Ransomware attack on Air Albania: what’s going on


Yesterday evening, January 30, 2023, Lockbit announced that it had carried out a ransomware attack against Air Albania, the flag carrier of Albania, 50% owned by Turkish Airlines.

Although almost 24 hours have passed since the incident, the Albanian airline has not yet issued any official press release regarding the cyberattack. For more details we turned to Andrea Saturnino, ICT Security Specialist at Sababa Security.

Air Albania at the center of a ransomware-type hacker attack

Andrea Saturnino explains that, according to the little information available, Lockbit has reportedly set February 14 as the deadline for the ransom demanded from Air Albania. It is certainly not the first time that an airport has been targeted by hackers. Just think of the attack carried out by Ragnar Locker against TAP Air Portugal, the one by Daixin Team against Air Asia, or the one, again by Lockbit, against Kuwait Airlines.

“Everything leads to the confirmation of a trend, which has been going on for some years now, of cyber attacks on critical infrastructures, such as hospitals, airports and financial systems, in Albania as in the rest of the world”, says Andrea Saturnino. “The situation has been exacerbated by the war in Ukraine and by the crisis linked to the pandemic, but also by the entry into play in recent years of Chinese and Iranian parastatal groups which increasingly aim to attack government systems or critical European or North American infrastructures, with the purpose of seriously damaging the systems and generating widespread disservices.”

Andrea Saturnino, ICT Security Specialist at Sababa Security

For over a year, Albania has been under constant cyber threat. Several attacks have already hit major government systems, including the police. According to Tirana, Iran is behind these attacks. Albania has in fact provided asylum to around 3,000 members of the MEK, the Iranian opposition party. The attack on the computer system of the police might have had the aim of obtaining information regarding movements entering and leaving Albanian territory, thus allowing the attacker to know the names of people present in Albania.

What do we know about Lockbit, the hacker group behind the attack

Lockbit has for several years been the most prolific criminal group in terms of ransomware attacks. In 2022 alone, it accounted for 44% of all ransomware attacks in the world. Although this specific attack was officially claimed by Lockbit, it is possible that the group “subcontracted” its ransomware to other groups, perhaps smaller or parastatal entities.

It is no coincidence that Lockbit was one of the first criminal groups to implement the RaaS (Ransomware as a Service) model. This model allows the group to “lease” its ransomware to other groups or organizations, which then carry out the attacks. A part of the profit resulting from each attack is then transferred to Lockbit as payment for what, to all intents and purposes, we could define as a “rental”.