Posted on December 5, 2020 at 4:04 PM
Helicopter manufacturer Kopter has become the latest victim of a ransomware attack, according to a recent report. Threat actors launched an attack on the company’s internal systems and encrypted files on the server. Some details of the compromised files were seen on the LockBit gang’s site, which is hosted on the dark web.
Shortly after the incident, the threat actors responsible contacted Kopter and demanded a ransom to prevent the company’s data from being exposed online.
However, Kopter refused to cooperate with them, which led the hackers to publish several business documents online.
Many ransomware gangs are known for posting victim information on leak sites, a method they use to pressure victims into meeting their ransom demands. They typically publish this information to bring victims to the negotiating table.
The details of the Kopter hack were published on a dark web site operated by the LockBit ransomware group. Documents shared on the site relate to internal projects, business files, the defense industry, and various aerospace standards. Because of the nature of the files shared on the site, some believe the hackers could have links with state governments.
The LockBit ransomware group said they breached the helicopter manufacturer’s network by exploiting a VPN appliance that used weak passwords and did not have two-factor authentication (2FA) enabled.
The LockBit group also said they run a dark web portal where they present their ransom demands whenever they hack a business.
Kopter did not respond to the ransom request
According to the LockBit operators, someone from Kopter was invited to the ransom webpage, but the firm declined to engage when the hackers opened a conversation channel for them.
As of the time of writing, Kopter has not disclosed the hacking incident publicly or notified all affected customers.
Telephone calls to the company yesterday also went unanswered.
Kopter was founded in 2017 and is based in Switzerland. The manufacturer is widely known for its range of small and medium-class civilian helicopters.
Kopter was recently acquired by the maker of Agusta, Rome-based Leonardo Finmeccanica.
A porous security system
For the past few months, Kopter has been undergoing several organizational changes, and it appointed a new chief executive officer three weeks ago. As a result of the changes, the company was too preoccupied to be fully prepared for a ransomware attack on its systems.
The hackers took advantage of these changes to strike, using sophisticated tools that were difficult to spot and defend against.
LockBit revealed that it exploited Kopter’s VPN solution to break into the company’s system. The cracked password was fairly weak, and there was no two-factor authentication on any of the accounts.
As a result, the attackers did not need to bypass it. Although the hackers used a sophisticated approach, Kopter’s lax security at the time gave them more room to operate successfully, as researchers have observed.
Launching a data leak site
Ever since the LockBit ransomware gang resurfaced, they have been very busy. In September, they launched a new data leak website, which will be used as part of their double extortion strategy to pressure victims into paying the ransom.
Since the end of last year, ransomware groups have been using the double extortion strategy of stealing files before they encrypt them on a network.
Cybersecurity company KELA shared a link to the new data leak site of the LockBit ransomware gang.
The site has also been loaded with some files from their recent victims, which include a shipping company and an auto parts manufacturing company.
This is not the first time LockBit has launched a leak site. Their initial leak site was shut down before they joined the Maze Cartel, whose site they then began using to publish leaked data.
However, it seems the ransomware gang may be breaking away from the Maze Cartel to establish their own independent site.
Ransomware attacks have become one of the most dangerous types of cyber attack in recent times. That’s because a ransomware group can demand a ransom after stealing data, and there’s no guarantee they will keep their promise even after the ransom is paid.