Cyber Security News

European Airport Disruptions Caused by Sophisticated Ransomware Attack

Over the weekend, a sophisticated ransomware attack compromised Collins Aerospace’s Muse check-in and boarding systems, forcing key hubs including Heathrow, Brussels, and Berlin to return to manual processes.

Airlines reported hundreds of delayed and cancelled flights as security teams raced to contain the breach, restore encrypted data, and deploy software patches.

The Guardian stated that on Friday evening, threat actors deployed a ransomware payload believed to be a variant of the REvil/Sodinokibi family against Collins Aerospace’s virtual machines in its cloud-hosted environment.

Collins Aerospace Systems Ransomware Attack

The attack leveraged a spear-phishing email containing a malicious macro, which executed a PowerShell script to download the payload from a command-and-control (C2) server.

Once active, the ransomware used AES-256 encryption to lock file shares and virtual disks, appending the extension “.locked” and dropping a ransom note demanding payment in Monero.

Initial forensic analysis indicates the intruders exploited a zero-day vulnerability in the Citrix ADC appliance to gain a foothold, before escalating privileges via Windows Registry modifications and deploying Mimikatz for credential harvesting. 

Lateral movement was detected across the network using SMB and RDP protocols, with persistence established through scheduled tasks and modified Group Policy Objects (GPOs). 

The European Union Agency for Cybersecurity (ENISA) confirms that Collins Aerospace experienced file encryption on its primary Domain Controllers, propagating the impact to airport kiosks, bag-drop systems, and boarding gates.
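A defender-side sketch of how the mass renaming to “.locked” described above could be flagged from file-server rename telemetry. This is an added example, not code from the article, Collins Aerospace or any vendor; the event tuple layout, host names, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rename events: (host, ISO timestamp, old path, new path).
# Host names, paths and times are invented for illustration.
SAMPLE_EVENTS = (
    # FS01: six files renamed to *.locked within 25 seconds (burst).
    [("FS01", f"2025-01-01T22:00:{s:02d}", f"D:/share/doc{s}.xlsx",
      f"D:/share/doc{s}.xlsx.locked") for s in range(0, 30, 5)]
    # WS02: five *.locked renames, but five minutes apart (no burst).
    + [("WS02", f"2025-01-01T22:{m:02d}:00", f"C:/tmp/f{m}.txt",
        f"C:/tmp/f{m}.txt.locked") for m in range(0, 25, 5)]
    # WS03: a fast batch rename to *.bak (different suffix, ignored).
    + [("WS03", f"2025-01-01T22:00:{s:02d}", f"C:/data/r{s}.csv",
        f"C:/data/r{s}.csv.bak") for s in range(6)]
)


def detect_locked_bursts(events, suffix=".locked", threshold=5,
                         window=timedelta(seconds=60)):
    """Return {host: time of first alert} for hosts on which at least
    `threshold` files gained `suffix` within one sliding `window`."""
    parsed = sorted((datetime.fromisoformat(ts), host, old, new)
                    for host, ts, old, new in events)
    recent = defaultdict(deque)   # host -> timestamps of matching renames
    alerts = {}
    for t, host, old, new in parsed:
        # Count only renames that newly add the suffix to a file name.
        if not new.lower().endswith(suffix) or old.lower().endswith(suffix):
            continue
        q = recent[host]
        q.append(t)
        while t - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = t
    return alerts


if __name__ == "__main__":
    for host, when in detect_locked_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: mass rename to .locked by {when.isoformat()}")
```

The suffix is only an indicator taken from this report; a rule meant to outlive one campaign would also alert on rename rate regardless of the extension.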

While Collins Aerospace works on decryptor utilities and hotfixes, airport operators have implemented manual check-in counters and paper boarding passes, extending passenger processing times by up to two hours, the Guardian said.

Heathrow reports that “the vast majority of flights are operating as normal, although check-in may take longer than usual.” 

Brussels Airport cancelled 40 departing and 23 arriving flights on Monday alone, and Dublin warned of potential future disruptions despite no immediate cancellations.

Jonathan Hall KC, the UK government’s independent terrorism legislation reviewer, has suggested that a state-sponsored actor potentially leveraging advanced persistent threat (APT) tactics could be behind the breach. 

However, Collins Aerospace has not publicly attributed the attack to any group. In its Monday statement, RTX, the parent company, affirmed that “system integrity is being verified” and urged customers to apply the latest Muse software update (version 7.4.2).

Passengers are advised to verify flight status online and arrive no more than three hours before long-haul departures and two hours before short-haul services.


Florence Nightingale

Florence Nightingale is a senior security and privacy reporter, covering data breaches, cybercrime, malware, and data leaks from cyber space daily.
