UK arrests suspect for RTX ransomware attack causing airport disruptions

The UK’s National Crime Agency has arrested a suspect linked to a ransomware attack that is causing widespread disruptions across European airports.

The NCA stated that the arrest was made following an investigation into the cyberattack that impacted Collins Aerospace’s Multi-User System Environment (MUSE) passenger processing software.

“NCA officers, supported by the South East ROCU, arrested a man in his forties in West Sussex yesterday evening on suspicion of Computer Misuse Act offences,” the law enforcement agency said in a Wednesday press release.

“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” Paul Foster, head of the NCA’s National Cyber Crime Unit, added.

While the investigation is ongoing, the suspect has since been released on conditional bail, according to an NCA statement.

RTX Corporation (formerly Raytheon Technologies), the owner of Collins Aerospace, which employs over 186,000 people worldwide and reported revenues of over $80 billion last year, has confirmed that a MUSE ransomware attack is causing disruptions at European airports.

“This software enables multiple airlines to share check-in and gate resources at airports, including baggage handling. The MUSE airport systems operate outside of the RTX enterprise network, residing on customer-specific networks,” RTX said in a filing with the Securities and Exchange Commission (SEC) on Wednesday.

The ransomware attack was detected on Friday, September 19, when the first reports of flight delays emerged, and has caused a wave of flight cancellations and delays.

The list of airports experiencing technical difficulties includes Heathrow in London, Brussels Airport, Cork and Dublin airports in Ireland, Berlin Brandenburg Airport, and many others.

“Upon detecting the incident, the Company activated its incident response plan and promptly took steps to assess, contain, respond to and remediate the incident. The Company is diligently investigating the incident with the assistance of internal and external cybersecurity experts and has notified domestic and international law enforcement authorities and certain other government agencies,” RTX added.

“The Company is also communicating with its customers and other stakeholders and providing technical support and guidance to affected airlines and airports. Our customers have shifted to back-up or manual processes and have experienced certain flight delays and cancellations.”

While RTX didn’t share any other details regarding the incident, cybersecurity expert Kevin Beaumont says the attackers used an “incredibly basic” ransomware variant called Hardbit.

However, BleepingComputer has not been able to independently verify this and has received information from other sources indicating that Loki ransomware was deployed in the attack.

These ransomware variants are typically used in smaller attacks that do not have a widespread impact, making their use unusual in this situation. However, they are both Ransomware-as-a-Service programs, allowing any affiliate to use them.
