A Russia-linked ransomware group known as Termite posted a claim on its dark web leak site saying it stole sensitive files from the News-Press & Gazette Company (NPG). The leak post includes images the gang says show employee contact spreadsheets and the U.S. passport of an NPG principal. Cybernews researchers reviewed the dark web material and described the contents as a mix of personal and corporate records.
What Termite Posted on Its Dark Web Leak Site
Termite published a short announcement accompanied by a handful of screenshots that the gang says are samples of the stolen dataset. The post did not detail the full scope of the breach or list the exact systems accessed. Publishing proof images and warnings on leak sites is a common extortion tactic that aims to push victims into paying ransoms or negotiating for data nonpublication.
Sample Evidence Includes Passport Copy and Employee Contacts
Cybernews’ review of the posted material found a photo of what appears to be a U.S. passport belonging to a company principal and a spreadsheet that lists employee names, personal contact information and home addresses. Researchers cautioned that screenshots alone do not prove the full extent of access, but if authentic they indicate exposure of personally identifiable information for those listed.
Potential Risks for Employees and Corporate Operations
If the screenshots accurately reflect a larger dataset, the consequences could be serious. The combination of passport scans and home addresses raises the risk of identity theft, targeted phishing and financial fraud against affected staff and executives. Cybernews researchers also noted that the leak sample included files described as internal financial statements and corporate documents. Exposure of such material could harm competitive positioning and reveal strategic details about NPG operations.
What News-Press & Gazette Company Does and Its Scale
NPG is a family-owned media group headquartered in St. Joseph, Missouri, operated by the Bradley family. The company publishes daily and weekly newspapers across Missouri and Kansas and owns radio and television stations in multiple U.S. states, including California, Idaho, Oregon, Colorado, Arizona, Missouri and Texas. NPG’s broadcast portfolio serves English and Spanish audiences through affiliates such as ABC, CBS, FOX, NBC, CW, Telemundo and Azteca. Public estimates place the company’s annual revenue near $108.4 million and its workforce at more than 800 employees, underlining the potential reach of any data exposure.
Who Is the Termite Ransomware Gang and Past Activity
Termite first surfaced in late 2024 and has been active against a range of corporate and supply-chain targets. One notable incident attributed to Termite involved Blue Yonder, a supply chain vendor; that attack disrupted operations at national retail chains and forced manual processes for payroll and timekeeping. Cybernews’ dark web monitoring tool Ransomlooker reports Termite has claimed at least 23 victims over the last 12 months.
Security researchers have linked Termite stylistically and operationally to other organized ransomware operations. Some analysts suggest Termite may be an offshoot of older families such as Babuk, whose leaked code in 2021 inspired new strains. Dark web conversation and reporting by firms such as SOCradar also indicate forum speculation that Termite may share infrastructure or affiliations with other Russia-linked groups, including Cl0p, though definitive attribution is difficult.
Broader Context: Arrests and Ransomware Enforcement Actions
Law enforcement activity in recent years has altered the ransomware landscape. In late 2024 authorities arrested Mikhail Pavlovich Matveev (alias Wazawaka), charging him with deploying multiple ransomware families including LockBit, Babuk and Hive. Prosecutors say such operations targeted thousands of victims across the U.S. and globally. While arrests remove specific actors, researchers warn copycat groups and new affiliates continue to emerge and reuse tactics, including public leak sites and staged proof images.
Investigation Status and Company Outreach
Cybernews contacted NPG seeking comment but had not received a reply at the time of reporting. The dark web posting remains the principal source for the claim and the screenshots. Independent researchers urge caution in interpreting partial samples while continuing to monitor for additional data disclosures or official statements. Any confirmed breach that exposes passports and employee home details would typically trigger internal incident response, notifications to affected individuals and engagement with law enforcement and regulators.
What Enterprises and Stakeholders Should Note From This Incident
This NPG allegation illustrates a pattern now familiar to corporate cybersecurity teams: threat actors target broadly used vendors and operators, post limited evidence to pressure victims, and leverage exposed identifiers to enable downstream fraud. The mix of personal identifiers and alleged corporate files shown in the Termite samples raises both privacy risks for staff and strategic risks for the company.
