RansomHub gang allegedly behind attack on Mexican airport operator

A hacking group recently spotlighted by U.S. agencies said it is responsible for an attack targeting an operator of 13 airports across Mexico.

Grupo Aeroportuario del Centro Norte announced last Friday that a cyber incident forced its IT team to turn to backup systems in an effort to continue running the airports it controls across central and northern Mexico. Known colloquially as OMA, the company runs airports in Monterrey and other major Mexican cities, handling more than 19 million passengers so far this year. 

On Thursday, the RansomHub operation claimed to be responsible for the incident, and threatened to leak 3 terabytes of stolen data if an undisclosed ransom is not paid. U.S. agencies warned of the group’s attacks in August, saying it was responsible for more than 210 incidents since emerging in February. 

“The OMA IT team, in collaboration with external cybersecurity experts, is actively investigating the incident to determine its scope and ensure the protection of the integrity, confidentiality and availability of our systems,” the company said, though it did not confirm RansomHub’s statements. 

“Our operations are running through alternative and backup systems. To date, there has been no material adverse effect on the operations, results or financial position of the company, which will be evaluated on an ongoing basis until the situation has been completely resolved.” 

In an earnings report released on Thursday, the NASDAQ-listed company reported more than $550 million in revenue for the first nine months of 2024. 

The company also addressed the cyber incident in the earnings report, writing that it has “continued to work with external advisors to assess the full scope of the breach.” 

“We have gradually restored certain services while continuing to collaborate with cybersecurity experts to safeguard the integrity of our systems,” the company said. “As of today, we have not identified a material adverse impact on the Company’s operations and financial position, though we are closely monitoring the situation and assessing any possible continued effects.”

The company did not respond to requests for comment but has repeatedly warned passengers about issues airports continue to face.

In a social media message on Thursday, the company said screens showing the terminal location of flights are still down but workers are stationed around the airports to help passengers. 

There are also QR codes to help passengers find boarding gates. The company urged passengers to arrive on time and follow local airline social media accounts for more information. 

The incident was first acknowledged by OMA on October 15, when it confirmed that screens across the airports it controls were down. 

Microsoft this week said RansomHub continues to dominate the ransomware landscape. 

“RansomHub still stood out as one of the most prevalent payloads used by some of the most active ransomware operators and other financially motivated actors like Manatee Tempest & Storm-1874,” the company said, noting that several other threat actors it tracks continue to use the RansomHub malware in attacks. 

Last year, one of the highest-traffic airports in Mexico said it was responding to a similar cyberattack that was eventually claimed by the LockBit ransomware gang.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
