Pierluigi Paganini March 03, 2025

The Qilin ransomware group claims responsibility for attacking the newspaper Lee Enterprises, stealing 350GB of data.

The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers.

Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than 350 weekly, classified, and specialty publications.

The company reported to the SEC that a Feb. 3 cyberattack led to unauthorized access, file withdrawals, and encryption of critical applications. At least 79 newspapers faced publication disruptions, subscriber access issues, and disabled newsroom phones. After the cyber attack, many sites displayed maintenance notices.

“On February 3, 2025, Lee Enterprises, Inc. (“Lee” or the “Company”) experienced a systems outage caused by a cybersecurity attack. Upon discovery, Lee activated its incident response team, comprised of internal personnel and external cybersecurity experts retained to assist in addressing the incident.” reads the FORM 8-K filed with SEC. “Preliminary investigations indicate that threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files. The Company is actively conducting forensic analysis to determine whether sensitive data or personally identifiable information (PII) was compromised. At this time, no conclusive evidence has been identified, but the investigation remains ongoing.”

On February 27, the Qilin ransomware group claimed responsibility for the Lee Enterprises cyberattack on its Tor leak site. The group claimed the theft of 350GB of data, including financial records, journalist payments, and insider news tactics. To prove the attack, the group published samples, such as ID scans, corporate documents, and spreadsheets.

The gang threatens to leak the stolen data on March 5.

“All data will be published on March 5, 2025. We are preparing to share sensitive data with the public that could shed new light on Lee Enterprises, a prominent newspaper publishing firm active across all U.S. states. The documents we hold about Lee Enterprises reveal details worth noting—investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information.” reads the message published by Qilin on its leak site. “This is a story that merits attention. Headquartered in Davenport, Iowa, and listed on Nasdaq under the ticker LEE, Lee Enterprises describes itself as a leading source of trusted local news and information, with robust digital platforms and innovative advertising solutions. By focusing on local audiences, they claim strong reader connections, stability amid economic shifts, and a top rank in digital marketing and content services. Yet, the information we’ve uncovered might offer a different perspective. Watch this space—Lee Enterprises is aware of what’s in play.”

Qilin is a Russian-speaking cybercrime group operating a Ransomware-as-a-Service (RaaS) model since 2022. Initially, Qilin’s ransomware was written in Go but transitioned to Rust in December 2022, enhancing its capabilities.

Qilin has targeted various sectors, including healthcare. Notably, in June 2024, an attack on the UK-based medical laboratory company Synnovis, which significantly disrupted operations across London hospitals.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Lee Enterprises)