The notorious Qilin ransomware group has claimed responsibility for the Lee Enterprises ransomware attack and leaked data samples as proof. The group also threatened to publish all the stolen data unless a ransom was paid by March 5, 2025.
The Davenport, Iowa-based media colossus publishes over 77 daily newspapers and more than 350 weekly publications in over 25 states. It also operates digital media platforms with over 44 million daily visitors and marketing solutions focusing on local advertising.
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC), Lee Enterprises said it suffered a technology outage due to a cyber incident on February 3, 2025.
The media giant said it launched an investigation to assess the potential impacts of the cyber incident on operations and finances, although it did not expect any material impacts.
Lee Enterprises confirms ransomware attack
A subsequent SEC filing says Lee Enterprises activated cyber incident protocols and formed a response team involving internal and external cybersecurity experts.
The team determined that a threat actor accessed the company’s network, encrypted critical applications, and exfiltrated certain files, thus confirming a ransomware attack.
“Preliminary investigations indicate that threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files,” the company stated.
The ransomware attack disrupted billing operations, collections, and vendor payments. It also caused delays in the distribution of print publications and partially affected online operations.
By February 12, 2025, normal distribution had resumed, although weekly and ancillary products, which account for five per cent of the company’s operating revenues, had not been restored.
“The Company anticipates a phased recovery over the next several weeks,” Lee Enterprises stated.
However, Lee Enterprises could not determine whether the ransomware attack leaked sensitive data or personally identifiable information.
“At this time, no conclusive evidence has been identified, but the investigation remains ongoing,” it said.
Qilin cyber gang claims Lee Enterprises ransomware attack
Meanwhile, the Qilin ransomware gang has taken responsibility for the Lee Enterprises ransomware attack and claims it stole 350 GB of data containing 120,000 files.
Details allegedly leaked include financial spreadsheets, scans of passports and driver’s licenses, non-disclosure agreements, business contracts and agreements, and investor records.
The ransomware gang also claims it obtained secret documents containing questionable financial arrangements, payments to journalists and publishers, funding for tailored news stories, and methods of obtaining insider information.
Qilin threatened to publish the stolen files that would allegedly “shed light” on Lee Enterprises, suggesting that it had obtained damaging information during the attack.
Russian-linked Qilin ransomware emerged in October 2022 and has claimed over 300 publicly disclosed victims. However, the number of victims is likely higher than reported, as some might have paid a ransom and thus were never publicly disclosed.
“Qilin, also known as Agenda, is a Russia-based hacking group that mainly targets victims through phishing emails to spread its ransomware,” explained Paul Bischoff, Consumer Privacy Advocate at Comparitech. “It launched in August 2022 and runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.”
“Since it started, Qilin has claimed 47 confirmed ransomware attacks compromising 1.5 million records. Also in 2025, Qilin has claimed responsibility for breaches at the city of West Haven, CT; the German Bishops’ Conference; and the Palau Ministry of Health and Human Services,” added Bischoff. “Qilin claimed another 56 unconfirmed attacks so far this year that haven’t been acknowledged by the targeted organizations.”
Other notable Qilin ransomware victims include several NHS hospitals in the UK, Australia’s Court Services in Victoria, and Chinese automotive giant Yanfeng.
Qilin introduced a VMware ESXi encryptor in December 2023, a Chrome infostealer in August 2024, and a Rust-based encryptor in October 2024. In the second quarter of 2024, Microsoft also observed other threat groups, such as Octo Tempest, using Qilin ransomware in their attacks.
Lee Enterprises has also suffered cyber attacks in the past. In 2020, Iranian hackers breached the media company just before the presidential elections to spread disinformation.