UK airport ransomware attack proves need for improved digital security
The ransomware attack that took flight information screens offline at the Bristol Airport in the U.K. two weeks ago demonstrates the ongoing threat that can disrupt businesses, transportation hubs and other facilities.
Beginning Friday morning, the flight information screens stopped displaying flight information and advised travelers that engineers were working to resolve the issue as soon as possible, according to CSO, a website for enterprise security decision-makers. Whiteboards posted arrival and departure information, and loudspeakers broadcast announcements. Extra staff was on hand to inform passengers about flights.
Around 4:30 a.m. Sunday, the airport tweeted a photo of digital screens that were back online in key locations.
Officials blamed a ransomware attack in which hackers demanded payment in exchange for restoring flight information. Airport spokesman James Gore did not say what ransomware variant the attackers used, but said that the attack targeted the airport's administrative systems, making it necessary to take the flight data offline. The airport did not pay the ransom.
Attack demonstrates ongoing vulnerability
"The attack demonstrates the vulnerability of unpatched or unmonitored but networked computers," A.N. Ananth, CEO of EventTracker, a Netsurion company that provides security information and event management solutions, told Kiosk Marketplace following the attack.
Photo caption: A.N. Ananth of EventTracker warns that machines in "kiosk" mode are subject to ransomware.
"A very large number of such machines have been deployed worldwide for fixed-function kiosk-type use. They are unattended and rarely updated, causing them to be vulnerable. We can't say the Bristol systems in question were unpatched — only they know — but we can more safely say they were unmonitored or not monitored enough," he said.
An effective defense for fixed-function systems is a central whitelisting approach, Ananth said. Once an endpoint is ready to enter operation, a "baseline" is established by taking a detailed snapshot of its files, folder and registry entries.
All processes that are part of this baseline are allowed to execute. When a process that is not part of this baseline attempts to run, the endpoint sensor detects it and either reports it (if in audit mode) or terminates it (if in block mode).
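To make the baseline-whitelisting model concrete, here is a short illustration (added to this article, not EventTracker's product code or anything Ananth described in detail) of how such an endpoint sensor can be reasoned about: a snapshot maps each approved executable to a hash of its contents, and a later process launch is allowed only if both path and hash match, while anything else is reported in audit mode or terminated in block mode. The file paths, file contents and launch events are constructed sample data.

```python
"""Minimal model of baseline whitelisting for a fixed-function endpoint.
Added illustration; not EventTracker's product code. Paths, contents and
launch events below are constructed sample data."""
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

AUDIT = "audit"   # detect and report, never interrupt the process
BLOCK = "block"   # detect and terminate the process


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Take the 'snapshot' once the endpoint is ready for operation:
    every approved executable's path mapped to the SHA-256 of its bytes."""
    return {path: sha256_hex(content) for path, content in files.items()}


def snapshot_directory(root: Path) -> Dict[str, str]:
    """The same snapshot built from a real directory tree; a deployment
    would seed the baseline this way (not used by the constructed demo)."""
    return {str(p): sha256_hex(p.read_bytes()) for p in root.rglob("*") if p.is_file()}


def evaluate_launch(baseline: Dict[str, str], path: str, content: bytes, mode: str) -> Tuple[str, str]:
    """Decide what the sensor does with one process-launch event.
    Returns (action, reason); action is 'allow', 'report' (audit) or 'terminate' (block)."""
    if mode not in (AUDIT, BLOCK):
        raise ValueError(f"unknown mode {mode!r}")
    expected = baseline.get(path)
    if expected is None:
        reason = "not in baseline"                  # path never approved
    elif expected != sha256_hex(content):
        reason = "hash differs from baseline"       # approved path, replaced or tampered binary
    else:
        return "allow", "matches baseline"
    return ("report" if mode == AUDIT else "terminate"), reason


# Constructed image of the endpoint at baseline time
APPROVED = {
    r"C:\Kiosk\fids_display.exe": b"flight-info-display-v1",
    r"C:\Windows\System32\svchost.exe": b"svchost-sample",
}
BASELINE = build_baseline(APPROVED)

# Constructed launch events observed later by the endpoint sensor
EVENTS = [
    (r"C:\Kiosk\fids_display.exe", b"flight-info-display-v1"),   # normal operation
    (r"C:\Users\Public\update.exe", b"dropped-binary"),           # never baselined
    (r"C:\Windows\System32\svchost.exe", b"replaced-contents"),   # known path, changed bytes
]


def run_sensor(mode: str) -> List[Tuple[str, str]]:
    """Evaluate every constructed event under the given mode."""
    return [evaluate_launch(BASELINE, path, content, mode) for path, content in EVENTS]


if __name__ == "__main__":
    for mode in (AUDIT, BLOCK):
        print(f"--- {mode} mode ---")
        for (path, _), (action, reason) in zip(EVENTS, run_sensor(mode)):
            print(f"{action:9} {path}  ({reason})")
```

The hash comparison is what makes the baseline more than a list of file names: a binary dropped at an approved path is still caught because its contents no longer match the snapshot. Running in audit mode first, as the article describes, lets an operator confirm the baseline is complete before switching to block mode, where a missed legitimate update would otherwise be terminated.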
"Traditional antivirus operates in blacklist mode which is to allow everything to run unless it's in the unsafe or blacklist," Ananth said. This approach involves regular patching or installing an endpoint security solution such as an antivirus agent which, in turn, needs updating.
"While this mode is suitable for enterprise desktops which change frequently and may have multiple functions, it's inherently expensive to maintain in fixed-function endpoints like kiosks," he said.
Whitelisting can take the place of antivirus and reduce the demand for constant patching, Ananth said. Whitelisting also requires fewer resources to maintain and update.
Ransomware attacks continue
Bristol Airport was not the first airport this year to suffer a ransomware attack. In March, the Hartsfield-Jackson Atlanta International Airport shut off its internal Wi-Fi network as a security precaution when the city's computers suffered outages on various internal and customer-facing applications. These included bill payment functions and court-related information, according to a public statement the city released.
The attacker demanded $6,800 per unit, or $51,000 to unlock the entire system, to be paid in bitcoin, according to a screenshot a city employee sent to 11Alive.
Atlanta Mayor Keisha Lance Bottoms said that anyone who had done business with the city was potentially at risk, and advised businesses and consumers to check their bank accounts. Fortunately, public safety, water and airport operations departments were not affected.
Other cities subjected to similar attacks recently include Englewood, Colorado; Leeds, Alabama; Farmington City, New Mexico; Spring Hill, Tennessee; and Allentown, Pennsylvania, Ananth said.
"We're seeing municipalities increasingly targeted by ransomware attacks," Ananth said. "The Atlanta incident just happens to be a larger target, but not unique in nature. What these municipalities need is effective monitoring of their network and endpoints along with the ability to lock down critical systems."
Ransomware variants arise
Meanwhile, a new ransomware variant called Petya has threatened poorly protected networked digital screens lately, Ananth said. Victims have included shipping, banking, energy, transportation and health care companies. A whitelisting approach can protect against this ransomware.
Rather than targeting a single organization, Petya takes a broad-brush approach, targeting any device it can find that its worm can exploit.
According to Kaspersky Labs, a cybersecurity consultancy, kiosks are easy to hack if users can exit "kiosk" mode and gain access to the main operating system. The process of exiting kiosk mode can be as easy as right-clicking to exit full screen or clicking on external links, the company wrote in a recent report.
Ransomware will likely become a bigger problem for businesses and organizations that fail to take necessary precautions.
Elliot Maras is the editor of KioskMarketplace.com and FoodTruckOperator.com.