The Albany International Airport in New York state was hit by a Sodinokibi (REvil) ransomware attack, and the airport authority chose to pay a ransom to the criminals to get its encrypted systems back.
The Sodinokibi attack on Christmas Day encrypted a number of systems, including the backups and Excel documents holding budget data. Fortunately for the airport and its customers, no private data such as credit card information was affected.
Five days after the attack, the authority chose to pay the ransom, which was reportedly under “six figures.” The files were decrypted and the affected systems restored; airport officials said day-to-day operations had not been affected at any point.
The point of entry for the Sodinokibi ransomware was the maintenance servers of Logical Net, the airport’s managed service provider. The airport has since severed ties with Logical Net, but the company said that responsibility for everything that happened after the initial infection also lay with the airport. According to a GovInfoSecurity report, the backup systems failed to protect the data: backups that are reachable from the same network as the compromised systems get encrypted along with everything else, which is exactly what happened here.
Paying the ransom is usually the last resort for companies and the public sector. Nowadays, organizations have cyber insurance and backups, so encryption on its own no longer gives attackers the same leverage it once did.
This is one reason we’re witnessing an evolution in tactics among some ransomware operators, especially the ones using Sodinokibi and Maze. During an intrusion, the attackers exfiltrate data before encrypting it, then use that data as a second lever: threatening to publish it unless the ransom is paid, or selling it on the black market. The airport officials in Albany didn’t say whether that was the case, but they wouldn’t be the first victims if so.
Lastly, it’s worth pointing out that Sodinokibi is operated as ransomware-as-a-service, which means different criminal groups (affiliates) deploy the same malware. The payload is the same, but the people behind a given attack, and the entry vectors they use, can differ.