LockBit Gang to Publish 103GB of Bangkok Air Customer Data

The airline announced the breach on Thursday, and the ransomware gang started a countdown clock the next day.

The LockBit ransomware gang has apparently struck again, having purportedly stolen 103GB worth of files from Bangkok Airways and promising to release them tomorrow, on Tuesday.

A Dark Web intelligence firm calling itself DarkTracer (apparently a separate intel firm from the better-known DarkTrace) tweeted a screen capture of a countdown clock from LockBit 2.0 that, as of Friday, showed four and a half days left. “LockBit ransomware gang has announced Bangkok Airways on the victim list,” DarkTracer tweeted. “It announced that 103GB of compressed files will be released.”

A day earlier, on Thursday, Bangkok Airways publicly acknowledged that it had been blasted with a cyberattack a week ago, on Monday, Aug. 23. It’s still investigating the incident “as a matter of urgency,” the company said in a press release, and is working on beefing up its defenses.

“Upon such discovery, the company immediately took action to investigate and contain the event, with the assistance of a cybersecurity team. Currently, the company is investigating, as a matter of urgency, to verify the compromised data and the affected passengers as well as taking relevant measures to strengthen its IT system.” —Bangkok Airways press release

So far, it looks like affected personal data belonging to passengers include:

  • Passenger name
  • Family name
  • Nationality
  • Gender
  • Phone number
  • Email address
  • Other contact information
  • Passport information
  • Historical travel information
  • Partial credit-card information
  • Special meal information

The attackers evidently didn’t manage to access Bangkok Airways’ operational or aeronautical security systems, the company said. The company apologized, saying that “Bangkok Airways Public Company Limited takes the protection of passenger’s data very seriously and the airline is deeply sorry for the worry and inconvenience that this malicious incident has caused.”

The airline said that it has notified the proper authorities, including the Royal Thai police.

LockBit 2.0

LockBit 2.0 is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations, LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.

The gang went on a hiring spree in the wake of DarkSide and REvil both shutting down operations, putting up wallpaper on compromised systems that includes text inviting insiders to help compromise systems and promising payouts of millions of dollars.

Earlier this month, LockBit attacked Accenture, a global business consulting firm with an insider track on some of the world’s biggest, most powerful companies.

At the time, Cyble researchers suggested in a Tweet stream that the Accenture attack could have been an insider job. “We know #LockBit #threatactor has been hiring corporate employees to gain access to their targets’ networks,” they tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.

According to a report released two weeks ago by Trend Micro, attacks in July and August have employed LockBit 2.0 ransomware that features a souped-up encryption method.

Threatpost has reached out to DarkTracer for more details and an update, and has reached out to DarkTrace to find out more about its near-namesake. We also reached out to Bangkok Airways for more details, including whether a ransom has been demanded, whether the company has figured out how many customers were affected by the breach and whether it plans to offer identity-theft protection.

Watch Out for Phishing Attempts

Bangkok Airways recommends that passengers contact their bank or credit-card provider and change any compromised passwords ASAP. Also, it recommended that passengers keep their eyes out for suspicious or unsolicited calls and/or emails – particularly phishing attempts claiming to be coming from Bangkok Airways that attempt to gather personal data.

Bangkok Airways won’t be contacting customers to ask for payment-card details or the like, it said. If passengers experience such phishing attempts, Bangkok Airways said that they should report it to law enforcement and to the airline, at:

  • Toll-free number 1-800-010-171 (within Thailand) between 8 a.m. and 5:30 p.m. (Thai local time)
  • Toll number 800-8100-6688 (Overseas) between 8 a.m. and 5:30 p.m. (Thai local time)
  • Email: infosecurity@bangkokair.com

Step Numero Uno: IDing Point of Entry

Quentin Rhoads-Herrera, director of professional services at managed detection and response (MDR) services provider CRITICALSTART, observed that Bangkok Airways has a tall order ahead of it when it comes to notifying affected customers in several different countries. Just one complication is the fact that it entails different regulatory bodies overseeing various regulations – the General Data Protection Regulation (GDPR) rules, for example.

“The primary thing Bangkok Air needs to do is identify the point of entry used by LockBit,” Rhoads-Herrera observed to Threatpost on Monday. “If LockBit group was able to gain entry due to an unpatched externally facing system, then not only do they need to evaluate their current external exposure, but they also need to improve their overall asset inventory and patch management processes to ensure systems are updated often. Understanding the way the criminals initially gained entry is pivotal to ensuring this doesn’t occur in the future.”

He stressed that Bangkok Air also needs to understand everything LockBit did once on the inside to ensure that it hardens its defenses and alerts on similar future activities. “With enough determination, any criminal can breach a company,” Rhoads-Herrera commented via email. “This is why it is very important that organizations work to lowering their time to detect and respond as much as possible to limit the damage of such a breach.”

He also noted that – assuming that this was a ransomware strike – the fact that it’s coupled with a threat to disclose data makes it a double extortion attack, in which the injury of paralyzed systems is compounded by the misery of threatened information disclosure.

All the more reason to test backup infrastructure, he noted: “It’s very important that organizations not only protect their backup infrastructure so they can recover after a breach but also protect their most important data and alert on large data leaving their infrastructure. In this instance, the data LockBit has obtained can be used to extort Bangkok Airways for additional crypto currency or they can release it as a way to damage the brand of Bangkok Airways at the same time of receiving notoriety as a criminal organization.”

083021 15:41 UPDATE: Added input from Quentin Rhoads-Herrera.