A threat actor who attacked Saskatoon’s John Diefenbaker International Airport in December continues to post stolen data on its dark website in an apparent pressure tactic.
A cybersecurity industry source told ITWorldCanada on Friday that the Snatch gang has posted several more files today in what it calls a proof pack. The goal appears to be to embarrass the Saskatoon Airport Authority (SAA) for not paying a ransom.
It isn’t clear if the gang encrypted SAA data in addition to copying files.
Asked for comment, CJ Dushinski, the authority’s vice-president for business development and service quality, said in an email this relates to the December 7 attack. She referred ITWorldCanada to a statement made then that the IT system “was targeted through sophisticated, unauthorized, means, and a number of files may have been accessed.
“SAA has engaged a team of third-party cyber security experts to investigate the incident,” it said in the December statement. “Both Law enforcement and those potentially affected individuals have been notified. SAA can confirm that we have identified and eliminated the threat from our systems.
“This matter is of the utmost concern to SAA and is being treated as our highest priority,” the statement said. “We apologize for any inconvenience this unfortunate incident may have caused.”
Questions about how the attack started, if a ransom note was received, and if so how much was asked, were deflected. “Given this is an ongoing investigation we are unable to provide further comment at this time,” Dushinski said.
According to VMware’s threat analysis unit, the Snatch strain of malware was detected around the end of 2019. “Snatch ransomware will force Windows to reboot in Safe Mode (where most of the software and system drivers will not be running) in order to perform the file encryption process,” researchers said.
Similar to the other variants of ransomware, researchers said, it will also perform the deletion of volume shadow copies to ensure all the data cannot be restored easily. After it performs file encryption, it will drop a ransom note named “RESTORE_[five_character_random_string]_FILES.txt”
According to a statement on the Snatch website, “if company decides not to negotiate with Snatch then in any scenario every company affiliate will be notified and presented the proofs of data breach.”
It also says “Snatch never disrupt supply chains, work of any country, government, state and private companies by locking, encrypting or by any other means.”