Jet engine dealer to major airlines discloses 'unauthorized activity'

Pulls part of system offline as Black Basta docs suggest the worst

Willis Lease Finance Corporation has admitted to US regulators that it fell prey to a "cybersecurity incident" after data purportedly stolen from the biz was posted to the Black Basta ransomware group's leak blog.

The form 8-K filed with the Securities and Exchange Commission (SEC) on February 9 revealed the NASDAQ-listed company became aware of a potential break-in on January 31, prompting swift efforts to remediate things.

"An investigation into the nature and scope of the incident was launched with the assistance of leading third-party cybersecurity experts and the company took steps to contain, assess, and remediate the activity, including taking certain systems offline," the filing reads.

"The company has not identified any unauthorized activity after February 2, 2024 and, as of the date of this filing, believes it has fully contained the unauthorized activity."

Corp using 'workarounds' while systems offline

The jet engine leasing company admitted that some internal processes have required workarounds to be developed so that it can continue to operate and service customers, without providing any specifics about what those workarounds entail.

Willis also said it's still working to determine the scope of the breach and whether any data was stolen or otherwise compromised. Law enforcement was informed of the break-in.

As is often the case with early-stage ransomware disclosures, the company appears to be reluctant to mention "ransomware" or even "attack" in its wording.

There remains the possibility that ransomware isn't involved at all, but the passport scans sprawled across Black Basta's website suggest the investigation into whether data was stolen needn't drag on for too long.

The ransomware group claims to have stolen 910 GB worth of company data relating to customers, staff, HR, non-disclosure agreements (NDAs), and more.

Black Basta posted a sample of documents online, including a screenshot of the file trees its affiliate claims to have accessed, as well as various HR documents that revealed the social security numbers of what appear to be company staff across various divisions and seniority levels.

Also included are scans of NDAs, details of what look like leasing agreements between Willis and various major airlines, as well as roughly 40 scans of identity documents – mainly passports.

Cross-referencing the names on those identity documents with internet and social media searches resulted in numerous matches to staff mainly in the US and UK, with a smattering of other countries included too.

El Reg contacted the company's comms team but has not received a response.

Willis Lease Finance has been in operation for more than 45 years and claims to be one of the longest-standing independent sellers and lessors of jet engines to major airlines in the world.

Black Basta is one of the most dangerous ransomware operations in the cybercrime world and has claimed attacks on major organizations such as Capita and more recently the UK's Southern Water.

The group is assumed to be one of the many offshoots formed by members of the now-shuttered Conti group that disbanded in 2022, and since then has netted more than $100 million from victims. ®
