Collins vs. Everest: Criminal gang taunts airport software victim

Paul Ducklin
10/24/2025

Cyberextortion meets air travel

Collins Aerospace recently suffered a breach that led to check-in disruption at several European airports, notably in Dublin, London, Brussels and Berlin.

Now, the company has been taunted by the Everest ransomware gang, who claim to be behind the attack.

To be clear, we use the term “ransomware” fairly generally to refer to a computer or network intrusion that ends in cyber-extortion.

The attackers typically use a double-barreled blackmail scheme, pressuring their victims into paying for two different outcomes, for example by:

  • Stealing sensitive data and offering to “sell a negative,” namely that if the victim coughs up, the criminals will quietly delete the stolen data instead of leaking it to the detriment of the company, its staff, and its customers.
  • Scrambling files to derail business operations, and offering to “sell a positive,” namely to provide decryption software and the necessary cryptographic keys to unlock the files and get things moving again.

In the early days of ransomware, which first appeared way back in 1989, the file-scrambling trick was introduced because there simply wasn’t enough network bandwidth available to upload someone’s data, delete it from their computer, and then offer to sell it back to them.

By encrypting the data in place on your computer, the criminals essentially left you with “a backup you could not restore,” so that the attack worked even if you were entirely offline at the time.

Video: Compute like it’s 1989! The video includes a live demo of the infamous PC Cyborg, or AIDS Information, Trojan for MS-DOS (the demo starts at 14’08”).

The word “ransomware” referred not just to the attack and its subsequent blackmail demands, but also to the malicious software used to perform the encryption.

The idea of stealing the data first and also encrypting it in place came later, once internet connectivity reached the ubiquity and speed that it has today.

Attackers in the 2020s could, in theory, steal your data, delete the originals, and offer to sell you a download password to get it back, thereby sidestepping the need to build an encryption/decryption system at all. This approach has been tried, but deleting files so that they can’t later be “undeleted” means overwriting them with zeros or random garbage anyway. Leaving the original filenames and directories right there in plain sight, tantalizingly visible but with their contents turned into digital shredded cabbage, simply helps the criminals pile on more psychological pressure. “Close,” as the saying goes, “but no cigar.”

Steal but don’t encrypt

In recent years, some attackers, apparently including the Everest gang, have given up on the encryption part, and carry out just the “steal data and demand money to suppress it” side of this crime.

Presumably, they’ve decided that the encryption stage is an unnecessary complication.

Bulk file scrambling is something that requires extra work; that might easily go wrong and damage a cybergang’s “reputation” as criminals; that might increase the chance of being detected or even caught; and that companies with decent backup-and-restore processes for lost data don’t find terribly threatening.

We still generally refer to this sort of steal-the-data-only attack as “ransomware,” even though it is the company’s reputation and its customers’ privacy that is being held to ransom rather than the availability of the data itself.

But the Everest criminals weren’t happy about being accused of ransomware activities.

On the darkweb site where they brag about their exploits and announce the sale or leakage of stolen data (typically with countdown timers for dramatic effect), they blustered with:

Our current position on ransomware: Our group does not use or distribute ransomware. Many are aware that we have not used ransomware for many years and have not announced any plans to do so in the future.


They also acted as though they were legitimate IT troubleshooters or cybersecurity researchers:

In our opinion, the situation could have been resolved differently, without creating additional problems for passengers; there was no objective need to resort to measures that caused widespread disruptions.

The meaning of the disingenuous phrase “could have been resolved differently” was made clear further on, when the gang noted (my emphasis):

This behavior suggests that management either underestimated the risks of public disclosure through our blog or acted haphazardly, without any clear strategy.


The crooks even went as far as encouraging affected travelers to sue, or at least to seek compensation, on the grounds that Collins didn’t give anyone advance notice of the shutdown that affected check-ins.

In other words, victim intimidation: “See what happens when you don’t pay up?”

What to do?

  • Take your hat off to Collins for not paying up. Even if you yourself were inconvenienced by the disruption, and even if subsequent investigation by the regulators finds Collins to have had below-par cybersecurity, refusing to pay ransomware criminals should be applauded. The criminals explicitly stated that numerous gang members already “analyzed” millions of passenger records “in parallel” over several days, so their ability to delete all copies of it without trace (even if they really intended to do so) must be treated with great skepticism.


  • Get your backup and recovery procedures in order. A robust, regular, reliable, and recoverable backup is vital protection against data loss of any sort, from file-scrambling ransomware to fires and floods. Furthermore, non-malicious software error can be just as troublesome as malware damage. In this case, data files weren’t directly attacked, but restoring the system to a known-good state (for example in respect of software, configuration, active accounts, and access controls) was nevertheless a necessary step.
  • Prevention is better than cure, but prepare for the worst anyway. If you do get breached, you need to react quickly and decisively. It’s not enough just to kick the crooks out, because you also need to figure out what they did while they were in, given that they may have opened up holes for themselves to use in the future, or to sell on to other attackers. You may also need to front up to the regulators, your customers, and the media, so decide in advance how you will divide up those important human-facing tasks.
  • Remember that you don’t have to do it all yourself. Stay on top of cyberthreats without distracting staff from your core business. Sign up with SolCyber to do it for you, human style.
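One practical way to act on the two middle points above (working out what the intruders changed while they were in, and checking that a restore really did reach a known-good state for accounts and access controls) is to keep a baseline of the things that matter and diff the current host against it. The script below is an added example for this article, not SolCyber’s or Collins’s own tooling. The snapshot format, the user names, the SSH key placeholders and the cron lines are all constructed for illustration; collecting a real snapshot would use the host’s own tools (getent, sudo -l, crontab -l and so on), and the baseline must be captured before the incident and stored where an attacker cannot tamper with it, otherwise the comparison proves nothing.

```python
"""Diff a known-good baseline of users, sudo rules, SSH keys and cron jobs
against a current snapshot, reporting every deviation.

Added example, not code from the original article. Snapshot layout and
all sample data are constructed; the key strings are placeholders, not
real public keys.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    users: dict       # username -> {"uid": int, "groups": [sorted names], "shell": str}
    sudoers: set      # raw sudoers rule lines
    ssh_keys: dict    # username -> set of key fingerprints
    cron: set         # raw crontab lines


def fingerprint(pubkey: str) -> str:
    """Short SHA-256 fingerprint so keys can be compared without echoing them."""
    return "SHA256:" + hashlib.sha256(pubkey.strip().encode()).hexdigest()[:16]


def parse_snapshot(raw: dict) -> Snapshot:
    """Normalise a raw (constructed) snapshot dict into comparable structures."""
    return Snapshot(
        users={u["name"]: {"uid": u["uid"], "groups": sorted(u["groups"]), "shell": u["shell"]}
               for u in raw["users"]},
        sudoers=set(raw["sudoers"]),
        ssh_keys={user: {fingerprint(k) for k in keys}
                  for user, keys in raw["authorized_keys"].items()},
        cron=set(raw["cron"]),
    )


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> list[dict]:
    """Return one finding per added/removed/changed item; empty list means no drift."""
    findings: list[dict] = []
    for name in current.users.keys() - baseline.users.keys():
        findings.append({"kind": "user_added", "subject": name, "detail": current.users[name]})
    for name in baseline.users.keys() - current.users.keys():
        findings.append({"kind": "user_removed", "subject": name})
    for name in baseline.users.keys() & current.users.keys():
        before, after = baseline.users[name], current.users[name]
        if before != after:
            changed = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
            findings.append({"kind": "user_changed", "subject": name, "detail": changed})
    for rule in current.sudoers - baseline.sudoers:
        findings.append({"kind": "sudoers_added", "subject": rule})
    for rule in baseline.sudoers - current.sudoers:
        findings.append({"kind": "sudoers_removed", "subject": rule})
    for user in sorted(current.ssh_keys.keys() | baseline.ssh_keys.keys()):
        now, then = current.ssh_keys.get(user, set()), baseline.ssh_keys.get(user, set())
        for fp in sorted(now - then):
            findings.append({"kind": "ssh_key_added", "subject": user, "detail": fp})
        for fp in sorted(then - now):
            findings.append({"kind": "ssh_key_removed", "subject": user, "detail": fp})
    for line in current.cron - baseline.cron:
        findings.append({"kind": "cron_added", "subject": line})
    for line in baseline.cron - current.cron:
        findings.append({"kind": "cron_removed", "subject": line})
    return findings


# Constructed sample data: a pre-incident baseline and a post-incident snapshot.
KEY_ADMIN = "ssh-ed25519 AAAA-placeholder-admin-key admin@example"       # placeholder
KEY_ROGUE = "ssh-ed25519 AAAA-placeholder-unknown-key nobody@nowhere"    # placeholder

BASELINE = {
    "users": [
        {"name": "root", "uid": 0, "groups": ["root"], "shell": "/bin/bash"},
        {"name": "alice", "uid": 1001, "groups": ["alice", "developers"], "shell": "/bin/bash"},
        {"name": "bob", "uid": 1002, "groups": ["bob"], "shell": "/bin/bash"},
    ],
    "sudoers": ["%sudo ALL=(ALL:ALL) ALL"],
    "authorized_keys": {"root": [KEY_ADMIN]},
    "cron": ["0 2 * * * /usr/local/bin/backup.sh"],
}

CURRENT = {
    "users": [
        {"name": "root", "uid": 0, "groups": ["root"], "shell": "/bin/bash"},
        {"name": "alice", "uid": 1001, "groups": ["alice", "developers", "sudo"], "shell": "/bin/bash"},
        {"name": "bob", "uid": 1002, "groups": ["bob"], "shell": "/bin/bash"},
        {"name": "svc-sync", "uid": 1004, "groups": ["svc-sync", "sudo"], "shell": "/bin/bash"},
    ],
    "sudoers": ["%sudo ALL=(ALL:ALL) ALL", "svc-sync ALL=(ALL) NOPASSWD: ALL"],
    "authorized_keys": {"root": [KEY_ADMIN, KEY_ROGUE], "svc-sync": [KEY_ROGUE]},
    "cron": ["0 2 * * * /usr/local/bin/backup.sh", "*/10 * * * * /var/tmp/.cache/refresh"],
}


def run_example() -> list[dict]:
    """Diff the constructed baseline against the constructed current snapshot."""
    return diff_snapshots(parse_snapshot(BASELINE), parse_snapshot(CURRENT))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Every finding here is something an incident responder would want to explain before declaring the host clean: a new account in the sudo group, an existing user quietly promoted, a passwordless sudo rule, an unknown key in root’s authorized_keys, and a cron job under /var/tmp. Running the same diff after a restore, and getting an empty list, is the check that the restore actually reached the known-good state rather than merely rebooting the box.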

Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!



More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
