Ransomware group claims it’s behind cyberattack on Inquirer

A ransomware group the FBI says has hacked businesses and governments around the world claimed responsibility Tuesday for a cyberattack on The Inquirer’s internet servers.

The group, which calls itself Cuba, alleged that it stole Inquirer files in the May 12 attack, and posted a trove of stolen data online — only to remove the claim from its website Wednesday.

The group posts stolen files from its attacks to a site on the dark web. Elizabeth H. Hughes, The Inquirer’s publisher and chief executive, said by email Tuesday that the company has seen no evidence to date that any information related to The Inquirer was actually shared online.

Hughes said Wednesday that the company was aware that Cuba subsequently removed its claim, but did not say when asked whether The Inquirer had paid a ransom for Cuba to do so.

A preliminary review by Inquirer reporters of a dark website operated by Cuba did not uncover documents that appeared to come from within the company.

The attack disrupted the production of an edition of the May 14 Sunday print newspaper, and in the following days led Inquirer management to take selected computer systems offline while forensics experts launched an investigation. The newsroom was temporarily closed. Online publication was not interrupted.

Hughes said the investigation was ongoing, including into whether Inquirer employees’ personal information was impacted.

“Should we determine that any personal information was affected, we will notify and support those individuals,” Hughes said. “We will provide updates to employees as additional information becomes available to be shared.”

The FBI and Department of Homeland Security have put out alerts on the Cuba group for its role in at least 100 cyberattacks since it surfaced in 2019, netting $60 million in extorted funds. The group has been linked to several high-profile attacks targeting the Ukrainian and Montenegrin governments and organizations involved in critical U.S. infrastructure.

A spokesperson for the FBI’s Philadelphia division said that the bureau was aware of the Inquirer cyberattack but that it does not comment on specific incidents.

“When the FBI learns about potential cyberattacks, it’s customary that we offer our assistance in these matters,” the spokesperson said.

Cuba’s members have not been identified, though cyber security reports indicate its ranks are small and experienced in targeting large organizations within the financial services, government, health care, and IT sectors.

One cyber security report suggests that the group regularly practices “double extortion,” in which data and documents are stolen from an organization and then published online if a ransom goes unpaid.

Hughes said Inquirer management had no communication with Cuba before the attack.She did not say whether there has been subsequent communication.

In some prior attacks, Cuba used phishing tactics to lure victims to download ransomware through legitimate apps such as PDF readers or company websites. Ransomware is a kind of malware that encrypts files, making them unusable while access is held hostage until payment is received.

This kind of attack has evolved in recent years, said Runa Sandvik, a cybersecurity expert and consultant specializing in news organizations and activists: The attackers both encrypt the files and also steal them.

”Now there’s this additional element of blackmail to it, where they say you have to pay to get your files back. And if you don’t pay, we’re going to leak what we have,” said Sandvik, who previously led digital security experts at the New York Times.

Sandvik said the costs of such ransomware attacks extend beyond the initial scramble to respond. Insurance premiums may go up, for example, and there may be financial costs from any legal exposure. News organizations that have their systems breached also face the possible release of sensitive news-gathering information, such as reporting notes and source information.

”It could reveal really sensitive information about draft stories … stories that are going through pre-publication legal review,” she said.

Cuba has reportedly used other methods to install malware, such as exploiting a vulnerability in certain Microsoft email servers.

Hughes previously declined to say whether The Inquirer was asked to pay a ransom or whether the group responsible for the cyberattack had been in contact with company management.

The attack came days before The Inquirer’s vital coverage of the Democratic mayoral primary and regional elections, and was considered the most significant disruption to operations since a blizzard in 1996.

Staff writers Ryan Briggs and Jonathan Lai contributed to this article.

This article has been updated to reflect developments on May 24.