The Lee Enterprises attack that caused disruptions on February 3 has been linked to the Qilin ransomware group, which has released samples of data they claim were stolen from the enterprise. The ransomware actors have now threatened to release all of the allegedly stolen material unless a ransom demand is fulfilled.
The US-based media firm Lee Enterprises owns and runs 350 magazines, 77 daily newspapers, digital media platforms, and marketing services. The company's internet viewership reaches tens of millions each month, and its main concentration is local news and advertising.
In a report filed with the Securities and Exchange Commission (SEC) earlier this month, the company disclosed that it was subjected to a cyberattack on February 3, 2025, resulting in major operational disruption. Threat analysts discovered that the outage created serious issues, including lost access to internal systems and cloud storage, as well as non-functioning corporate VPNs.
A week later, Lee Enterprises filed a new statement with the SEC, stating that the attackers "encrypted critical applications and exfiltrated certain files," implying that they had been targeted by ransomware.
Earlier this week, Qilin ransomware added Lee Enterprises to its dark web extortion site, publishing samples of allegedly stolen data such as government ID scans, non-disclosure agreements, financial spreadsheets, contracts/agreements, and other private papers reportedly stolen from the company.
Evolution of Qilin ransomware
Despite not being one of the most active ransomware groups, Qilin has advanced significantly since being introduced in August 2022 under the alias "Agenda."
In the years that followed, the cybercriminals claimed hundreds of victims, with prominent examples including automotive manufacturer Yanfeng, Australia's Court Services Victoria, and many major NHS hospitals in London.
In terms of technical evolution, Qilin delivered a Linux (VMware ESXi) variant in December 2023, began deploying a custom Chrome credentials stealer in August 2024, and launched a Rust-based data locker with stronger encryption and better evasion in October.
Microsoft released a report last year claiming that members of the infamous hacking group known as "Scattered Spider" had started using the Qilin ransomware in their attacks.