Foreign ransomware extortionists disabled access to some critical Steinman Communications systems and computer files in what company executives described as a sophisticated criminal attack that continues to limit the company’s ability to publish a complete newspaper.
The ransomware attacker or group of attackers, whose individual identities are unknown, demanded the 227-year-old news organization pay an undisclosed sum of money in return for unlocking critical files typically used in printing the daily LNP and LNP Media Group’s other publications.
Company officials declined to say whether they intend to pay the ransom or ignore the demand and continue to work without the compromised files and machines, a move other firms have made with some level of success.
A cybersecurity firm hired by Steinman Communications has been working to evaluate the scope and nature of the attack on the company’s systems since it was discovered.
Company officials, who discovered the attack on Sept. 30 and initially described it as a “significant criminal act,” have reported the matter to the FBI. They said they have no evidence the cyberattacker obtained subscriber payment information; Steinman Communications uses a third-party payment processor and does not store that information on its own network.
The company’s IT experts also temporarily shut down some systems and operations to block the spread of the attack.
Caroline Muraro, the president of Steinman subsidiary LNP Media Group, said she could not comment on the specifics of the attack while a criminal investigation is ongoing. But she said she is appreciative of readers and customers for their patience.
She added: “I can say that I am extremely proud of our entire team, who have shown tremendous dedication in continuing our operations as best as possible under the circumstances. In parallel, our IT team continues to work tirelessly around the clock to bring our systems back online.”
While the identity of the ransomware attackers remains unclear, federal law enforcement and cybersecurity officials have issued new warnings in recent weeks about a sophisticated Russian outfit known as Conti.
The criminal enterprise has conducted ransomware attacks on hundreds of companies, municipalities, police and healthcare systems by using malicious email attachments, bogus links and other nefarious practices.
Impact on printing
In the first 48 hours at Steinman Communications, the attack significantly hindered the company's ability to publish and distribute LNP and its weekly newspapers. Since last week, though, the production and press crews have slowly rebuilt some of their capabilities without access to that complex network of computer systems they need to print a newspaper.
The company has been able to continue printing each of its newspapers, in a smaller format in some cases.
“The network outage that we have experienced over the past week has eliminated our team’s ability to use the automated systems we have in place that allow us to efficiently lay out, print, and distribute LNP and the many other publications we publish and print on a daily basis,” said Justin Bucks, the president of Susquehanna Printing in East Lampeter Township, the Steinman Communications subsidiary that prints the newspaper.
“As a result, processes such as pagination, layout, ad building, photo toning, plate-making, and control of the press are currently being done manually or through new time-consuming processes,” he said. “So many members of our team have exhibited extraordinary levels of creativity, determination, perseverance, and self-sacrifice to continue publishing, printing, and distributing our award-winning publications.”
Steinman Communications owns LNP Media Group, which publishes LNP and several weekly newspapers, including Lancaster Farming, the leading newspaper for farmers and agricultural industry leaders in the mid-Atlantic region; three community newspapers, The Ephrata Review, Lititz Record-Express and Elizabethtown Advocate; and The Caucus, an investigative newspaper covering state government.
Company officials say it is not clear how soon they'll be able to return to publishing newspaper editions that contain all traditional sections and at typical page counts.
About ransomware attacks
Federal law-enforcement officials declined to comment because the investigation is ongoing.
The FBI said earlier this year that Conti was responsible for ransomware attacks on more than 400 companies, including 290 in the United States. Its demands have been as large as $25 million.
Chester Wisniewski, a research scientist at the large global cyber-security company Sophos, said the Conti Group is "probably the biggest or the most prolific" of ransomware firms operating today.
“We’ve had more customers victimized by Conti than any other brand,” he said.
Wisniewski said the Conti Group itself employs hackers who attack companies, but that it also markets its ransomware tools to independent hackers, who in turn give Conti a share of the ransom.
It is not clear whether the Conti Group or an independent cyberattacker broke into LNP Media Group's systems.
