Ransomware Group Publishes Airline Customer Data

I. Targeted Entities

  • Bangkok Airways Customers

II. Introduction

Last Thursday, the LockBit ransomware gang hit Bangkok Airways with a cyberattack and allegedly stole 103 gigabytes of files. The gang then published the data for the public to see, two days after the airline failed to pay the ransom.

III. Background Information

Following the breach, 103 GB of compressed files containing private data from Bangkok Airways was on the brink of being released to the public. The private data included passengers’ names, family names, nationality, gender, phone numbers, email addresses, other contact information, passport information, historical travel information, partial credit card information, and special meal information.[2] Following a recent attack on the consulting company Accenture, LockBit 2.0 claims to have obtained credentials that were used in the later attacks on Bangkok Airways and Ethiopian Airlines. Accenture, however, dismisses the ransomware gang's claims as false, citing its efforts to isolate the two servers as soon as the presence of threat actors was detected.[2] Like its ransomware counterparts DarkSide and REvil, LockBit 2.0 uses an affiliate model to rent out its ransomware platform. Customers of Bangkok Airways are advised to contact their banks, change compromised passwords, and keep an eye out for suspicious calls and/or emails.


IV. MITRE ATT&CK

  • T1486 – Data Encrypted for Impact
    REvil utilizes ransomware attacks to encrypt target data.
  • T1083 – File and Directory Discovery
    REvil utilizes code that scans and compiles a list of directories on the target network.

V. Recommendations

  • Phishing Awareness Training
    Bangkok Airways advised customers to be aware of possible phishing attempts due to the latest data leak. Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Malware Monitoring
    Continuously monitor current and new types of malware. Stay up to date on intel and advancements to prevent, defend, and mitigate these types of threats.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a

VI. Indicators of Compromise

The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.


VII. References

(1) Vaas, Lisa. “LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files.” Threatpost English Global, September 1, 2021. https://threatpost.com/lockbit-publishes-bangkok-air-files/169101/.

(2) Vaas, Lisa. “LockBit Gang to Publish 103GB of Bangkok Airways Customer Data.” Threatpost English Global, August 30, 2021. https://threatpost.com/lockbit-bangkok-airways-breach/169019/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev, and Ipsa Bhatt.