The Qilin ransomware gang has claimed responsibility for a cyberattack targeting Lee Enterprises, a well-known US-based media company. The attack, which occurred on February 3, 2025, caused significant operational disruptions across the company’s systems. Qilin ransomware has now published samples of the allegedly stolen data online and has threatened to release the full collection on March 5, 2025, unless a ransom is paid.
Lee Enterprises owns and operates over 77 daily newspapers and 350 publications, in addition to its digital media platforms and marketing services. With a strong focus on local news and advertising, the company reaches tens of millions of digital readers every month.
Following the attack, Lee Enterprises filed a disclosure with the U.S. Securities and Exchange Commission (SEC), confirming that the cyber incident led to widespread disruption. Employees reportedly lost access to internal systems, cloud storage, and corporate VPNs, severely affecting business operations. A second filing confirmed that the attackers had encrypted critical applications and exfiltrated sensitive files, a common sign of a Qilin ransomware incident.
On its dark web extortion site, the Qilin ransomware group has now shared samples of the allegedly stolen data.
The leaked files include government ID scans, non-disclosure agreements, financial spreadsheets, contracts, and other confidential documents belonging to Lee Enterprises. The cybercriminals claim to have stolen a total of 120,000 files, amounting to 350 GB of data, all of which could be publicly released if the company does not meet their ransom demands.
When approached for comment, Lee Enterprises confirmed awareness of the claims and stated that it is actively investigating the matter.
Although Qilin ransomware is not considered one of the most prolific ransomware gangs, it has steadily grown in sophistication since its initial appearance in August 2022, when it was first known as Agenda. The group has claimed numerous attacks over the years, including incidents targeting automotive giant Yanfeng, Australia’s Court Services Victoria, and major NHS hospitals in London.
Qilin ransomware has also demonstrated technical evolution, adding a Linux (VMware ESXi) variant in December 2023, followed by a custom Chrome credentials stealer in August 2024. By October 2024, the group introduced a Rust-based data locker designed to improve encryption strength and evade detection.
In 2024, Microsoft also reported that members of the notorious Scattered Spider hacking collective had begun using Qilin ransomware in their cyberattacks, further cementing its presence in the ransomware threat landscape.
