Willis Lease Finance Corporation has admitted to US regulators that it fell prey to a “cybersecurity incident” after data purportedly stolen from the biz was posted to the Black Basta ransomware group’s leak blog.
The form 8-K filed with the Securities and Exchange Commission (SEC) on February 9 revealed the NASDAQ-listed company became aware of a potential break-in on January 31, prompting swift efforts to remediate things.
“An investigation into the nature and scope of the incident was launched with the assistance of leading third-party cybersecurity experts and the company took steps to contain, assess, and remediate the activity, including taking certain systems offline,” the filing reads.
“The company has not identified any unauthorized activity after February 2, 2024 and, as of the date of this filing, believes it has fully contained the unauthorized activity.”
Corp using ‘workarounds’ while systems offline
The jet engine leasing company admitted that some internal processes have required workarounds to be developed so that it can continue to operate and service customers, without providing any specifics about what those workarounds entail.
Willis also said it’s still working to determine the scope of the breach and whether any data was stolen or otherwise compromised. Law enforcement was informed of the break-in.
As is often the case with early-stage ransomware disclosures, the company appears to be reluctant to mention “ransomware” or even “attack” in its wording.
There remains the possibility that ransomware isn’t involved at all, but the passport scans sprawled across Black Basta’s website suggest the investigation into whether data was stolen needn’t drag on for too long.
The ransomware group claims to have stolen 910 GB worth of company data relating to customers, staff, HR, non-disclosure agreements (NDAs), and more.
Black Basta posted a sample of documents online, including a screenshot of the file trees its affiliate claims to have accessed, as well as various HR documents that revealed the social security numbers of what appear to be company staff across various divisions and seniority levels.
Also included are scans of NDAs, details of what look like leasing agreements between Willis and various major airlines, as well as roughly 40 scans of identity documents – mainly passports.
Cross-referencing the names on those identity documents with internet and social media searches resulted in numerous matches to staff mainly in the US and UK, with a smattering of other countries included too.
El Reg contacted the company’s comms team but has not received a response.
Willis Lease Finance has been in operation for more than 45 years and claims to be one of the longest-standing independent sellers and lessors of jet engines to major airlines in the world.
Black Basta is one of the most dangerous ransomware operations in the cybercrime world and has claimed attacks on major organizations such as Capita and more recently the UK’s Southern Water.
The group is assumed to be one of the many offshoots formed by members of the now-shuttered Conti group that disbanded in 2022, and since then has netted more than $100 million from victims. ®