Aviation Ransomware Threat Landscape
- Tech Man
- Jul 29, 2023
Updated: Jul 30, 2023

Introduction
In my earlier article on the aviation cyber threat landscape, it was observed that ransomware attacks top the list of past aviation/aerospace-related cyber incidents [1]. This is consistent with the global trend, which sees ransomware as one of the biggest global cyber threats [2]. This could be because it is seen as one of the most lucrative forms of cyber attack, forcing victim organizations to pay a ransom to unlock encrypted data or to prevent stolen data from being leaked.
Global Trend
Ransomware attacks have been on the rise in recent years [3][4], and they are expected to remain a major cyber threat. There are probably two notable reasons for the rise in ransomware attacks:
1.) Additional leverage through double extortion. Ransomware attacks are becoming more sophisticated. Attackers have been observed using techniques such as double extortion, where they exfiltrate a victim's data in addition to encrypting it, which gives them additional leverage to demand ransom payments. It appears that the Maze ransomware strain emerged as the first high-profile case of double extortion ransomware in November 2019, when the attacker threatened to release stolen data if the victim refused to pay the ransom [5].
2.) Increase in ransomware-as-a-service (RaaS). RaaS is a business model where ransomware operators develop ransomware and then sell or rent it to affiliates. This makes it easier for attackers who lack the technical skills to develop their own ransomware to launch ransomware attacks [6].
How is this ransomware landscape analysis conducted?
The analysis is based on past aviation/aerospace-related ransomware incidents between 2017 and May 2023, as observed from publicly available information (e.g. incident news).
Ransomware Trend in the Aviation Industry
1.) Increasing number of ransomware incidents in the aviation industry.
Consistent with the global trend, the aviation industry also saw an increase in ransomware incidents.

2.) The majority of the incidents involved aerospace and engineering companies and airlines.
These aviation entities possess valuable data such as intellectual property and passenger information. There is significant business impact if this data is encrypted or exfiltrated. Also, aviation companies have seen increased revenue with the recovery of the aviation industry from the COVID-19 pandemic. Thus, it is possible that they are deemed to have the money to pay ransoms in the event of a ransomware attack.

3.) The AMER region accounted for a higher percentage of incidents.
The reason may be that the aerospace and airline industries in America account for a larger global market share by revenue [7][8].

AMER - North, Central, and South America
APAC - Asia and Pacific
EMEA - Europe, the Middle East, and Africa
4.) The majority of the incidents involved LockBit ransomware.
From the past aviation/aerospace-related ransomware incidents, 18 ransomware strains/groups were observed. Consistent with the global trend, LockBit is the most active ransomware strain/group [9][10]. The LockBit group is also a ransomware-as-a-service (RaaS) provider. Information on the 18 ransomware strains/groups can be seen here.

5.) The majority of the ransomware strains are known to target both Windows and Linux operating systems.

6.) Top 20 ransomware techniques are mainly associated with Defense Evasion and Discovery.
The top 20 ransomware techniques are shown below. They are based on the MITRE ATT&CK framework and were filtered from the techniques of the ransomware strains observed in the past aviation/aerospace-related ransomware incidents. They were mainly associated with Defense Evasion and Discovery. Tools have been developed to visualize the ransomware techniques in the MITRE Matrix (Enterprise), and more information can be seen here.
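As an added illustration (not the article's own tooling or data), the sketch below shows one way such a ranking can be built for detection prioritisation: count how many strains use each ATT&CK technique, keep the top N, total them per tactic, and emit a layer-style JSON for a matrix heat map. The strain names are placeholders, the strain-to-technique sets are constructed sample data, and the tactic table is a small hand-written subset of ATT&CK Enterprise.

```python
import json
from collections import Counter

# Constructed sample data: placeholder strains -> ATT&CK technique IDs.
STRAIN_TECHNIQUES = {
    "strain_a": {"T1486", "T1490", "T1082", "T1083", "T1562.001", "T1027"},
    "strain_b": {"T1486", "T1490", "T1082", "T1057", "T1070.004"},
    "strain_c": {"T1486", "T1083", "T1027", "T1562.001", "T1021.002"},
    "strain_d": {"T1486", "T1082", "T1083", "T1027", "T1059"},
}

# Technique -> tactic shortname (hand-written subset of ATT&CK Enterprise).
TACTIC = {
    "T1486": "impact", "T1490": "impact",
    "T1082": "discovery", "T1083": "discovery", "T1057": "discovery",
    "T1027": "defense-evasion", "T1562.001": "defense-evasion",
    "T1070.004": "defense-evasion",
    "T1059": "execution", "T1021.002": "lateral-movement",
}

def rank_techniques(strains, top_n=20):
    """Return [(technique_id, strain_count)] for the top_n techniques."""
    counts = Counter(t for techs in strains.values() for t in techs)
    # Highest count first; ties broken by ID so the output is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]

def tactic_totals(ranked):
    """Count how many ranked techniques fall under each tactic."""
    return Counter(TACTIC.get(tid, "unmapped") for tid, _ in ranked)

def navigator_layer(ranked, name):
    """Build a minimal layer-style dict: one scored entry per technique."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "tactic": TACTIC.get(tid, "unmapped"),
             "score": n}
            for tid, n in ranked
        ],
    }

if __name__ == "__main__":
    ranked = rank_techniques(STRAIN_TECHNIQUES)
    print(dict(tactic_totals(ranked)))
    print(json.dumps(navigator_layer(ranked, "sample ransomware layer"),
                     indent=2))
```

Techniques with the highest score are the ones shared by the most strains, so detections written for them cover the widest part of the observed set.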


Conclusion
This analysis aims to give readers an understanding of the ransomware threats facing the aviation/aerospace industry, because ransomware attacks can disrupt air transport, which is an essential service. Thanks for reading this article, and I hope you find the information useful.
References