Albany Airport Pays Off Sodinokibi Ransomware Gang: Report
Same Crypto-Locking Malware Recently Crippled Currency Exchange Firm Travelex
Officials at the Albany (New York) International Airport paid a ransom to cybercriminals after the facility's systems were hit with the Sodinokibi ransomware strain on Christmas, the Albany Times Union reports.
While the encrypted files have been unlocked and operations at the airport are running normally, the FBI and the New York State Cyber Command are still investigating the incident, according to the Times Union. The airport is also re-engineering its systems in the wake of the attack, the newspaper report notes.
Albany International Airport, owned by Albany County, handles about 50 flights a day, according to its website. At no point did the ransomware attack affect the airport's day-to-day operations, airport officials said.
The Sodinokibi ransomware strain, also known as REvil and Sodin, and the criminal gang behind it have been making headlines in recent weeks. For example, London-based foreign currency exchange firm Travelex has been held hostage by attackers using the ransomware who are demanding about $6 million in ransom and have threatened to release customer data if the money is not paid (see: Currency Exchange Travelex Held Hostage by Ransomware Attack). On Sunday, Travelex CEO Tony D’Souza released a statement saying the company is making progress in recovering access to its systems.
Albany Airport CEO Phil Calderone told the Times Union that the ransomware incident happened in the early hours of Dec. 25, when the attackers infiltrated the facility's maintenance servers, which are managed by Logical Net, a cloud and hosting managed service provider based in Schenectady, New York.
While the ransomware spread to other parts of the airport's main system and encrypted files, including back-up storage systems and Microsoft Excel documents that contained airport budget data, the cybercriminals did not access airline customers' information, including credit card numbers and other data, according to the report.
The ransomware attack did not affect the airport's day-to-day operations or U.S. Transportation Security Administration servers used at the facility, the newspaper reports.
To stop the attack, Calderone told the Times Union, officials decided to pay the ransom on Dec. 30, which he says came to "under six figures," in bitcoin. The airport is looking to recover that cost through its cyber insurance policy, and to recover from Logical Net the $25,000 deductible it paid on that policy, according to the newspaper.
In addition, Calderone says the airport has severed its ties to Logical Net following the incident, according to the news report.
Logical Net's CEO Tush Nikollaj told the Daily Gazette, another local newspaper, that while the attack came through his company's management systems, the airport is responsible for protecting its back-up servers and internal IT.
"While the attack vector for this incident came through our management system, the effects for the airport were different than many of our customers," Nikollaj told the newspaper. "Some of the back-up systems that failed to protect and preserve the airport data were selected and implemented before our relationship with the authority and without our recommendation."
Question of Payment
While many companies and organizations are tempted to pay off attackers to quickly regain access to their files and IT infrastructure, the FBI and other law enforcement agencies discourage the paying of ransom because it encourages other attacks and there is no guarantee that cybercriminals will unlock the files once the money is paid (see: Ransomware Attackers May Lurk for Months, FBI Warns).
Fabian Wosar, the CTO at Emsisoft, which has been tracking ransomware attacks that have targeted state and local government, schools and healthcare facilities over the last year, notes that paying criminals only creates better-funded attacks.
That’s why paying a ransom “is something that companies should only consider as a last resort when the data is critical and no other recovery option exists," Wosar tells Information Security Media Group. "The airport authority’s decision to pay is unlikely to have any bearing on the Sodinokibi operators' negotiations with Travelex. This is a well-established ransomware group, and the fact that one organization chose to pay is unlikely to alter their strategy."
To increase the odds that victims will pay a ransom, several ransomware gangs have started publishing the data they have accessed when targets have refused to pay. For example, on Monday, Bleeping Computer reported that the Sodinokibi gang has released data belonging to Artech Information Systems on a Russian underground forum.