Ransomware Attack Takes Down UK Airport's Flight Information Screens
Posted by Geraldine Hunt on Wed, Sep 19th, 2018
Ransomware isn’t new. It has wreaked havoc in enterprises from the largest of corporations to the smallest SOHO since the mid-2000s. There were more than 7,600 ransomware attacks reported to the Internet Crime Complaint Center (IC3) between 2005 and 2017. Ransomware disrupted operations for up to weeks at a time for some of its victims and has cost organizations billions of dollars. Ransomware is consistently mentioned as the #1 cybersecurity threat amongst industry leaders. Just a year ago, it seemed as if the potential wrath of ransomware knew no bounds.
However, the growing pervasiveness of ransomware has stagnated, if not receded, in 2018. According to Kaspersky, ransomware is no longer the #1 threat, having been replaced by cryptomining malware. Bank Trojans have also recently eclipsed ransomware in malware occurrence. Not surprisingly, ransomware no longer garners the headlines it did just twelve months ago. Ransomware may be down, but it is not out by any means.
Ransomware Takes Down UK Airport
On September 14, 2018, ransomware struck Bristol Airport, forcing airport employees to post flight arrival and departure schedules on posters and whiteboards as the attack took down internal communication throughout the airport. Schedule alerts were regularly announced over the PA system over the course of two days as the airport’s IT staff worked to terminate the malware. Fortunately, the attack was limited to the operational functions within the airport and did not impact flight operations, so passengers were never at risk.
Earlier this week, 380,000 passengers were affected by a British Airways hack. It’s believed hackers got past British Airways' defenses because of code found on the British Airways website. Although this was not ransomware, it seems airlines and airports are easy targets for attackers.
A String of Summer Ransomware Attacks
These are but a few of the many attacks during that time.
- Global shipping giant Cosco Shipping Lines was forced to shut down operations at several of its port locations throughout North, Central, and South America after ransomware took down its email and network telephone operations in those areas. Following the attack, the company warned employees not to open suspicious emails, as this was the entry point of the recent attack. It is believed that 93% of phishing emails are now ransomware. It’s not the first time a global shipping company has fallen victim to hackers: last year, Danish shipping company A.P. Moller-Maersk fell victim to the NotPetya malware strain.
- Wendell’s Furniture in Colchester lost access to its ordering system for several weeks after its servers were infected with the malware. Hackers succeeded in stealing sales info from the past 8 years, including customer names, addresses, phone numbers, and email addresses. Wendell's ended up paying thousands of dollars to the hackers to retrieve its data.
- A mattress retailer in Winnipeg, Canada was hit with ransomware that took down its servers, halting operations completely. Best Sleep Centre negotiated the initial ransom of $6,000 down to $2,000. The owner blames the attack on a lack of diligence in performing regular updates and says they have learned an expensive lesson.
The Importance of Backups:
None of these companies had backups in place, and all resorted to paying the hackers. The one certainty of ransomware is that maintaining a well-designed, working backup solution will serve as an effective measure against the lasting effects of ransomware, no matter how it may evolve one day. To protect your data and recover from ransomware, you need to have a dependable, worry-free backup system in place. The 3-2-1 rule is best practice for backup and recovery. Learn how the 3-2-1 backup approach works.
The Changing Face of Ransomware
Concerns over ransomware spiked last summer during the WannaCry and Locky attacks that took down enterprises worldwide. While the damage these outbreaks caused was unprecedented, the amount of money involved in terms of ransoms paid was negligible at best. As a result, large-scale attacks have scaled down dramatically in the past twelve months. However, that doesn’t mean ransomware is no longer a threat. Instead, hackers have now changed their strategy, transitioning to more targeted attacks. The ransoms have also been reduced to more realistic sums, which has increased the payout ratios of these types of attacks. Because the attacks are highly targeted, there are far fewer headlines, yet the list of victims continues to grow.
When the FBI announced in late 2016 that ransomware was a billion-dollar industry, it turned a lot of heads, including those of unethical, experienced programmers, who began creating more complex malicious code that they could then sell on the dark web to wannabe hackers lacking the coding skills to pull off their malicious endeavors.
The term Ransomware as a Service (RaaS) was soon coined to describe what has now become a turnkey business for those willing to pay a few hundred bucks up front and share the ransoms they bring in. This is a primary reason why the number of ransomware families has dropped but the number of variants has increased.
Ransomware Attacks are Not Always Financially Motivated
Ransomware attacks are not always financially motivated. Hackers are starting to use malware encryption payloads as a way to cover their tracks. For instance, hackers will deploy a ransomware payload prior to depositing a rootkit or other malicious payload. The ransomware deposit lies dormant unless the primary attack payload is discovered, upon which a ransomware attack is initiated in order to wipe the system and protect the code signatures. It can also be used to wipe the evidence of a successful operation, thus destroying all traces of the attack.
While there may be few professional hackers implementing ransomware attacks currently, nation-state-sponsored attacks are on the rise according to Europol. Just last week, the U.S. Justice Department charged a computer programmer working on behalf of the North Korean government with a number of attacks, including the WannaCry ransomware attack last year.