Lee Enterprises said it is investigating a claim from the Qilin ransomware group that it was behind a massive breach of the newspaper chain’s network in early February.
The threat group claims to have stolen 350 GB of data during an early February attack, according to researchers at SentinelOne. The group threatened to begin leaking data on March 5, but the specific ransom demand is not immediately known.
“We are aware of the claims and are currently investigating them,” a spokesperson for Lee Enterprises said via email.
Lee Enterprises previously confirmed in a regulatory filing that hackers encrypted critical applications and stole data in a Feb. 3 attack. The company warned the attack would likely have a material impact on its financial results and operations.
The attack disrupted print distribution, billing, payments and other aspects of the publishing company. The firm operates in 72 markets across 25 U.S. states, and is the publisher of major regional newspapers such as the Omaha World-Herald, the St. Louis Post-Dispatch and the Buffalo News.
The company was forced to manually process transactions following the attack.
Qilin, a ransomware-as-a-service operation, emerged as a rebrand of the Agenda ransomware operation in 2022, according to Jim Walter, a threat researcher at SentinelOne. The group has about 60 alleged victims on its leak site.
The group’s preferred method of attack is to abuse stolen or compromised credentials or gain entry through spearphishing.
Qilin has payloads for Linux and Windows systems and frequently targets virtual/ESXi environments as well, according to Walter.
The Lee Enterprises attack bears all the hallmarks of Qilin’s double extortion strategy, according to researchers at Darktrace. Threat actors first steal sensitive data and then encrypt what remains, creating multiple pressure points for payment.
“What makes Qilin stand out isn't necessarily technical sophistication, but their patient, methodical approach,” Toby Lewis, head of threat analysis at Darktrace, said via email. “They conduct extensive reconnaissance, disguise their communications with encryption certificates to appear legitimate, and carefully choose exactly what to steal before launching the final attack.”