What is Ryuk, the malware believed to have hit the Los Angeles Times?

Ryuk is the malware program that is believed to have been used in an attack on newspapers nationwide, including the Los Angeles Times.
(Richard Vogel / Associated Press)

Malware comes in many forms.

Bad links can lead to obnoxious adware that unleashes a plague of pop-ups. Nefarious attachments can hijack your processor for a bitcoin-mining botnet.

Ryuk, a malware program believed to have been used in an attack this weekend that hobbled newspapers nationwide, including the Los Angeles Times, is a sophisticated twist on an extortionate classic.

Once Ryuk gets into a network, it automatically spreads from computer to computer, node to node, encrypting important files along the way with an unbreakable code. Try to access the encrypted data, and the malware presents a ransom note: deposit bitcoin into an anonymous wallet and receive a key to decrypt your entire system. Refuse to pay, and the files remain locked for good.


This piece of ransomware managed to throw a monkey wrench into Tribune Publishing newspaper operations, which under-gird its printing plants as well as those of The Times and the San Diego Union-Tribune. The Times and Union-Tribune are no longer owned by Tribune Publishing — they were purchased by Dr. Patrick Soon-Shiong in June — but still share many systems.

The problem surfaced near midnight Thursday, when sports editors at the Union-Tribune struggled to transmit finished pages to the printing facility. It spread rapidly over the following day, impeding distribution of the Saturday editions of The Times and Union-Tribune, as well as papers in Florida, Chicago and Connecticut and the West Coast editions of the Wall Street Journal and New York Times, which are printed in downtown Los Angeles.

By Monday, problems in production and delivery were largely resolved, said Marisa Kollias, spokeswoman for Tribune Publishing.

A screenshot of affected company files obtained by The Times shows a ransom note titled RyukReadMe that is similar to messages reported in other Ryuk incidents. No ransom amount was specified. The company would not confirm that it had been affected by Ryuk in particular or a ransomware attack in general.

Such attacks are increasingly common. In 2016, devices and medical records at Hollywood Presbyterian Medical Center were locked down until the hospital paid a $17,000 ransom in bitcoin. In May 2017, the WannaCry ransomware spread to an estimated 200,000 computers in 150 countries, locking down the networks of companies such as Boeing and Honda, and triggering a crisis in the United Kingdom when it hit the National Health Service. Similar threats targeted the Port of Long Beach in July and the Port of San Diego in September.

Ryuk itself appeared on the radar of cybersecurity experts in August, when the security researchers MalwareHunterTeam reported five initial victims. An analysis by Check Point Research published later that month estimated that it had already netted the attackers more than $640,000, and that much of its code matched that of a known ransomware program called Hermes, which has been linked to the North Korean hacking group that many believe was behind the WannaCry attack.


Despite the similarity in the code, determining the origin of an attack is exceedingly difficult, as is establishing any links to state actors.

“Really the only way is, once you go in and raid someone and knock down their door and seize their computers, you find the code on their computers,” said Clifford Neuman, director of USC’s Center for Computer System Security. “That’s the only way to absolutely attribute.”

The name Ryuk appears to be a reference to a character in the popular anime and manga series “Death Note.” In the comics, Ryuk is a demon of death who, bored with his immortality, decides to introduce into the world a notebook that allows its finder to kill anyone by writing their name.

Most ransomware attacks come from programs that target a vast number of individuals with infected links or attachments, and then ask for a small amount of money to unlock the computers, said Ben Herzog, a security researcher with Check Point.

Ryuk, he said, is different.

“Commodity ransomware like GandCrab has a large affiliate program, many possible infection vectors, and a constant drip of victims and ransom payments,” Herzog wrote in an email. “Ryuk, in contrast, is a relatively ‘artisanal’ malware,” which is used to target specific companies with little tolerance for disruption such as hospitals, ports, and, now, apparently newspapers.

Since emerging as a mass phenomenon over the last few years, ransomware and those who deploy it have been locked in an arms race with security systems and researchers. Both have grown more sophisticated as a result.


“Early [attacks] were very basic, and just encrypted whatever files the person had access to,” Neuman said.

Newer models can exploit known security weaknesses to jump from user to user, accessing more secure files along the way.

The Check Point security analysis did not find that Ryuk had a method for automatically spreading among a network, which Itay Cohen, another security researcher with Check Point, said might indicate “prior, manual work that was done by the attackers in order to take these networks as a hostage.”

Follow me on Twitter: @samaugustdean

Times staff writer Meg James contributed to this report