Delaware, USA – January 13, 2020 – Albany International Airport’s systems suffered a ransomware attack on Christmas, and the airport authority decided to pay the ransom to restore data on the airport’s servers and its backup servers. Sodinokibi (aka REvil) affiliates compromised the managed service provider LogicalNet, from whose network the airport systems were infected. The attack affected only administrative files; operations at Albany International Airport were not impacted, and Transportation Security Administration and airline computers were not affected either. The incident became known only after LogicalNet disclosed the data breach. The airport authority did not reveal the sum paid to the attackers; it is only known that it was “under six figures” and that Albany International Airport’s insurer reimbursed part of the ransom payment.
Sodinokibi gangs are following the path set by the cybercriminals behind Maze ransomware, who began publishing stolen data to put additional pressure on companies that refuse to pay the ransom. Late last week, cybercriminals published 337MB of files stolen from Artech Information Systems before encrypting its systems. As in the case of Maze ransomware, the attackers published only a small part of the data, hoping that the victim would still pay the ransom. Two weeks ago, Travelex, the London-based currency exchange, was also hit by Sodinokibi ransomware. The company decided not to pay the attackers $3 million and to recover the data itself. Travelex states there is no evidence that personal data was stolen, but the hackers threaten to publish 5GB of sensitive customer data. You can use the Ransomware Hunter rule pack to spot and stop the attack at early stages; the rule pack leverages statistical profiling and behavioral analysis methods to spot signs of ransomware at every stage of the Cyber Kill Chain: https://my.socprime.com/en/integrations/ransomware-hunter