The BianLian ransomware gang says Air Canada hasn’t been forthright about the amount of data it stole in last month’s cyber attack.
Last month the airline said an attacker “briefly obtained limited access to an internal Air Canada system related to limited personal information of some employees and certain records.” The statement didn’t say how much data was copied.
But this week, in an attempt to pressure the airline, the gang said on its data leak site the company “is only telling half-truths. Employee personal data is only a small fraction of the valuable data over which they have lost control. For example, we have SQL databases with company technical and security issues.”
The gang alleges it has Air Canada technical and operational data from 2008 through 2023, information on the company’s technical and security issues, SQL backups, and unspecified confidential documents as well as employee personal data.
As proof it posted a screenshot of alleged stolen file names, and samples are available for viewing.
Brett Callow, a British Columbia-based threat analyst for Emsisoft who re-posted the gang’s message on X, doesn’t know if the listed data is really from Air Canada.
UPDATE: Asked for comment, Air Canada issued this statement late Wednesday afternoon: “BianLian had threatened to resort to exploiting the media in their unsuccessful extortion efforts. For this reason, we cannot comment on any claims made by an anonymous group based on cybercrime and we will not add anything to what we have said publicly. We trust that media will consider this and report on issues such as this responsibly.”
The gang also is trying to put itself in a good light, saying it didn’t install ransomware, only stole data. “Realizing the potential damage we did not cause any damage to [Air Canada’s] infrastructure or internal resources, data exfiltration operation only,” the message says.
Like many other ransomware gangs, BianLian has a double extortion strategy, copying data and threatening to sell or give it away as well as encrypting as many servers as it can. Organizations are then squeezed to pay up to get the stolen data back as well as to get decryption keys.
However, Callow said, since late last year it has stopped encrypting victims’ data and is focusing on information theft. Or, he added, it may still be doing ransomware attacks but under a different name.
There may be several reasons for the shift in strategy, he said: The gang may believe overseeing encryption code and managing decryption keys “is not necessary to make a profit.” It may also hope that merely stealing data makes the gang less of a target for law enforcement, which gets active in high-profile attacks. And BianLian may hope that organizations have “less of a moral objection” to paying what is perceived as strictly a criminal group as opposed to a ransomware gang.
However, Callow agreed, paying a criminal group a ransom still encourages cyber attacks.