Full Report
Media conglomerate Lee Enterprises told regulators on Friday that hackers had stolen files and encrypted “critical applications” as part of an incident that impacted the operations of dozens of newspapers nationwide.
Analysis Summary
# Incident Report: Lee Enterprises Ransomware-Style Attack Disrupts Nationwide Newspaper Operations
## Executive Summary
In early February 2025, media conglomerate Lee Enterprises experienced a significant cyberattack resulting in the encryption of critical applications and the exfiltration of company files. The incident severely impacted operations, particularly the distribution of print editions and ancillary products, leading the company to anticipate a material financial impact. The response involved immediate forensic investigation and a phased recovery effort still underway at the time of reporting.
## Incident Details
- Discovery Date: Not stated in the filing; operational impact was first felt in early February 2025
- Incident Date: Early February 2025 (the filing does not say when initial access occurred)
- Affected Organization: Lee Enterprises (Parent company of 72 newspapers and nearly 350 weekly/specialty publications)
- Sector: Media/Publishing
- Geography: Nationwide (Operations across 25 states)
## Timeline of Events
### Initial Access
- Date/Time: Beginning early February 2025
- Vector: Unspecified ("threat actors unlawfully accessed the Company’s network")
- Details: Threat actors encrypted critical applications and exfiltrated files. Exfiltration combined with encryption is the pattern of a double-extortion ransomware attack; the report summarised here names neither a ransom demand nor a responsible group.
### Lateral Movement
- Details: Not described. Encrypting critical applications and exfiltrating files across a nationwide network implies movement beyond the initial foothold, but the filing gives no specifics.
### Data Exfiltration/Impact
- Details: Threat actors exfiltrated certain files. Critical applications were encrypted, directly impacting distribution of print products, billing, collections, and vendor payments.
### Detection & Response
- Detection: The filing does not say how the intrusion was detected; the first public sign was disruption of print distribution in early February. The company disclosed the incident to the SEC in a report filed on the Friday before Feb 18th, 2025.
- Response Actions: Initiated preliminary investigations and forensic analysis, began a "phased recovery" expected to take several weeks.
## Attack Methodology
- Initial Access: Unspecified network intrusion.
- Persistence: Not described.
- Privilege Escalation: Not described; encrypting production applications normally requires elevated access, but the filing does not say how it was obtained.
- Defense Evasion: Not described; the attackers reached the exfiltration and encryption stages without being stopped, so existing controls did not detect or block them in time.
- Credential Access: Not explicitly detailed.
- Discovery: Not explicitly detailed.
- Lateral Movement: Implied by the scope of encrypted applications across a large portfolio.
- Collection: "Exfiltrated certain files."
- Exfiltration: File exfiltration occurred prior to or concurrent with encryption.
- Impact: Encryption of critical business applications, leading to disruption of print distribution and financial processes.
## Impact Assessment
- Financial: Expected to have a "material impact" on the Company's financial condition or results of operations. Distribution of weekly and ancillary products, which account for about 5% of operating revenue, was still disrupted at the time of the filing.
- Data Breach: Certain files were exfiltrated. (Number/type of files not specified).
- Operational: Significant delays in print edition deliveries (including major papers like St. Louis Post-Dispatch, Arizona Daily Star) and partial limitation of online operations. Billing, collections, and vendor payments were impacted.
- Reputational: Public statements were required across their portfolio due to widespread service disruption.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Encryption of critical applications; disruption of distribution, billing, and payment systems.
## Response Actions
- Containment measures: Not described beyond the start of a forensic investigation.
- Eradication steps: Not described separately; the filing refers only to a phased recovery.
- Recovery actions: Implementing a phased recovery plan for impacted systems over the coming weeks.
## Lessons Learned
- The incident highlights the severe operational and financial risks faced by large, geographically dispersed media conglomerates due to successful cyberattacks, particularly those resembling ransomware.
- Weekly and ancillary products (about 5% of operating revenue) remained disrupted after daily editions had partly resumed, which suggests they ran on the same encrypted systems and were lower in recovery priority; a gap in redundancy or segmentation is possible but not confirmed by the filing.
## Recommendations
- Enhance network segmentation to isolate critical operational systems (like billing and distribution) from less critical services to limit the scope of future encryption events.
- Accelerate full forensic investigation to understand the initial access vector and confirm the complete scope of data exfiltrated.
- Implement robust, offline backups for all critical applications, ensuring recovery procedures are regularly tested to minimize downtime from encryption events.
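The backup recommendation above is only useful if a restore is actually verified against a record taken at backup time, and if the copy being restored predates the encryption. The script below is an added illustration of such a restore drill; it is not Lee Enterprises' tooling and the application tree, file contents and the `.locked` rename are constructed in-line to stand in for an encryptor. It builds a SHA-256 manifest of a "production" tree, restores from an offline copy made before the incident, then shows that a copy taken after the files were overwritten fails the same check.

```python
"""Restore drill for an offline backup (added example, not the company's code).

The manifest (relative path -> SHA-256) is captured when the backup is written
and kept with the offline copy. A restore passes only when every file is
present, unchanged, and nothing unexpected (such as encrypted payloads) appears.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest. Empty lists mean the drill passed."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "mismatched": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def simulate_encryption(tree: Path, ext: str = ".locked") -> None:
    """Constructed stand-in for a ransomware encryptor: overwrite each file with
    non-recoverable bytes and append an extension. Not a real cipher."""
    for p in list(tree.rglob("*")):
        if p.is_file():
            p.write_bytes(hashlib.sha256(p.read_bytes()).digest())
            p.rename(p.with_name(p.name + ext))


def run_drill() -> dict[str, dict[str, list[str]]]:
    """Returns the verification result for a pre-incident offline copy ('clean')
    and for a copy taken after the files were encrypted ('tainted')."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        prod = base / "prod"  # constructed sample application tree
        (prod / "billing").mkdir(parents=True)
        (prod / "billing" / "config.ini").write_text("db=billing01\n")
        (prod / "distribution.db").write_bytes(b"routes:42\n")

        manifest = build_manifest(prod)               # recorded at backup time
        shutil.copytree(prod, base / "offline")       # offline copy, made before the incident
        clean = verify_restore(base / "offline", manifest)

        simulate_encryption(prod)                     # production hit after the backup
        shutil.copytree(prod, base / "online")        # a copy taken now captures encrypted files
        tainted = verify_restore(base / "online", manifest)
        return {"clean": clean, "tainted": tainted}


if __name__ == "__main__":
    for name, result in run_drill().items():
        status = "PASS" if not any(result.values()) else "FAIL"
        print(f"{name}: {status} {result}")
```

The drill is deliberately strict about "unexpected" files: an encryptor that renames files makes every original show up as missing and every payload as unexpected, so a restore from a post-incident snapshot fails loudly rather than silently reinstating encrypted data. In practice the manifest should be stored with the offline copy and its own hash recorded out of band, so that a compromised host cannot rewrite both together.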