Nok Air, the Thailand-based low-cost airline, has fallen victim to another ransomware attack, this time at the hands of the LockBit ransomware group.
The ransomware news comes just months after the airline was targeted by the ALPHV ransomware group, which claimed to have exfiltrated over 500GB of data.
The LockBit group has announced that it has added Nok Air to its list of victims and has threatened to publish the data it has stolen by March 15, 2023.
The airline primarily offers domestic services in Thailand and is based at Bangkok’s Don Mueang International Airport.
The LockBit group has been working tirelessly over the past couple of years, using various tactics, methods, and procedures to improve its success rate.
They are known for using double and triple extortion methods, where they not only encrypt the data but also threaten to publish it unless a ransom is paid.
Nok Air data breach details shared online
LockBit #ransomware group added NOK AIR (https://t.co/YgkyWPrqJA), to their victim list. They claim to publish the data by 15 March, 2023. Also Nok Air was earlier listed as a victim of ALPHV ransomware group. #Thailand #DarkWeb #DeepWeb #databreach #cybersecurity https://t.co/azX7KNOBUl pic.twitter.com/TOZhTD7zHz
— FalconFeedsio (@FalconFeedsio) February 28, 2023
The Thailand airline operator was in the cybersecurity news in November 2022, when the ALPHV/BlackCat ransomware gang listed it as a victim.
On November 20, 2022, the ransomware’s data leak website showcased screenshots of the stolen data, The Cyber Express reported.
The airline, which mainly operates domestic flights in Thailand from Bangkok’s Don Mueang International Airport, was targeted by the threat group that claimed to have exfiltrated more than 500GB of data.
The developers responsible for the ransomware-as-a-service (RaaS) group employ double and triple extortion techniques, have acquired new technologies, and have integrated various tactics, methods, and procedures (TTP) into their strategies.
Threat intelligence researchers at Cyble analyzed the published data, which contained confidential information stored across numerous folders, documents, and spreadsheets.
Upon scrutinizing the screenshots posted on the data leak website, we discovered some files named “refund to customers.ink,” “req invoice.pdf,” “refund.xlsx,” “DD SWOT ANALYSIS.ppt,” and other sensitive documents.
Airlines and ransomware attacks
Throughout the autumn of 2022, airlines were targeted by various attacks, including a distributed denial-of-service (DDoS) attack on U.S. airport websites that temporarily took down several web services.
A similar attack affected Jeppesen, a subsidiary of Boeing, on November 2, 2022. Jeppesen disclosed that this attack had the potential to affect the accuracy of some of its products and services, including the receipt and processing of Notices to Air Missions (NOTAMs), which inform pilots of any potential hazards during flights.
Airports are also susceptible to attacks and are a significant repository of carrier and passenger information.
According to a Kaspersky advisory on air travel security, “Airport systems typically store not only travel document data but also payment information. This poses an issue not only for customers but also for the airport itself since modern data protection laws offer no leniency to organizations that are careless with data protection.”
Cybercriminals and the rise of ransomware-as-a-service (RaaS)
The rise of ransomware-as-a-service (RaaS) groups has made it easier for cybercriminals to launch ransomware attacks. They can rent the ransomware software from these groups rather than develop it themselves.
ALPHV, also known as BlackCat and Roberts, has been one such RaaS group active over the past couple of years.
It is not yet clear how Nok Air’s systems were breached, but it serves as a reminder of the importance of cybersecurity measures for businesses of all sizes.
Small and medium-sized businesses are often seen as easy targets for cybercriminals, as they may not have the same level of security measures in place as larger organizations.
Hackers target airlines and airports for various reasons, including financial gain, cyber espionage, disruption of operations, reputation damage, political motivation, and interconnectedness with other industries.
These organizations deal with a large amount of sensitive information, making them attractive targets for cybercriminals. It is essential that airlines and airports take measures to protect themselves from these threats to prevent potential damage to their reputation and operations.
As more businesses shift to digital operations, they must prioritize cybersecurity and invest in the necessary tools and technologies to protect their data.
This includes regular software updates, employee training on cybersecurity best practices, and working with cybersecurity professionals to conduct regular risk assessments and vulnerability scans.
The ransomware attack on Nok Air highlights the ongoing threat posed by cybercriminals, particularly ransomware-as-a-service groups like ALPHV and LockBit. Businesses must take cybersecurity seriously and implement robust measures to protect their data from these attacks.