LockBit hits companies again: Bangkok Airways passenger data leaked

LockBit ransomware attempts attacks on global organizations in China, Italy, Taiwan, the UK

Bangkok Airways admits the attack

Data breach followed the ransomware attack, exposing passengers' passport and personal information.

Bangkok Airways apologized for the data leak caused by a cybersecurity incident. The company was confirmed to have been hit by the LockBit ransomware[1], and it stated that a cyberattack earlier in August compromised the personal data of passengers. LockBit itself announced the leak and claimed the breach, while threatening to publish the stolen data unless the ransom was paid.

Following this attack, the gang stated that it had enough important information and data to breach some Accenture clients too. LockBit had breached Accenture earlier and even demanded a $50 million payment to stop the leak of an alleged 6TB of stolen information.[2]

LockBit ransomware leaked more than 200GB of data belonging to Thailand's airline. The company found out about the attack a few days later and took measures to contain the damage. An investigation was started to determine what kind of data was leaked. Later, Bangkok Airways officials stated that hackers accessed the personal information of the passengers.

The personal information could include full names and nationality, phone numbers, emails and, more dangerously, passport information or partial credit card details. The airline has warned customers that hackers could impersonate a company representative in unsolicited calls or emails to collect more data.

Gang threatens to expose data of Accenture customers next

The LockBit gang threatens to keep targeting Accenture's clients after a successful hack that gave it access to credentials that would enable it to go after the company's customers. Initially, after the attack, Accenture's spokesperson downplayed the incident and said that it had little impact on the company's operations.[3]

However, the threat actors stated that the information gained is significant enough to cause real damage. The LockBit ransomware-as-a-service (RaaS) operation has been around since September 2019, but version 2.0 of the malware emerged earlier in 2021. LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment.

The threat will automatically scout for valuable targets, spread the infection, and encrypt all accessible computer systems on a network. This ransomware is used for highly targeted attacks against enterprises and other organizations. With this self-piloted approach, LockBit attackers have made a mark by threatening organizations globally with operational disruption, extortion, and data leaks.[4]

LockBit is evolving and becoming more dangerous

The cybercriminal world seems to never sleep: researchers have discovered that a new ransomware is emerging. For now, the potential new threat is named LockFile. It uses a unique intermittent encryption method to evade detection and adopts tactics from previous ransomware gangs.

It was discovered by Sophos researchers who state that LockFile ransomware encrypts every 16 bytes of a file, which means some ransomware protection solutions don’t notice it. This kind of intermittent encryption was never seen in ransomware attacks before.
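Why partial encryption slips past a content check, and what a finer-grained check sees, is shown in the added example below. It is not code from Sophos or from this article. The alternating-block layout, the 7.5 bits/byte alert threshold, the sample text and all function names are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16            # block size named in the article
ENTROPY_ALERT = 7.5   # assumed "looks encrypted" threshold, bits per byte
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def scan(data: bytes) -> dict:
    """Compare a whole-file statistic with a per-block view of a text file."""
    # A block is flagged when it contains any byte that plain text would not.
    flags = [not set(b) <= TEXT_BYTES for b in blocks(data)]
    flips = sum(a != b for a, b in zip(flags, flags[1:]))
    h = entropy(data)
    return {
        "entropy": h,
        "entropy_alert": h >= ENTROPY_ALERT,
        "non_text_ratio": sum(flags) / max(len(flags), 1),
        "alternation": flips / max(len(flags) - 1, 1),
    }

def constructed_sample(plain: bytes) -> bytes:
    """Constructed test input: alternate blocks are overwritten with hash
    output standing in for ciphertext (assumed layout, not a real sample)."""
    out = []
    for i, b in enumerate(blocks(plain)):
        if i % 2 == 0:
            b = hashlib.sha256(i.to_bytes(4, "big")).digest()[:len(b)]
        out.append(b)
    return b"".join(out)

# Constructed plain-text document and its partially overwritten copy.
PLAIN = b"Booking record: passenger name, nationality, phone, email.\n" * 40
TAMPERED = constructed_sample(PLAIN)

if __name__ == "__main__":
    for name, data in (("plain", PLAIN), ("tampered", TAMPERED)):
        print(name, scan(data))
```

The whole-file entropy of the tampered copy stays under the alert threshold because half the bytes are still plain text, while the per-block view shows half the blocks are no longer text and that they strictly alternate with untouched ones.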

LockBit 2.0 prides itself on having one of the fastest and most efficient encryption methods in today’s ransomware threat landscape

Firstly, this ransomware exploits unpatched ProxyShell flaws and seizes control of a victim’s domain. Hackers use Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijack the authentication session, and manipulate the results.[5]

To avoid ransomware attacks, users should set up and test backups and apply ransomware protection in their security tools. Email, mobile devices, web surfing, and the network are usually the places where hackers hit.[6] With these attacks on the rise, and more than 4,000 happening daily, it is important to be vigilant and safe.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
