The LockBit ransomware gang has apparently struck again, having purportedly stolen 103GB worth of files from Bangkok Airways and promising to release them tomorrow, on Tuesday.
A Dark Web intelligence firm calling itself DarkTracer (apparently a separate intel firm from the better-known DarkTrace) tweeted a screen capture of a countdown clock from LockBit 2.0 that, as of Friday, showed four and a half days left. “LockBit ransomware gang has announced Bangkok Airways on the victim list,” DarkTracer tweeted. “It announced that 103GB of compressed files will be released.”
[ALERT] LockBit ransomware gang has announced Bangkok Airways on the victim list. It announced that 103GB of compressed files will be released. pic.twitter.com/LT2C0Eixxn
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) August 25, 2021
A day earlier, on Thursday, Bangkok Airways publicly acknowledged that it had been blasted with a cyberattack a week ago, on Monday, Aug. 23. It’s still investigating the incident “as a matter of urgency,” the company said in a press release, and is working on beefing up its defenses.
“Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team. Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.” —Bangkok Airways press release
So far, it looks like affected personal data belonging to passengers include:
The attackers evidently didn’t manage to access Bangkok Airways’ operational or aeronautical security systems, the company said. The company apologized, saying that “Bangkok Airways Public Company Limited takes the protection of passenger’s data very seriously and the airline is deeply sorry for the worry and inconvenience that this malicious incident has caused.”
The airline said that it has notified the proper authorities, including the Royal Thai police.
LockBit 2.0 is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations, LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.
The gang went on a hiring spree in the wake of DarkSide and REvil both shutting down operations, putting up wallpaper on compromised systems that includes text inviting insiders to help compromise systems and promising payouts of millions of dollars.
Earlier this month, LockBit attacked Accenture, a global business consulting firm with an inside track on some of the world’s biggest, most powerful companies.
At the time, Cyble researchers suggested in a Tweet stream that the Accenture attack could have been an insider job. “We know #LockBit #threatactor has been hiring corporate employees to gain access to their targets’ networks,” they tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.
Threatpost has reached out to DarkTracer for more details and an update, and has reached out to DarkTrace to find out more about its near-namesake. We also reached out to Bangkok Airways for more details, including whether a ransom has been demanded, whether the company has figured out how many customers were affected by the breach and whether it plans to offer identity-theft protection.
Watch Out for Phishing Attempts
Bangkok Airways recommends that passengers contact their bank or credit-card provider and change any compromised passwords ASAP. Also, it recommended that passengers keep an eye out for suspicious or unsolicited calls and/or emails – particularly phishing attempts claiming to be coming from Bangkok Airways that attempt to gather personal data.
Bangkok Airways won’t be contacting customers to ask for payment-card details or the like, it said. If passengers experience such phishing attempts, Bangkok Airways said that they should report them to law enforcement and to the airline, at: