Jet engine dealer to major airlines discloses 'unauthorized activity'

Pulls part of system offline as Black Basta docs suggest the worst


Willis Lease Finance Corporation has admitted to US regulators that it fell prey to a "cybersecurity incident" after data purportedly stolen from the biz was posted to the Black Basta ransomware group's leak blog.

The form 8-K filed with the Securities and Exchange Commission (SEC) on February 9 revealed the NASDAQ-listed company became aware of a potential break-in on January 31, prompting swift efforts to remediate things.

"An investigation into the nature and scope of the incident was launched with the assistance of leading third-party cybersecurity experts and the company took steps to contain, assess, and remediate the activity, including taking certain systems offline," the filing reads.

"The company has not identified any unauthorized activity after February 2, 2024 and, as of the date of this filing, believes it has fully contained the unauthorized activity."

Corp using 'workarounds' while systems offline

The jet engine leasing company admitted that some internal processes have required workarounds to be developed so that it can continue to operate and service customers, without providing any specifics about what those workarounds entail.

Willis also said it's still working to determine the scope of the breach and whether any data was stolen or otherwise compromised. Law enforcement was informed of the break-in. 

As is often the case with early-stage ransomware disclosures, the company appears to be reluctant to mention "ransomware" or even "attack" in its wording.

There remains the possibility that ransomware isn't involved at all, but the passport scans sprawled across Black Basta's website suggest the investigation into whether data was stolen needn't drag on for too long.

The ransomware group claims to have stolen 910 GB worth of company data relating to customers, staff, HR, non-disclosure agreements (NDAs), and more.

Black Basta posted a sample of documents online, including a screenshot of the file trees its affiliate claims to have accessed, as well as various HR documents that revealed the social security numbers of what appear to be company staff across various divisions and seniority levels.

Also included are scans of NDAs, details of what look like leasing agreements between Willis and various major airlines, as well as roughly 40 scans of identity documents – mainly passports. 

Cross-referencing the names on those identity documents with internet and social media searches resulted in numerous matches to staff mainly in the US and UK, with a smattering of other countries included too.

El Reg contacted the company's comms team but has not received a response.

Willis Lease Finance has been in operation for more than 45 years and claims to be one of the longest-standing independent sellers and lessors of jet engines to major airlines in the world.

Black Basta is one of the most dangerous ransomware operations in the cybercrime world and has claimed attacks on major organizations such as Capita and more recently the UK's Southern Water.

The group is assumed to be one of the many offshoots formed by members of the now-shuttered Conti group that disbanded in 2022, and since then has netted more than $100 million from victims. ®
