Tuesday, May 17, 2022

Gang still posting data allegedly stolen from Saskatoon airport authority

A threat actor who attacked Saskatoon’s John Diefenbaker International Airport in December continues to post stolen data on its dark website in an apparent pressure tactic.

A cybersecurity industry source told ITWorldCanada on Friday that the Snatch gang has posted several more files today in what it calls a proof pack. The goal appears to be to embarrass the Saskatoon Airport Authority (SAA) for not paying a ransom.

It isn’t clear if the gang encrypted SAA data in addition to copying files.

Asked for comment, CJ Dushinski, the authority’s vice-president for business development and service quality, said in an email this relates to the December 7 attack. She referred ITWorldCanada to a statement made then that the IT system “was targeted through sophisticated, unauthorized, means, and a number of files may have been accessed. 

“SAA has engaged a team of third-party cyber security experts to investigate the incident,” it said in the December statement. “Both Law enforcement and those potentially affected individuals have been notified. SAA can confirm that we have identified and eliminated the threat from our systems.

“This matter is of the utmost concern to SAA and is being treated as our highest priority,” the statement said. “We apologize for any inconvenience this unfortunate incident may have caused.”

Questions about how the attack started, if a ransom note was received, and if so how much was asked, were deflected. “Given this is an ongoing investigation we are unable to provide further comment at this time,” Dushinski said.

According to VMware’s threat analysis unit, the Snatch strain of malware was detected around the end of 2019. “Snatch ransomware will force Windows to reboot in Safe Mode (where most of the software and system drivers will not be running) in order to perform the file encryption process,” researchers said.

Similar to other ransomware variants, researchers said, it also deletes volume shadow copies so the data cannot be restored easily. After it performs file encryption, it drops a ransom note named “RESTORE_[five_character_random_string]_FILES.txt”.
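The three behaviours the researchers describe (a reboot into Safe Mode, deletion of volume shadow copies, and a ransom note with a fixed naming pattern) are each visible in ordinary endpoint telemetry. The following detection routine is an added example written for this article; it is not code from ITWorldCanada, VMware or the Saskatoon investigation. The `bcdedit` and `vssadmin` command lines are assumptions about how those behaviours commonly appear in process-creation logs, the sample events are constructed, and the alphanumeric character class used for the five-character part of the note name is also an assumption.

```python
import re
from typing import Optional

# Rule for a Safe Mode boot being configured (assumed form: bcdedit ... safeboot ...).
SAFE_MODE_RE = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
# Rule for shadow-copy deletion (assumed form: vssadmin ... delete ... shadows ...).
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Ransom note name from the article: RESTORE_<five random characters>_FILES.txt.
# Restricting the five characters to alphanumerics is an assumption.
RANSOM_NOTE_RE = re.compile(r"^RESTORE_[A-Za-z0-9]{5}_FILES\.txt$", re.IGNORECASE)

# Constructed telemetry events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "file", "path": r"C:\Users\alice\Documents\RESTORE_AB12Z_FILES.txt"},
    {"type": "process", "cmdline": "vssadmin list shadows"},      # benign admin lookup
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},  # ordinary file
]


def classify_event(event: dict) -> Optional[str]:
    """Return a detection tag for one telemetry event, or None if nothing matched."""
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if SAFE_MODE_RE.search(cmd):
            return "safe_mode_boot_config"
        if SHADOW_DELETE_RE.search(cmd):
            return "shadow_copy_deletion"
    elif event.get("type") == "file":
        # Normalise Windows separators and keep only the file name.
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if RANSOM_NOTE_RE.match(name):
            return "ransom_note_dropped"
    return None


def scan(events: list) -> list:
    """Return (index, tag) pairs for every event that triggered a rule."""
    return [(i, tag) for i, e in enumerate(events) if (tag := classify_event(e))]


def stages_seen(events: list) -> set:
    """Distinct stages of the described behaviour observed in the event stream.
    Seeing more than one stage on the same host is a much stronger signal than
    any single rule, since shadow-copy listing or boot configuration changes
    can also be legitimate administration."""
    return {tag for _, tag in scan(events)}


if __name__ == "__main__":
    for index, tag in scan(SAMPLE_EVENTS):
        print(f"event {index}: {tag}")
    print("stages observed:", sorted(stages_seen(SAMPLE_EVENTS)))
```

Each rule alone will produce some false positives on administrative activity, which is why `stages_seen` is the value worth alerting on: a host that configures a Safe Mode boot, deletes shadow copies and then writes a file matching the note pattern has exhibited the whole sequence the researchers describe.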

According to a statement on the Snatch website, “if company decides not to negotiate with Snatch then in any scenario every company affiliate will be notified and presented the proofs of data breach.”

It also says “Snatch never disrupt supply chains, work of any country, government, state and private companies by locking, encrypting or by any other means.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
