Cyber Incident Victim: Ritzau
Date: Nov 2020
Location: Denmark
Summary
A Danish news agency suffered a ransomware attack that encrypted approximately one-quarter of its servers, disrupting editorial systems and forcing operations onto an emergency distribution system using live blogs. The agency refused to pay the ransom demanded by the attackers, described as a "very professional" group, and did not engage with the ransom note following advisory guidance. Technical recovery efforts involved restoring affected systems with support from the organization's IT department, specialists provided by its insurance company, and an external security firm. Normal operations were expected to resume within 24 hours, transitioning from emergency protocols back to standard news distribution channels. The incident caused significant operational limitations but did not halt news dissemination entirely.
Description
On the morning of November 24, 2020, Danish news agency Ritzau experienced a ransomware attack that disrupted its core operations. The attackers encrypted approximately one-quarter of the agency's network infrastructure, affecting over 100 servers and forcing the shutdown of editorial systems. This compromise prevented Ritzau from distributing news through its standard channels to major Danish media outlets, including television, radio, print, and digital platforms serving millions of consumers. The agency activated emergency protocols, implementing an alternative distribution method using six live blogs to maintain basic news dissemination. CEO Lars Vesterløkke characterized the intrusion as "very professional" but declined to identify the specific ransomware group responsible. Attackers left a ransom note with payment instructions, but Ritzau's leadership deliberately avoided accessing the full message following guidance from cybersecurity advisors, leaving the exact ransom demand undisclosed.

Ritzau's technical team initiated recovery efforts immediately after containment, working alongside specialists provided by their insurance provider and an external security firm contracted for incident response. Restoration focused on rebuilding encrypted systems rather than negotiating with attackers, with Vesterløkke publicly confirming the organization's refusal to pay any ransom. The agency projected full operational restoration within approximately 48 hours of the attack, aiming to transition from emergency live blogs back to standard news distribution channels by November 26. During the disruption period, Ritzau maintained limited news coverage while addressing infrastructure vulnerabilities exposed by the incident. No data theft or secondary exploitation claims emerged publicly during the confirmed recovery timeline outlined in official statements.
