The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
The threat actors have now threatened to leak all the allegedly stolen data on March 5, 2025, unless a ransom demand is paid.
Lee Enterprises is a US-based media company that owns and operates over 77 daily newspapers, 350 publications, digital media platforms, and marketing services. The company’s primary focus is local news and advertising, and its digital audience reaches tens of millions monthly.
In a filing with the U.S. Securities and Exchange Commission (SEC) earlier this month, the company disclosed that it had suffered a cyberattack on February 3, 2025, causing significant operational disruptions.
BleepingComputer learned that the outage caused significant problems, such as losing access to internal systems and cloud storage, and corporate VPNs not working.
A week later, Lee Enterprises submitted a new filing with the SEC that specified that the hackers “encrypted critical applications and exfiltrated certain files,” indicating the company had been hit by ransomware.
Today, Qilin ransomware added Lee Enterprises to its dark web extortion site, sharing samples of the allegedly stolen data, including government ID scans, non-disclosure agreements, financial spreadsheets, contracts/agreements, and other confidential documents allegedly stolen from the firm.
Source: BleepingComputer
The ransomware actors claimed to have stolen 120,000 files totaling 350GB in size and threatened to release it all on March 5.
BleepingComputer contacted Lee Enterprises to learn if the stolen data belonged to them, but a comment wasn’t immediately available.
Qilin ransomware evolution
Qilin is not one of the most prolific ransomware gangs but has come a long way since it launched in August 2022 under the name “Agenda.”
Over the years that followed, the cybercriminals claimed hundreds of victims, with some notable cases including automotive giant Yanfeng, Australia’s Court Services Victoria, and several major NHS hospitals in London.
In terms of its technical evolution, Qilin introduced a Linux (VMware ESXi) variant in December 2023, started deploying a custom Chrome credentials stealer in August 2024, and introduced a Rust-based data locker with stronger encryption and better evasion last October.
Last year, Microsoft published a report stating that the notorious members of the ‘Scattered Spider’ hacker collective had begun to use Qilin ransomware in attacks.