The hackers behind this breach are Maze ransomware operators, who also leaked some of the company’s data as proof of the hack.
The Texas-based aerospace services provider VT San Antonio Aerospace (VT SAA) has become a victim of a ransomware attack. The group behind the breach is claiming it stole 1.5 terabytes of sensitive organizational data from the company’s network.
It is worth noting that VT SAA is a subsidiary of Singapore-based engineering, defense, and technology firm ST Engineering, which specializes in marine, land, and aerospace electronics. The vice president and general manager of the firm, Ed Onwe, stated that,
“A sophisticated group of cybercriminals, known as the Maze group, gained unauthorized access to our network and deployed a ransomware attack.”
It is worth noting that just a couple of days ago the same group had leaked sensitive data it stole from a US nuclear contractor. As for the latest breach, VT SAA’s systems were attacked for the first time on March 7 and the second time in May.
The company discovered the data breach because of “renamed files and associated ‘DECRYPT-FILES.txt’ located in the same folder as encrypted files.”
For the next three days, the company remained busy investigating the scope of the security breach and recovering the lost data. The company was able to contain the infection and identified that it mainly targeted some of ST Engineering’s US commercial operations.
Although it is unclear exactly what data was stolen, the breach may include details of exclusive contracts the company has signed with different governments, organizations like NASA, and airlines including American Airlines.
Moreover, the leaked data may also include sensitive data such as project implementation plan details, timelines, schedules, type of parts/equipment, and financial records. Hackread.com has seen the sample data leaked by the group but did not access or analyze it.
Maze ransomware operators claim that before deploying the payload and encrypting the company’s servers, they stole 1.5 TB of unencrypted data to pressure VT SAA into paying the ransom.
When the attack was discovered, VT SAA immediately responded by taking certain systems offline, initiating an investigation with the help of leading forensic advisors, and notifying law enforcement authorities.
Maze ransomware can be embedded into phishing emails; as soon as it infects a machine, it starts the file encryption process, and the attackers demand a ransom. If their demands are not met, the group starts leaking data.