
Lee Enterprises, a major US media conglomerate, has confirmed that a February 2025 ransomware attack compromised personal data of about 39,000 individuals. The Qilin ransomware-as-a-service operation claimed responsibility. Its operators deployed a Rust-based encryptor, including a VMware ESXi variant that encrypts virtual machines, disrupting operations across Lee's 72 daily newspapers and more than 350 other publications for roughly three weeks [1].
Attack Timeline and Technical Details
Lee Enterprises publicly confirmed the intrusion on February 10, 2025 [1], after billing systems failed and access to its digital editions became intermittent. Qilin's operators encrypted virtual machines on the company's VMware ESXi hosts; before encryption, the group claims to have exfiltrated 350GB of data, including financial records and passport scans [2]. Coverage of the incident ties the hypervisor compromise to unpatched ESXi hosts (CVE-2024-37085, discussed below). That flaw is an authentication bypass in ESXi's Active Directory integration and requires an existing domain foothold, so it accounts for the jump to the hypervisor rather than the initial entry into the network.
National CIO Review reported that the attack caused a roughly 5% revenue loss because billing systems were down, and forced the temporary suspension of some print editions. Lee Enterprises' SEC filing confirmed a material financial impact, though cyber insurance covered response costs [3]. Qilin posted samples of the stolen data to its leak site on March 1, 2025, including employee HR records and subscriber payment details.
Qilin Ransomware Tactics
Analysis reported by CPO Magazine describes Qilin's attack chain [2]:
- Initial access via phishing emails carrying malicious Office documents
- Lateral movement using compromised domain-admin credentials
- Data exfiltration over TLS to infrastructure hosted at bulletproof hosting providers
- Deployment of Rust-based payloads using process hollowing on Windows hosts, alongside the ESXi encryptor on the hypervisors
Security Affairs reported that Moonstone (tracked by Microsoft as Moonstone Sleet), a North Korea-linked group that previously targeted financial institutions, has deployed Qilin ransomware in its own intrusions [4]. Qilin is sold as a service to many affiliates, and the reporting cited here attributes the Lee Enterprises attack to Qilin rather than to any particular affiliate, so North Korean involvement in this specific incident is not established. The same ransomware family, with its ESXi encryptor, was used in the June 2024 attack on Synnovis, the pathology provider for several London hospitals, which exposed data on around 900,000 patients [5].
Media Sector Vulnerabilities
This attack continues a pattern of ransomware against news organizations. In December 2021, Norway's Amedia suffered an attack that halted printing at 78 newspapers, and The Guardian suffered a December 2022 ransomware incident that exposed staff data. Media companies are attractive targets because their operations are deadline-driven, so downtime is immediately costly, and because an outage or leak is visible to the public and erodes trust [6].
Coverage of the incident points to several security gaps:

| Gap | Consequence |
|---|---|
| Unpatched VMware ESXi hosts (CVE-2024-37085, authentication bypass in the Active Directory integration) | A domain account able to create or join an "ESX Admins" AD group received full administrative rights on the hypervisors |
| No network segmentation | Lateral movement from the initial foothold to editorial, billing and virtualization systems |
| Cleartext credential storage | Privilege escalation to domain admin |
Mitigation Recommendations
For organizations with similar infrastructure:
- Patch VMware ESXi hosts, prioritizing CVE-2024-37085. On hosts that cannot be patched yet, set the advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false or point Config.HostAgent.plugins.hostsvc.esxAdminsGroup at a group name you control, and alert on the creation or renaming of an "ESX Admins" group in Active Directory
- Segment the network so that editorial systems, billing systems and virtualization management (vCenter, ESXi SSH and API access) sit in separate zones with explicit allow rules
- Hunt for Rust-compiled payloads (Rust binaries carry distinctive runtime strings, such as source-file paths in panic messages) and for process-injection behaviour such as process hollowing on Windows hosts
- Block and alert on current Qilin infrastructure indicators from your threat-intelligence feeds, and retire stale ones, since the group's command-and-control infrastructure rotates
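As an added example (not code from the original article or from any of the cited reports), the two checks below cover the ESXi item in the table and in the mitigation list. The first scans Windows Security events for the creation, renaming or population of an "ESX Admins" group, which is the pattern by which CVE-2024-37085 is abused; the second parses esxcli advanced-settings output and flags a host that still auto-grants the Admin role to that group. The event records and the esxcli text are constructed samples; the esxcli layout (indented "Field: value" lines, one block per setting starting with "Path:") is assumed, and the whitespace-tolerant group-name match is a conservative choice here rather than a documented property of ESXi.

```python
"""Detection and hardening checks for CVE-2024-37085-style abuse of ESXi's
Active Directory integration. Runs offline on constructed sample data."""
import re
from dataclasses import dataclass
from typing import Optional

# Windows Security event IDs for security-enabled groups
# (global / local / universal variants of each action).
GROUP_CREATED = {4727, 4731, 4754}   # group created
GROUP_CHANGED = {4735, 4737, 4755}   # group changed (covers renames)
MEMBER_ADDED = {4728, 4732, 4756}    # member added to group

# Default group name ESXi's AD integration grants the Admin role to. The match is
# case-insensitive and tolerates surrounding whitespace (conservative assumption).
ESX_ADMINS = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)

# ESXi advanced settings that control the behaviour (from VMSA-2024-0013).
ESX_AUTOADD = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd"
ESX_GROUP = "/Config/HostAgent/plugins/hostsvc/esxAdminsGroup"


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str
    group: str
    member: Optional[str]
    reason: str


def check_ad_events(events):
    """Return a Finding for every event that creates, renames or populates an
    'ESX Admins' group. Each event is a dict of Security-log EventData fields
    (EventID, SubjectUserName, TargetUserName, MemberName)."""
    findings = []
    for ev in events:
        group = ev.get("TargetUserName", "")
        if not ESX_ADMINS.match(group):
            continue
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED:
            findings.append(Finding(eid, actor, group, None, "ESX Admins group created"))
        elif eid in GROUP_CHANGED:
            findings.append(Finding(eid, actor, group, None, "group renamed/changed to ESX Admins"))
        elif eid in MEMBER_ADDED:
            findings.append(Finding(eid, actor, group, ev.get("MemberName"), "member added to ESX Admins"))
    return findings


def parse_esxcli_advanced(text):
    """Parse 'esxcli system settings advanced list' output into {path: {field: value}}.
    Assumed layout: indented 'Field: value' lines, each block opened by a 'Path:' line."""
    settings, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Path":
            current = settings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return settings


def check_esxi_settings(text):
    """Return a list of hardening gaps for the host whose esxcli output is given."""
    settings = parse_esxcli_advanced(text)
    gaps = []
    auto_add = settings.get(ESX_AUTOADD, {}).get("Int Value")
    if auto_add != "0":
        gaps.append(f"esxAdminsGroupAutoAdd={auto_add}: AD group is auto-granted the Admin role")
    name = settings.get(ESX_GROUP, {}).get("String Value", "")
    if ESX_ADMINS.match(name):
        gaps.append(f"esxAdminsGroup={name!r}: default group name still in use")
    return gaps


# Constructed sample events (not real logs from this incident).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "svc_print", "TargetUserName": "Finance Users"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4737, "SubjectUserName": "jdoe", "TargetUserName": "esx admins"},
    {"EventID": 4728, "SubjectUserName": "hr_admin", "TargetUserName": "HR Staff",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
]

# Constructed esxcli output for an unhardened host (layout assumed, see above).
SAMPLE_ESXCLI = """\
   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup
   Type: string
   Int Value: 0
   Default Int Value: 0
   String Value: ESX Admins
   Default String Value: ESX Admins
   Description: Active Directory group that is granted the Admin role.

   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
   Type: integer
   Int Value: 1
   Default Int Value: 1
   String Value:
   Default String Value:
   Description: Automatically grant the Admin role to the esxAdminsGroup.
"""

if __name__ == "__main__":
    for f in check_ad_events(SAMPLE_EVENTS):
        print(f"[AD ] {f.event_id} by {f.actor}: {f.reason} (group={f.group!r}, member={f.member})")
    for gap in check_esxi_settings(SAMPLE_ESXCLI):
        print(f"[ESX] {gap}")
```

On the sample data the AD check flags the group creation, the membership addition and the lowercase rename by jdoe while ignoring the unrelated Finance and HR group changes, and the ESXi check reports both that auto-add is still enabled and that the default group name is in use. In production, feed the first function from a SIEM query over Event IDs 4727/4731/4754, 4735/4737/4755 and 4728/4732/4756, and the second from the output of esxcli collected per host.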
Security Affairs recommends that media companies run tabletop exercises that simulate a ransomware attack against deadline-driven operations. The incident also underlines the need for offline or immutable backups, with restore procedures tested against a multi-week outage rather than a single lost server [7].
Broader Implications
The Moonstone Sleet finding shows a state-linked actor adopting tooling from the criminal ransomware-as-a-service market, which blurs attribution: the same encryptor can appear in intrusions with quite different objectives. The Lee Enterprises attack itself, as publicly reported, followed the now-standard double-extortion pattern: data theft first, then encryption, then a leak-site posting to pressure payment.
CISA's Known Exploited Vulnerabilities (KEV) catalog, which binds federal agencies to fixed remediation deadlines under BOD 22-01, includes CVE-2024-37085 among the VMware flaws it lists [8]. Private-sector organizations should treat KEV entries as equally urgent.
As of June 2025, Qilin remains active, with new attacks reported against European publishing houses. CVE-2024-37085 is only one route to the hypervisor: an intruder holding domain-admin credentials, as in the attack chain above, can still reach ESXi through vCenter or directly over SSH, so defense in depth (segmented management networks, hardened ESXi configuration, monitored and tested backups) is needed beyond vendor updates.
References
- [1] “Media giant Lee Enterprises confirms cyberattack,” TechCrunch, Feb. 10, 2025. [Online]. Available: https://techcrunch.com/2025/02/10/media-giant-lee-enterprises-confirms-cyberattack
- [2] “Media giant Lee Enterprises confirms ransomware attack, Qilin takes responsibility,” CPO Magazine, Mar. 3, 2025. [Online]. Available: https://www.cpomagazine.com/cyber-security/media-giant-lee-enterprises-confirms-ransomware-attack-qilin-takes-responsibility
- [3] “72 newspapers shut down in a recent ransomware attack,” National CIO Review, Feb. 15, 2025. [Online]. Available: https://nationalcioreview.com/articles-insights/extra-bytes/72-newspapers-shut-down-in-a-recent-ransomware-attack
- [4] “North Korea-linked APT Moonstone used Qilin ransomware,” Security Affairs, Mar. 10, 2025. [Online]. Available: https://securityaffairs.com/175178/apt/north-korea-linked-apt-moonstone-used-qilin-ransomware.html
- [5] “Qilin attack on Synnovis impacted 900,000 patients,” Security Affairs, Jun. 5, 2024. [Online]. Available: https://securityaffairs.com/168480/data-breach/qilin-attack-on-synnovis-impacted-900000-patients
- [6] “Cyberattack on Lee Enterprises highlights news media vulnerabilities,” The Record, Feb. 12, 2025. [Online]. Available: https://therecord.media/cyberattack-lee-enterprises-news-media
- [7] “Ransomware gangs exploit CVE-2024-37085 in VMware ESXi,” Security Affairs, Jan. 15, 2025. [Online]. Available: https://securityaffairs.com/166295/cyber-crime/ransomware-gangs-exploit-cve-2024-37085-vmware-esxi.html
- [8] “U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog,” Security Affairs, May 22, 2025. [Online]. Available: https://securityaffairs.com/177218/hacking/u-s-cisa-adds-sap-netweaver-flaw-to-its-known-exploited-vulnerabilities-catalog