Philadelphia skyline
Part of the Philadelphia skyline. Image: Trev Adams / Pexels

Ransomware gang pulls Philadelphia Inquirer listing after victim questions documents

A ransomware group removed its listing of The Philadelphia Inquirer on its darknet extortion site on Wednesday after the company cast doubts on the authenticity of documents the criminals provided for download.

On Tuesday, the Cuba ransomware gang — which has attacked at least 100 organizations globally and brought in more than $60 million as of last August, according to U.S. authorities — added the Inquirer to its website’s list of victims.

However, within 24 hours, that listing has been removed. While this normally occurs when victims make an extortion payment, or begin negotiating one, this listing disappeared following questions about whether the documents uploaded were actually from the cited victim.

Cuba claimed to have posted a trove of files stolen from the Inquirer, including "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, source code.”

But the newspaper’s publisher said that the company had seen no evidence that the information was actually related to the newspaper, and a review of the documents by the paper's reporters didn't find anything that appeared to come from the company itself. The Record has contacted The Inquirer for comment.

While the ransomware gang's name and branding reference Cuba, there is no evidence that the Caribbean state has any connection to the criminals themselves.

Earlier this month, the Inquirer announced that it had detected "anomalous activity" that disrupted its publication of the Sunday print newspaper, although the company did not confirm whether the incident was caused by a cyberattack.

Reporters at the newspaper, which was first published in 1829 and has won 20 Pulitzer Prizes, said the episode raised questions about the company’s cybersecurity practices — highlighting that it “does not require multi factor authentication for many of its key systems.”

Researchers at Google and Ukraine's Computer Emergency Response Team believe that the criminals behind the ransomware may be connected to the Russian state, as they have been seen targeting government systems in Ukraine and Montenegro.

At the time, Google said the group, which previously appeared financially motivated, is now “behaving more similarly to an actor conducting operations for intelligence collection.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.