Amedia ransomware attack
A ransomware attack encrypted the central systems of Amedia, Norway's largest local-newspaper group, halting presses and disrupting subscription and advertising systems for more than 70 titles serving around 2 million readers. Amedia refused to pay.
- Victim
- Amedia
- users
- 2.0M
On the night of 27โ28 December 2021, a ransomware attack struck Amedia, Norway's largest publisher of local newspapers, encrypting its central IT systems and bringing newspaper production to a halt. With more than 70 titles serving roughly two million readers, the attack instantly became one of the most disruptive cyber incidents ever to hit the Norwegian press.
What happened
The attackers deployed ransomware that encrypted Amedia's central information systems โ the platforms responsible for producing newspapers, managing advertising, and handling subscriptions. When those systems went down, Amedia was unable to print most of its papers. The company managed to produce roughly 20 newspapers through improvised, alternative workflows, but the majority could not go to print on schedule.
Security researchers reported that the PrintNightmare vulnerability (CVE-2021-34527), a critical Windows Print Spooler remote-code-execution flaw disclosed earlier in 2021, was a suspected entry vector. The Vice Society ransomware gang โ known for targeting organizations slow to patch PrintNightmare โ was reported as the likely perpetrator.
Data exposure
Amedia's central systems stored sensitive personal data on both subscribers and employees. Subscriber records included names, addresses, mobile numbers, email addresses, and subscription history; employee data included employment agreements, social-security (national-identity) numbers, and salary information. Amedia warned of the risk that this data had been accessed, while continuing to investigate the full scope.
Response
Amedia took a firm public stance: it stated it had no intention of paying any ransom and handed the attackers' ransom note to the police. The company prioritized rebuilding clean systems from backups and restoring publishing capacity title by title over the following days.
Why it matters
The Amedia attack underscored the press-freedom dimension of ransomware: by paralyzing the production systems of a national newspaper group, attackers can silence dozens of local outlets at once, degrading the public's access to information. It also reinforced the danger of unpatched commodity vulnerabilities like PrintNightmare โ a flaw with a public fix โ being weaponized against media infrastructure. Amedia's refusal to pay, paired with a backup-driven recovery, became a frequently cited example of disciplined ransomware response in the Nordic media sector.
Timeline
Overnight, attackers deploy ransomware that encrypts Amedia's central information systems.
Amedia discovers the attack; systems for newspaper production, advertising and subscription management stop functioning, halting the presses.
Amedia establishes alternative workflows to produce roughly 20 of its newspapers; most other titles cannot be printed.
Amedia confirms it has no intention of paying the ransom and shares the ransom note with police.
The Vice Society ransomware gang is reported as the likely actor; the PrintNightmare vulnerability is suspected as an entry vector.
Sources
- bankinfosecurity.comhttps://www.bankinfosecurity.com/ransomware-attack-affects-newspaper-publishing-in-norway-a-18221
- securityweek.comhttps://www.securityweek.com/norwegian-media-firm-amedia-suffers-disruption-due-cyberattack/
- securityaffairs.comhttps://securityaffairs.com/126130/hacking/amedia-cyberattack.html
- cpomagazine.comhttps://www.cpomagazine.com/cyber-security/norwegian-media-company-amedia-suffered-a-serious-cyber-attack-that-left-newspapers-unprinted/
- siliconangle.comhttps://siliconangle.com/2021/12/30/vice-society-hacks-norwegian-newspaper-takes-credit-spar-attack/