It is also not clear how the cyberattacker gained access. The new generation of ransomware attacks typically uses malicious email links and attachments, as well as stolen remote desktop credentials, according to the FBI.
Such attacks have grown in frequency over the past two years. Homeland Security Secretary Alejandro Mayorkas said in May that the number of ransomware cases quadrupled in the United States in 2020.
“Recent ransomware attacks ... underscore the growing threat that ransomware and digital extortion pose to the nation, and the destructive and devastating consequences ransomware attacks can have on critical infrastructure,” the office of Deputy U.S. Attorney General Lisa O. Monaco wrote in a June memo.
Cybersecurity specialists have said part of the reason is many companies are too quick to pay the ransom because they’re able to get reimbursement through insurance policies.
Marty Edwards, who worked as a senior cybersecurity official in the Department of Homeland Security from 2011 to 2017, told The Wall Street Journal in May that ransom payments create a vicious cycle.
“The insurance company pays the ransom, the criminals make more money, so they make more ransomware, which leads to more insurance, which leads to more payment …” he told the newspaper.
Steinman Communications officials declined to say whether the company carries insurance for ransomware attacks.
Ransomware attackers typically steal or encrypt files, servers and workstations and threaten to sell the information stored on them or publish it online. The attackers often contact the victims through an online portal to complete the transaction; some offer customer support to help their victims unlock encrypted files after the ransom payment.
In 2018, a ransomware attack forced the publisher of major newspapers including the Chicago Tribune, Baltimore Sun and Hartford Courant to print smaller editions. In June, Cox Media was hit by a ransomware attack that disrupted several of its TV and radio stations. And earlier this month, a ransomware attack took down websites run by Sandhills Global including TractorHouse, AuctionTime and Motorsports Universe.
In June of 2019, Eurofins Lancaster Laboratories announced that it had been the target of a ransomware attack that disrupted “many of its IT systems in several countries.” Some employees at Lancaster Labs in Leola and other Eurofins locations were sent home from work multiple times because their equipment had been shut down.
Three weeks after the attack, Eurofins said “essentially all” of its production and reporting IT systems were fully restored, while work continued on “less important back office and software development systems.” The London-based BBC public broadcasting company reported that Eurofins Scientific had paid an unspecified amount to the hackers.
In February of this year, a cyberattack on Millersville University’s computer network exposed the personal information of a “handful” of people and prompted the school to cancel in-person classes. A university spokesperson told LNP|LancasterOnline in June that the hackers hadn’t been identified and that they hadn’t demanded a ransom.
Stephen diFilipo, Millersville’s chief technology officer, said the university shut down its computer systems as soon as it noticed suspicious activity on its network and began work to prevent the attack from spreading.
“There are a lot of moving pieces,” he said. “It's like trying to solve six Rubik’s Cubes at one time with two hands. You think you're prepared, but you're never ready for the level of decision-making that comes at one time.”
The university eventually regained control of its network, diFilipo said. The attack prompted the school to speed up plans that had already been underway to improve network security.
Tracking down and prosecuting cyberattackers is difficult, but authorities have been successful in preventing some ransomware proceeds from going to them.
In one of the most highly publicized cases, the Justice Department seized the equivalent of $2.3 million in cryptocurrency paid by Georgia-based Colonial Pipeline Co. to a criminal hacking group called DarkSide. The spring ransomware attack forced the pipeline to shut down for more than a week, prompting fuel shortages up and down the East Coast.
In the Millersville attack, diFilipo said the university consulted with cybersecurity experts and the FBI and decided it would not pay any ransom had it received such a demand for money.
Wisniewski said he's torn over whether firms should pay ransoms.
“... Every time we pay, we are obviously just encouraging more of this behavior,” he said. “… The person in me who cares about society says, ‘Don't ever pay the ransom.’
“But the truth is, when you’re sitting there with that victim ... how do you say to that person, ‘You shouldn't pay the ransom because it’s bad for society, but oh by the way, your business might go bankrupt?’”