
Suspect arrested in cyberattack on Collins Aerospace check-in software


A suspect has been arrested in the UK in the Collins Aerospace case that disrupted major European airports last weekend, the HardBit ransomware was identified, and European airports are still struggling to return to normal. Here’s the latest:

Suspect arrested in Collins Aerospace ransomware attack

The UK’s National Crime Agency reported Sept. 24 that “a man in his forties” was arrested in West Sussex on suspicion of violations of the Computer Misuse Act and was released on bail.

“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” said Paul Foster, head of the NCA’s National Cyber Crime Unit.

Ransomware strain identified in Collins Aerospace cyberattack

Security researcher Kevin Beaumont on Sept. 23 posted on X that the “European airlines situation” was tied to the HardBit ransomware, which doesn’t have a portal and which Beaumont said is “incredibly basic.”

“They’ve had to restart recovery again as the devices keep getting reinfected,” said Beaumont. “I’ve never seen an incident like it. Somebody like the NCSC needs to go in and help them with IR.”

SC Media reported in July 2024 that the HardBit ransomware group first appeared in 2022 and does not have a public leak site. HardBit is best known for tying a ransom note to the victim’s insurance limits.

Disruptions continue at European airports

Flights are back to normal at Heathrow in the UK, though some check-in and boarding processes may be slower. Airports in Brussels and Amsterdam are still experiencing delays, though the delays in Amsterdam are largely due to the recent KLM ground staff strike.

Kirsten Maley, director of claims at Cowbell, said the Collins Aerospace incident underlines a wider pattern: operational outages increasingly originate at vendors that serve many customers simultaneously. For airports and airlines, Maley said that means critical passenger-processing functions can be impacted even if their own networks are uncompromised.

On the fairly quick arrest, Maley said the investigation is in its early days; however, the pattern is quite familiar: a ransomware hit on a widely used vendor caused outsized disruption.

“HardBit is notable because prior variants tried to peg ransom demands to a victim’s insurance limits,” said Maley. “One reason we train clients never to disclose coverage details. The takeaway is supply chain resilience: map critical vendors, test manual fallbacks, and build a no-pay, rapid-restore posture.”

John Carberry, solution sleuth at Xcape Inc., added that the incident puts a spotlight on a significant challenge for modern cybersecurity operations: the difficulty of thoroughly restoring systems after a breach, which underscores the need for strong incident response protocols to thwart ongoing threats.

“Although the malware may have been basic, it’s likely that the adversary planted the malicious code at an earlier time such that the backups were also infected,” said Carberry. “If this assumption is correct, then they either need to determine a point before the infection or completely rebuild from the ground up to ensure a clean environment.”
