A cyberattack that appears to have originated from outside the United States caused major printing and delivery disruptions at several newspapers across the country on Saturday including the Los Angeles Times, according to a source with knowledge of the situation.

The attack led to distribution delays in the Saturday edition of The Times, the San Diego Union-Tribune, the Chicago Tribune, Baltimore Sun and several other major newspapers that operate on a shared production platform. It also stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are all printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.

“We believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information,” said the source, who spoke on the condition of anonymity because he was not authorized to comment publicly.

No other details about the origin of the attack were immediately available, including the motive. The source identified the attacker only as a “foreign entity.”


All papers within The Times’ former parent company, Tribune Publishing, experienced glitches with the production of papers. Tribune Publishing sold The Times and the San Diego Union-Tribune to Los Angeles businessman Dr. Patrick Soon-Shiong in June, but the companies continue to share various systems, including software.

“Every market across the company was impacted,” said Marisa Kollias, spokeswoman for Tribune Publishing. She declined to provide specifics on the disruptions, but the company properties include the Chicago Tribune, Baltimore Sun, Annapolis Capital-Gazette, Hartford Courant, New York Daily News, Orlando Sentinel and South Florida Sun Sentinel.

Tribune Publishing said in a statement Saturday that “the personal data of our subscribers, online users, and advertising clients has not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation. News and all of our regular features are available online.”

The Times said the problem was first detected Friday. Technology teams made significant progress in fixing it, but were unable to clear all systems before press time.


Several individuals with knowledge of the Tribune situation said the attack appeared to be in the form of “Ryuk” ransomware. One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

Cybersecurity experts have known about “Ryuk” ransomware for months. This particular variant, which is distributed by “malicious spam” is “not like common ransomware,” according to an August advisory issued by the U.S. Department of Health and Human Services.

“Ryuk” attacks are “highly targeted, well-resourced and planned,” according to the August advisory. Victims are deliberately targeted and “only crucial assets and resources are infected in each targeted network,” the government’s advisory said. “Infection and distribution carried out manually by the attackers.”

In September, the Port of San Diego was hit by a similar attack. That attack came two months after a strike at the Port of Long Beach. It is unclear whether the attacks were related or if the culprits demanded ransom in any of the incidents.


The attack seemed to have begun late Thursday night and by Friday had spread to crucial areas needed to publish the paper.

The computer problem shut down a number of crucial software systems that store news stories, photographs and administrative information, and made it difficult to create the plates used to print the papers at The Times’ downtown plant.

“We are trying to do work-arounds so we can get pages out. It’s all in production. We need the plates to start the presses. That’s the bottleneck,” Director of Distribution Joe Robidoux said.

A note to our readers: Major computer breakdown disrupts printing and delivery »


“We apologize to our customers for this inconvenience. Thank you for your patience and support as we respond to this ongoing matter,” The Times said in a statement.

Robidoux said he expects the majority of Los Angeles Times subscribers will receive their paper Saturday, however delivery will be late. For print subscribers that did not receive Saturday’s paper, they will receive the paper with their regularly scheduled delivery of the Sunday edition.

It was unclear whether the company has been in contact with law enforcement regarding the suspected attack. An FBI spokeswoman was not immediately aware if the incident had been reported to her agency.

The problem caused widespread issues for Sun Sentinel readers in South Florida, one of Tribune Publishing’s major markets. The paper told readers that it had been “crippled this weekend by a computer virus that shut down production and hampered phone lines,” according to a story on its website.


The problem caused widespread confusion, the paper noted, because subscribers who called the newspaper’s offices on Saturday morning were “told, incorrectly, that the numbers were not in service.”

New York Times and Palm Beach Post readers in South Florida also failed to receive their Saturday editions because the Sun Sentinel also prints those newspapers. The Sun Sentinel told readers that they would receive their Saturday issue along with their Sunday papers. The Orlando Sentinel subscribers received their papers on time, according to a Tribune Publishing executive.

The Ventura County Star, owned by Gannett Co. Inc., said it was also affected.

Experts said holidays are “a well-known time for mischief” by digital troublemakers because organizations are more thinly staffed


“Usually when someone tries to disrupt a significant digital resource like a newspaper, you’re looking at an experienced and sophisticated hacker,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group.

Malware has, over time, become more sophisticated and coordinated, involving more planning by networks of hackers who infiltrate a system over time, she said.

“Modern malware is all about the long game,” Dixon said. “It’s serious attacks, not small stuff anymore. When people think of malware, the impression may be, ‘It’s a little program that runs on my computer,’” Dixon said.

Today, “malware can root into the deepest systems and disrupt very significant aspects of those systems.”


Malware attacks are extremely common, affecting millions of computers in homes, offices and other organizations every day, said Salim Neino, CEO of the company Kryptos Logic.

In some cases, dubbed “ransomware,” the attackers disable the system and demand money, said Neino, whose company tackled a major ransomware attack called WannaCry last year. In other instances, the goal is simply to disrupt or “break stuff” by wiping systems, Neino said.

Malware has also been used to quietly infect computers and then sell access to other cybercriminals who can steal banking credentials or exploit other valuable information, Neino said. In many cases, the attackers have been all but impossible to track digitally, although the federal government has, on some occasions, been able to catch them, he added.

Neino said that in the absence of more information, he could not comment specifically on the attack on the newspapers’ system. However, he said that in general, computer systems used for manufacturing tend to be outdated and more vulnerable because they are used nonstop and updated less frequently than, say, devices issued to company employees.


Neino said that to avoid the most common attacks, the average person using a computer at home should make sure that they have up-to-date antivirus software and avoid opening any unfamiliar programs.

The Times and the San Diego paper became aware of the problem near midnight on Thursday. Programmers worked to isolate the bug, which Tribune Publishing identified as a malware attack, but at every turn the programmers ran into additional issues trying to access a myriad of files, including advertisements that needed to be added to the pages or paid obituaries.

After identifying the server outage as a virus, technology teams made progress Friday quarantining it and bringing back servers, but some of their security patches didn’t hold and the virus began to reinfect the network, impacting a series of servers used for news production and manufacturing processes.

By late Friday, the attack was hindering the transmission of pages from offices across Southern California to printing presses as publication deadlines approached.


At one point, Times staffers were making contingency plans to hand-deliver pages from the editorial offices in El Segundo to its Olympic printing plant in downtown Los Angeles. Working through the problems created a logjam at the printing press. And the resulting cascade of delays pushed back printing and delivery.

San Diego was particularly hard hit by the problem, in large part because of the paper’s position in the press run. Between 85% and 90% of the Saturday edition of the Union-Tribune did not reach subscribers on Saturday morning, said Jeff Light, publisher and editor of the San Diego Union-Tribune.

“Papers that should have arrived in San Diego around 3 a.m. to 4 a.m. instead arrived at 7 a.m. and 8 a.m.” Light said. Because the newspaper relies on independent contractors to deliver the paper to neighborhoods, many of those people were not available later in the day to do the deliveries.

The first signs of trouble at the Union-Tribune came late Thursday night when sports editors tried to send information, via digital files, to the plate-making facility. But those digital files which contain information that ultimately becomes the pages of the newspaper would not transmit to the plate-making process. Editors seemed to be locked out of the system, having to perform work-arounds.


“People saw pretty quickly that this was a significant problem,” Light said.

tony.barboza@latimes.com