Everest Ransomware Claims Responsibility for European Airport Chaos
The Everest ransomware group has claimed responsibility for the attack on Collins Aerospace, which caused widespread disruption of passenger check-in systems across major European airports in September. The attackers allege they gained access to 50 gigabytes of data and issued a ransom ultimatum, though no evidence of data leakage has yet been presented.
Collins Aerospace, a subsidiary of Raytheon Technologies (RTX), has been added to Everest’s victim list on the group’s darknet portal. The post consists of five sections with titles such as “MUSE-INSECURE: Inside the Security Failure of Collins Aerospace” and “FTP Access List.” The final segment, titled “News for CEO,” is addressed to the company’s leadership—presumably Collins Aerospace President Stephen Timm or RTX CEO Christopher Calio. Observers report that the attackers provided a password granting access to a private message. A countdown timer, launched on October 14, initially gave the company 24 hours before data exposure; however, by October 18, Everest extended the deadline by another eight days, suggesting that negotiations between the parties may be underway.
The incident itself occurred on September 19, when Collins Aerospace experienced a failure in its Arinc cMUSE software, used by dozens of airports worldwide for passenger check-in and boarding. The disruption was first reported at Heathrow Airport, followed shortly by Brussels, Berlin, Dublin, and Cork. Self-service check-in kiosks became inoperable, forcing staff to switch to manual processing. The European Union Agency for Cybersecurity (ENISA) later confirmed that the outage had been caused by ransomware. At Heathrow alone, approximately 1,000 computers were “damaged” and required manual recovery.
The incident once again underscored the vulnerability of aviation infrastructure to ransomware attacks. According to RTX, the disruption was confined to check-in and baggage handling zones, but its impact lasted several days, affecting thousands of flights and hundreds of thousands of passengers. Everest claims to have stolen over 50 gigabytes of corporate data, yet—unlike other ransomware groups—it has not released any samples, making independent verification of its claims difficult.
In recent years, the aerospace and defense sectors have repeatedly become targets of cyberattacks. In August, the Play group struck Jamco Aerospace, a U.S. Navy supplier; in January, INC Ransom claimed responsibility for breaching Stark Aerospace; and at the end of 2023, LockBit disrupted operations at Boeing. Beyond defense contractors, ransomware groups have also targeted airlines, including Germany’s FAI Aviation Group, Canada’s WestJet, Hawaiian Airlines, Alaska Airlines, and Australia’s Qantas.
Active since 2021, the Everest group is known for a string of high-profile attacks on AT&T, BMW, Allegis Group, Mailchimp, Crumbl, and Radisson. According to Ransomlooker, the group has disclosed information on 248 victims since 2023—over a hundred of them in the past year alone. Everest is also believed to have ties to another notorious cybercrime network, BlackByte.