Ransomware grounds some flights at Indian budget airline SpiceJet

Incident comes a week after 'SAP glitch' kept some planes on the taxiway

Indian budget airline SpiceJet on Wednesday attributed delayed flights to a ransomware attack.

SpiceJet said the attack was quickly contained and rectified with flights again operating normally.

The company was later forced to clarify that its definition of "normally" allowed for the knock-on effect of the ransomware-delayed flights on the rest of its schedule, so although it had dealt with the ransomware, passengers could still expect disruptions.

Some passengers, including high-profile ones such as Satish Poonia, president of India's ruling Bharatiya Janata Party in Rajasthan, took to Twitter to complain about the delay and the lack of communication from the airline.

One passenger complained of sitting on a stationary aircraft for three hours and 45 minutes.

SpiceJet is the second largest airline in India measured by domestic passengers, and in pre-COVID 2019 claimed 13.6 percent market share.

The carrier has not discussed what variety of ransomware it experienced, the systems it impacted, and whether it paid the ransom or was able to swiftly restore systems. Whatever SpiceJet did to defeat ransomware, it fixed the problem at jet speed - operations resumed within hours rather than stretching into days as happened when Colonial Pipeline was infected.

The incident is SpiceJet's second tech mess in as many weeks, after it was last week denied departures from Delhi because the company was not up to date with payments to the Airports Authority of India (AAI).

The airline attributed the nonpayment to “a technical glitch in SAP”, according to The Times of India.

In 2020, a US security researcher reportedly gained access to one of SpiceJet's systems by brute-forcing an easily guessable password. That effort yielded an unencrypted database backup file containing private information of more than 1.2 million passengers.

SpiceJet is not alone among airlines when it comes to being slowed down by ransomware. Bangkok Airways suffered a LockBit attack in August 2021, resulting in over 100GB of data being disclosed when the airline chose not to pay the ransom. ®

Biting the hand that feeds IT © 1998–2022