LockBit Jumps Its Own Countdown, Publishes Bangkok Air Files

After Bangkok Airways disclosed that it had been clobbered by a cyberattack last week, the LockBit 2.0 ransomware gang tossed its own countdown clock in the trash and went ahead and published what it claims are the airline’s encrypted files on its leak site.

BleepingComputer posted an image (shown below) of LockBit’s “Encrypted Files Are Published” post, dated Saturday, Aug. 28, 19:37:00. That’s three days earlier than its original countdown clock: In that post, the ransomware-as-a-service (RaaS) gang promised that encrypted files would be published yesterday (Tuesday) if the airline didn’t pay the ransom. The sum of the demanded extortion hasn’t been reported.Saturday’s LockBit post reads:

“Bangkok Airways. We Have More Files (Extra +200GB) To Show And Many More Things To Say … They said : We protect our customers privacy” But with P@ssw0rd for all system and domain admins Extra :”

The post included a series of redacted links.

The news outlet, which has been talking with the gang, reported that before LockBit went after Bangkok Airways on Aug. 23, the group also published encrypted files from another airline: Ethiopian Airlines.

The threat actor told the publication that the Accenture breach from earlier this month yielded the credentials used in both of the airline attacks. LockBit also claimed to have encrypted the systems of an unnamed airport using Accenture software.

Bangkok Airways Breach

Bangkok Airways announced the breach last week, on Thursday, and LockBit 2.0 started a countdown clock the next day. In its initial post, the gang claimed to have stolen 103GB worth of compressed files that it would release yesterday, on Tuesday, and that they had a lot more – those +200GB of files it mentioned again in Saturday’s post – that they could add to the misery.

Bangkok Airways said at the time it disclosed the Aug. 23 attack that it’s working on beefing up its defenses.

The breach involved various personal data belonging to passengers, including:

Passenger name Family name Nationality Gender Phone number Email address Other contact information Passport information Historical travel information Partial credit-card information Special meal information

The attackers evidently didn’t manage to access Bangkok Airway’s operational or aeronautical security systems, the company said in its public disclosure.

Accenture Breach Could Spread Far More Ripples

Earlier this month, LockBit attacked Accenture, a global business consulting firm with an insider track on some of the world’s biggest, most powerful companies. It’s hardly surprising that airlines (and, going by what LockBit claimed, at least one airport) have apparently fallen prey to LockBit, given the cornucopia of credentials the gang presumably drained out of Accenture.

Accenture’s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its 2020 annual report, that includes e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world’s largest tech consultancy firms, and employs around 569,000 people across 50 countries.

Those organizations must be worried, to say the least. Not only did their security provider get drained, thus potentially compromising an untold number of its customers, but it got drained by a group with an increasingly powerful arsenal: According to a report released recently by Trend Micro, attacks in July and August have employed LockBit 2.0 ransomware that feature a souped-up encryption method.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.