Cyber-attackers appear to be targeting air travel and the people who rely upon it
An ongoing campaign of cyber-attacks appears to be targeting the travel industry, and air travel in particular. The criminals behind the “Sodinokibi” cyber-attacks don’t care about air travelers; instead they rely upon the threat of ongoing disruption to profit from their criminal endeavor.
Last year, the Federal Bureau of Investigation (FBI) warned organizations that ransomware remains a high-impact and ongoing cyber threat. That warning proved correct when the City of New Orleans suffered a ransomware attack on December 13, 2019, serious enough for Mayor LaToya Cantrell to declare a state of emergency. Now it has been confirmed that an upstate New York airport fell victim to a ransomware attack over Christmas, while the Travelex global foreign currency exchange is still being held to ransom by the same threat actors.
Albany International Airport ransomware attack
According to an Associated Press (AP) report, officials from the Albany County Airport Authority confirmed January 9 that the Christmas Day attack encrypted budget spreadsheets and other files, including those on backup servers. While it would appear that no financial traveler data was impacted and that operations at Albany International Airport itself were not affected, a ransom was paid December 30. According to the AP report, the bitcoin ransom was “under six figures,” and within two hours an encryption key was made available to restore the data. Bleeping Computer reports that the attack originated through “the maintenance server of its managed service provider (MSP),” a relationship that has since been severed.
“Thanks to the fast action by our IT department, Airport operations during one of the busiest travel periods of the year were not impacted, and no passenger or airline data was acquired or accessed,” Albany International Airport CEO, Philip Calderone, said, “Within hours the Authority was able to resume all administrative functions with systems functioning as normal. We are grateful for the assistance provided by the New York State Cyber Command, the FBI and our consultant ABS.”
Sodinokibi threat actors target travel industry
The ransomware that was used in this cyber-attack against the Albany County Airport Authority is Sodinokibi, the same ransomware that hit the London-based global foreign currency exchange Travelex on New Year’s Eve. Travelex shut down its systems to prevent the spread of the ransomware, with airport locations, website and the Travelex app all being impacted.
It is understood that Travelex called in Metropolitan Police experts from the Cyber Crime Team on January 2, with the investigation still ongoing. In a statement, Travelex confirmed it had “now contained the virus and are working to restore our systems and resume normal operations as quickly as possible.” Travelex also said that as far as is known, customer data has not been compromised.
Travelex ransom reportedly doubled to $6 million
Meanwhile, the threat actors behind the Sodinokibi ransomware attacks have reportedly doubled their ransom demand from the original $3 million (£2,296,000) to $6 million (£4,592,000) and threatened to either release stolen data into the public domain or sell it. Bleeping Computer, which has had a conversation with the attackers, reports that they claim to have 5GB of unencrypted stolen files that contain personal information of Travelex customers. Postings on a Russian hacker forum suggest that the criminals behind Sodinokibi plan to use the threat of releasing stolen data as a tactic to apply pressure on victims to pay the ransom. “With the criminals behind the attack demanding USD $6m, the chances of them receiving a payment grows each day that Travelex is unable to operate,” Javvad Malik, a security awareness advocate at KnowBe4, said.
The ransomware attack on Travelex has had a knock-on impact on foreign exchange services at banks including Barclays and HSBC which are partnered with the company. According to the Evening Standard newspaper, ratings agency S&P has downgraded Travelex, owned by FTSE-listed Abu Dhabi-based financial services group Finablr, as a result of the attack. The Evening Standard quotes S&P as stating: “The effect of this incident will weigh on Travelex’s already tight covenant headroom. The incident raises questions about the company’s stand-alone creditworthiness.”