BlackCat ransomware responsible for the Swissport attack and data leak

BlackCat ransomware group claimed responsibility for the attack that caused flight delays and service disruptions


The hacker group is also known as ALPHV, and its ransomware attack on Swissport caused major issues with the company's services. The firm has a presence in 310 airports in 50 countries, and its revenue reaches 3 million euros. It provides cargo handling, cleaning, maintenance, and lounge hospitality services. The ransomware hit the firm and caused major issues, including terabytes of stolen data.[1] The BlackCat group has now leaked part of the data obtained during the ransomware attack.[2]

This threat is a ransomware-as-a-service operation[3] that recruits affiliates who already target various organizations around the world. The biggest difference between this and other common ransomware lies in how far it takes the double-extortion technique. Malware creators extort money from the target and steal sensitive information that can be valuable. The threat then encrypts files on the system and threatens to release the obtained data publicly.

The BlackCat ransomware gang goes even further than this: the threat adds another scare tactic, threatening to launch a denial-of-service attack if no payment is transferred. This is the triple-extortion technique.[4] Affiliates working with the gang also make up to 90% from those payments, so ransomware affiliates may be further motivated to work with the malware creators.

Leaking the terabyte of information

Swissport disclosed the ransomware attack and informed people about the consequences for its systems. A week later, the BlackCat ALPHV ransomware gang posted a small sample of the obtained files and claimed to have stolen a lot more data from the Swissport networks. They state that the entire 1.6 TB of stolen information could be sold.

The data leak page contains valuable data, and the threat actors claim to have a database with various samples of the information. Those details include images of passports, internal business memos, and details of job candidates with personally identifiable information such as:

  • full name,
  • passport numbers,
  • nationality,
  • religion,
  • email,
  • phone numbers,
  • job role,
  • interview scores,
  • other recruitment details.

Swissport has more than 66 000 employees worldwide and handles 282 million passengers and 4.8 million tons of cargo every year. This is a major link in the travel industry chain.

These BlackCat attacks come after the BlackMatter shutdown

This ransomware emerged after the shutdown of another major ransomware group.[5] This year, the ransomware creators even confirmed the relation to the BlackMatter/DarkSide ransomware operations. Security researchers report many instances of ALPHV group activity, and BlackCat ransomware seems to be a particular threat that other gangs may be lured to use.

Since the release in November 2021, these criminals have had a lot of targets on their radar in various countries, such as the USA, Australia, and India. The criminals behind the infection stand to make a fortune, since the demands in these triple-extortion attacks range from around $400,000 to $13 million. The preferred cryptocurrency is Bitcoin or Monero.

It is responsible for attacks on oil companies in Germany and other recent attacks. This is highly sophisticated ransomware, and the threat actors clearly rely on powerful tools like DDoS to pressure victims into paying the ransom.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.