Satoshi Kina - stock.adobe.com
The BlackCat/ALPHV ransomware gang has posted samples from a cache of data that it claims to have exfiltrated from aviation services firm Swissport in a cyber attack at the beginning of February to the dark web as it seeks a buyer.
The initial incident had little impact beyond causing delays to a small number of flights, and Swissport said it contained the incident within about 48 hours, and manual workarounds and fallback systems had secured its operations.
This would indicate to an observer that Swissport had a solid ransomware plan in place, including appropriate mitigations and protective measures such as fully air-gapped backups to restore from. This probably means it chose not to negotiate with its attackers.
However, in a classic example of a double-extortion attack in which data is not only encrypted but stolen and then leaked to maximise the victim’s embarrassment and the attacker’s potential returns, BlackCat is now trying to offload 1.6TB of stolen data.
Screengrabs circulated online show the data includes both internal business documents and the personal data, including scanned passports and ID cards, of individuals, as well as personally identifiable information on job candidates, including names, passport numbers, nationalities, email addresses and phone numbers. It also includes some categories of data, such as religion, deemed as protected characteristics under the General Data Protection Regulation (GDPR).
A Swissport spokesperson said: “The security of the data within our systems is a top priority for Swissport. Swissport has been responding to a cyber security incident that affected some of our systems. While conducting our investigation, we learned that an unauthorised party posted data online that they claim to have stolen from Swissport. We take these allegations seriously and are analysing the files that were posted online as part of our ongoing investigation into the incident.
“When we learned of the incident, we promptly took the affected systems offline, launched an investigation, notified law enforcement, and engaged leading cyber security experts to help assess the scope of the incident. At this point in time, we cannot provide any further information.
“We are in contact with customers, partners and employees. We sincerely regret any concern or inconveniences this incident is causing for our customers, partners and employees around the world.”
Commenting on the leak, Gurucul’s Saryu Nayyar said: “While Swissport is claiming the cyber attack was ‘largely contained’, 1.6TB of data exfiltrated is no joke. They are indeed lucky that only personal information was stolen versus a disruption in service.
“However, this shows how easy it is for threat actors to compromise networks and go largely undetected for large periods of time. Current XDR and SIEM solutions are incapable of preventing damage or disruption, despite claims that would lead you to believe they are a silver bullet in detecting and preventing successful breaches.”
Nayyar added: “Organisations need to look at next-generation SIEM solutions that employ true self-learning machine learning models with an extensive library and variety of advanced analytics if they have any hope of preventing new and emerging attacks from groups like BlackCat. Automated detection, as well as high-fidelity non-disruptive response, early in the kill chain is critical to truly containing the attack before damage is done, not well after an attack has already made progress in its main objective.”
As previously reported, the BlackCat gang emerged towards the end of 2021 and was immediately notable for a world first – its ransomware is coded in Rust, which gives it a distinct advantage in being able to customise its attacks.
Following a string of attacks attributed to BlackCat, the gang – which prefers to go by its own moniker, ALPHV – revealed to a Recorded Future analyst that it had evolved out of the DarkSide/BlackMatter operation (the crew behind 2021’s landmark Colonial Pipeline hit), allegedly in part because the BlackMatter ransomware was cracked by Emsisoft, which made a decryptor available for victims.