Airport chaos highlights rise in high-profile ransomware attacks, cyber experts say

By James Pearson

LONDON (GWN) -Cybercriminals are taking larger dangers by hitting high-profile targets to get larger payoffs and increase their online reputational clout, cybersecurity experts said, after a weekend hack crippled airport check-in systems across Europe and stranded hundreds of passengers.

The European Union’s cybersecurity company ENISA confirmed on Monday that the hack on Collins Aerospace, owned by RTX, was a ransomware assault, but didn’t say where the assault originated from. The outage, which hit check-in and baggage drop providers, has affected dozens of flights since Friday.

“Broadly, the majority of ransomware activity is still geared towards extortion through data encryption and theft,” said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm.

“The subset of attacks deliberately engineered for maximum disruption, often by Western-based groups, are the outliers, but they are becoming more visible and more ambitious,” he added.

It was not clear which group was behind the hack. Ransomware gangs routinely publicise assaults and leak stolen data on darkish web “leak sites,” but web sites that monitor those portals had not, as of Monday, detected any group claiming Collins Aerospace, or RTX, as a goal.

Ransomware is malicious software program used by cybercriminals to encrypt a company’s data and demand fee for its release. They usually operate in the shadows, and many strive to keep away from targets which could earn them undesirable consideration from law enforcement companies.

Other teams, however, have gotten more brazen in the sort of targets they select, cybersecurity experts said.

In April, a group of hackers dubbed Scattered Spider was widely reported to be behind an assault that crippled British retailer Marks & Spencer, stopping one of the best-known names in British retailing from taking online orders for weeks.

Last Thursday, Britain’s National Crime Agency charged two youngsters over a 2024 cyberattack on London’s Transport for London, which it said precipitated “significant disruption and millions in losses”.

The NCA said investigators believed the TfL assault was carried out by members of Scattered Spider.

The FBI has said Scattered Spider was concerned with roughly 120 community intrusions, and has earned around $115 million in ransom funds.

“It’s clear from the number of recent cyberattacks and their impact that this is a problem that will grow, possibly rapidly, until software developers get much better at writing secure software and company IT staff get much better at evaluating the security of software their company choses to purchase or to use remotely,” said Martyn Thomas, Emeritus Professor of IT at Gresham College, London.

“We have been fortunate so far, as the motivation of cyber criminals has been disruption or financial gain,” Thomas said. “If they have been to resolve to trigger severe injury or many deaths, the same assault methods may very well be used on vital systems in healthcare or major infrastructure.”

One potential factor adding to the rise in higher profile and more criminally risky ransomware targets is the pursuit of reputation within criminal circles: The bigger the target, the more online clout cybercriminals have with other hackers.

“A small but decided set of largely Western-based cybercriminals are honing their abilities and changing into emboldened by their past success and the success of others,” said Pilling at Sophos.

“Their motivation is not only financial though and pulling off a high-impact breach also brings social standing and credibility within their peer networks”.

(Reporting by James Pearson in London. Editing by Jane Merriman)