Cyble – Aviation Industry Facing Ransomware Headwinds
Category

The holiday season seems to be at an ebb for the Aviation Industry in Southeast Asia, as two low-cost carriers faced ransomware attacks this week.

Ransomware is a daunting threat that has loomed over strategic industries, including Aviation, in 2022. In our previous blog, we covered the emerging threats to the Aviation industry and predicted an increase in large-scale cyber-attacks on the sector.  

Malaysian airline attacked by Daixin Team Ransomware Group

On November 20, 2022, the ‘Daixin Team’ ransomware group claimed to infiltrate the networks of a Malaysia-based airline. The group allegedly stole 5 million passengers’ data, and airline employees’ personal and corporate information.  

‘Daixin Team’ ransomware group came into existence in June 2022 and has claimed responsibility for targeting 5 organizations so far. In the US, the group has primarily affected Healthcare organizations. A CISA advisory observes the group’s source code based on leaked Babuk Locker ransomware. The groups are understood to leverage initial access via vulnerable VPN servers as well as compromised credentials obtained through phishing emails and stealer malware.

Thai low-cost carrier attacked by ALPHVM Ransomware Group

On the very same day, the ALPHVM ransomware group, aka BlackCat, announced that they had compromised a Thailand-based airline operating in the domestic circuit. The group claimed to steal over 500GB of data from the impacted organization containing sensitive aviation operation documents, employees’ information, as well as finance and customer information.

Our ransomware threat monitoring data suggested that the ALPHVM, aka AlphaVM, has targeted nearly 200 organizations since its inception in late 2021. ALPHVM is a Rust language-based ransomware. They are known to gain access using previously compromised user credentials, and once malware establishes, it compromises Active Directory and administrator account for privilege escalation.

Portuguese Carrier attacked by Ragnar Locker Ransomware Group

Later in August 2022, a Portugal-based Airline suffered a ransomware attack by the Ragnar Locker ransomware group. The impact can be adjudged from the fact that the airline serves 87 destinations in 38 countries, mainly Europe, Africa, and South America.

In this incident, the ransomware group claimed to have stolen 581 GB of the company’s data, which contains more than 1.5 million customer information regarding commercial documents, the airline’s internal emails, and employees’ data.

Ragnar Locker Ransomware Group has been active since April 2020 and has targeted more than 64 organizations across various sectors, including Energy, Manufacturing, Financial Services, Government, and IT. Ragnar Locker ransomware group uses the ‘double extortion’ technique and Salsa20 encryption, and RSA-2048 to encrypt file keys.

Kuwait-based Airline attacked by LOCKBIT Ransomware Group

In June 2022, LockBit 2.0 ransomware group attacked an airline company based in Kuwait and leaked over 150GB of the company’s data. The impacted airline released a notice that their website and mobile application confirmed the claims of compromise. The data leaked by the ransomware group contains files pertaining to their Human Resources department, which contains information about the recruitment process and data related to former and incumbent employees.

Information regarding government policies and inspection reports was also leaked, containing highly confidential data related to aircraft components.

LockBit is one of the most notorious ransomware groups that has been evolving continuously since 2020 and is currently operating on its third version, dubbed ‘LockBit 3.0’. In 2021, the LockBit ransomware group compromised 474 organizations worldwide. So far, in 2022, there has been a significant increase in the count of impacted organizations to over 700, including those from critical sectors.

Impact of these attacks

Ransomware attacks left an immeasurable impact on the victim organizations, including their employees and customers. As mentioned above, customers’ and employees’ sensitive personal data was leaked in the attacks, which can be further utilized for Spear Phishing or targeted Phishing campaigns. Confidential documents of the impacted company can be utilized by TAs as well as business competitors, which leads the company to a significant financial and strategic loss. In case of further data leaks or supply attacks to clients/vendors of the impacted entity might lead to legal issues for them. There can be a fatal, life-threatening situation in case of any compromises with the servers related to flight or Air Traffic Control. Lastly, organizations face reputational loss across the industry sector.

Conclusion

The Aviation Industry has highly sensitive data, with very high revenue organizations and interdependent on various vital industries, making them more lucrative targets for cyber-criminals.

Ransomware attacks can lead to devastating effects as various human-life factors are also involved in the industry, which is the main reason why organizations related to the aviation industry should be extra careful regarding their digital infra.

Our Recommendations

Following essential cybersecurity best practices creates the first line of control against attackers. We recommend our readers follow best practices as given below:

  • Monitor incoming emails from suspicious and potentially malicious domains.
  • Back up data on different locations and implement Business Continuity Planning (BCP). Keep the Backup Servers isolated from the infrastructure, which helps fast data recovery.
  • Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.
  • Enforcement of VPN to safeguard endpoints.
  • Conduct frequent training on security awareness for the company’s employees to inform them about emerging threats.
  • Implementation of technology to understand the behavior of the ransomware-malware families and variants to block malicious payloads and counter potential attacks.

Daixin Team IOCs

File Hash
rclone-v1.59.2-windows-amd64git-log.txt 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238
rclone-v1.59.2-windows-amd64rclone.1 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
rclone-v1.59.2-windows-amd64rclone.exe 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939
rclone-v1.59.2-windows-amd64README.html EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF
rclone-v1.59.2-windows-amd64README.txt 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28

References

https://cyble.com/2022/08/26/aviation-travel-industry-recovering-from-covid-turbulence-grounded-by-cyberattacks/

https://www.cisa.gov/uscert/ncas/alerts/aa22-294a

Source: https://blog.cyble.com/2022/11/23/aviation-industry-facing-ransomware-headwinds/