ALPHV ransomware has claimed to have attacked Thailand-based low-cost airline Nok Air. The Cyber Express has found screenshots of the stolen data posted on the ransomware’s data leak website on November 20, 2022. The threat group claims to have exfiltrated over 500GB of data. The airline primarily provides domestic services in Thailand, mainly at Bangkok’s Don Mueang International Airport.
The developers behind this ransomware-as-a-service (RaaS) group – often known as ALPHV, BlackCat, and Roberts – have been working relentlessly throughout 2021-2022. This includes using double and triple extortion methods, honing their skills with new technologies, and including new tactics, methods, and procedures (TTP) in their strategies.
Threat intelligence researchers at Cyble have analysed the published data, which had several folders, files, and confidential information stored in multiple folders, doc files, spreadsheets, and more. Upon further inspecting the screenshots published by the threat actor on the data leak website, we found some files named refund to customers.ink, req invoice.pdf, refund.xlsx, DD SWOT ANALYSIS.ppt, and other confidential documents.
Cyberattacks on airlines
Besides the rise in crypto attacks, airlines are the next critical target for hackers. The fall of 2022 saw many such attacks targeting airlines, including the distributed denial-of-service (DDoS) attack on U.S. airport websites, where the threat actor temporarily took down several U.S. airport web services.
In a similar incident, Jeppesen, a Boeing subsidiary, was affected on November 2, 2022, when it revealed that the attack could affect the accuracy of some of its products and services. The services included the receipt and processing of notice to air missions, which helps inform the pilots about any potential hazards during flights.
Another collateral in the spectrum are airports, which hold enormous carrier and passenger information.
“Airport systems usually hold not only travel document data, but also payment information. And that’s an issue not only for customers, but for the airport itself; modern data protection laws give no quarter to organizations that are lax on data protection,” said a Kaspersky advisory on air travel security.
ALPHV Mode of operation
“ALPHV/BlackCat is the first widely known ransomware written in Rust. The malware must run with an access token consisting of a 32-byte value (–access-token parameter), and other parameters can be specified,” said Security Scorecard’s assessment of ALPHV’s operations.
The files are encrypted using the AES algorithm, with the AES key being encrypted using the RSA public key contained in the configuration. The extension of the encrypted files is changed to uhwuvzu by the malware.
According to the information vetted by Cyble researchers, the ALPHV ransomware group and its sister groups are known to be linked to Russian-based threat groups or have a hard-to-decipher web of alliances and interconnections. In its latest attack, the ransomware group is again using the standard ransom technique as it has claimed to have stolen half a terabyte of the airline’s data, out of which it had provided some as a sample on its data lead website.
FBI has tracked at least 60 ransomware attacks by the ALPHV group as of March 2022.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations,” said the FBI alert on the gang.
