Albany County Airport Authority hit by a ransomware attack

Pierluigi Paganini January 10, 2020

Officials at the Albany County Airport Authority revealed that New York airport servers were infected with ransomware on Christmas.

Officials at the Albany County Airport Authority announced this week that a ransomware attack hit the New York airport and its computer management provider LogicalNet over Christmas.

The news of the attack was disclosed after LogicalNet reported its own management services network had been breached. According to the experts, the ransomware encrypted files on the authority’s servers and its backup servers.

“Officials at the Albany County Airport Authority announced Thursday that the attack came to light after Schenectady-based LogicalNet reported its own management services network had been breached. From there, the virus spread to the authority’s servers and backup servers, encrypting files,” reported the Associated Press.

The infection was discovered on Christmas Day. The ransomware encrypted administrative files, but no personal or financial traveler data was exposed. Experts reported that the malware family involved in the attack against LogicalNet was the Sodinokibi ransomware, the same malicious code that infected systems at the London-based Travelex currency exchange.

Operations at the Albany International Airport were not impacted by the attack, and Transportation Security Administration and airline computers were not affected either.

The sad aspect of the story is that the airport authority decided to pay the ransom, with the cost covered by its insurance carrier. Officials did not disclose the amount of the ransom; they only said that it was “under six figures.”

“The authority’s insurance carrier authorized payment of the ransom, which airport CEO Philip Calderone only said was ‘under six figures,’” reported the Times Union. “The ransom was paid in Bitcoin. The airport authority will seek to recover the $25,000 deductible it paid on its insurance policy from LogicalNet. The airport’s insurer reimbursed the authority for the rest of the ransom payment.”

The authority paid the ransom on December 30, and crooks sent it the decryption key a few hours later.

“Thanks to the fast action by our IT department, airport operations during one of the busiest travel periods of the year were not impacted and no passenger or airline data was acquired or accessed,” Calderone said. “Within hours the authority was able to resume all administrative functions with systems functioning as normal. We are grateful for the assistance provided by the New York State Cyber Command, the FBI and our consultant ABS.”

The authority reported the incident to the local authorities and law enforcement, including New York State Cyber Command and the FBI.

“Historical records show the VPN server used by Albany County Airport Authority (http://vpn.albanyairport.com) was not using Pulse Secure – so unlike Travelex, it probably wasn’t the vector of compromise,” explained the popular researcher Troy Mursch from @bad_packets. “Regardless, organizations need to ensure they’ve applied the latest patches to their VPN servers as multiple threat actors continue to target vulnerable hosts. CISA published an advisory regarding the continued exploitation today here: https://www.us-cert.gov/ncas/alerts/aa20-010a.”


Pierluigi Paganini

(SecurityAffairs – ransomware, airport)
