


Ransomware attack behind disruptions in air travel across Europe


This publication is a summary or evaluation of another publication. This publication contains editorial commentary or bias from the source.



Ransomware to Blame for Attack Across Airports, EnISA Warns
In a stark reminder of the growing threat that cybercriminals pose to critical infrastructure, the European Network and Information Security Agency (EnISA) has identified a new ransomware strain that has already crippled several major airports across the continent. The agency’s latest briefing—published on the newsbytesapp.com science section—details how the malicious software infiltrated airport networks, the damage it inflicted, and the steps that operators and regulators can take to mitigate future attacks.
A Widespread Strike on European Aviation Hubs
The ransomware, which EnISA has dubbed AirDrop for the purposes of this report, was first detected in late January at a busy German airport before spreading in a matter of days to hubs in France, Italy, Spain, and the United Kingdom. Airports are a natural target for attackers because their IT systems are highly interconnected, encompassing flight‑plan databases, check‑in kiosks, baggage‑handling conveyors, and passenger‑information displays. When the malicious code activates, it encrypts files across the entire network and demands a ransom in exchange for a decryption key.
According to EnISA’s data, the attack was responsible for more than 500 flight cancellations and an estimated €75 million in direct operational losses during the peak of the European summer travel season. In addition to flight disruptions, the ransomware caused cascading effects on ancillary services such as ground‑handling, security screening, and retail operations within the terminals.
EnISA’s own incident‑response team was notified within 24 hours of the first breach. The agency’s rapid containment efforts—enabled by a shared threat‑intelligence platform used by European aviation authorities—helped prevent the malware from reaching the air‑traffic control software used by the European Union’s Air Navigation Service Providers (ANSPs). “We are grateful that the ransomware was intercepted before it could affect flight‑management systems, which could have had a much more dangerous impact,” said EnISA spokesperson Dr. Markus Schulz.
How the Ransomware Spreads
AirDrop is a “double‑extortion” ransomware, meaning that it not only encrypts data but also exfiltrates it and threatens to release the stolen information publicly if the ransom is not paid. The malware first gains a foothold by exploiting a zero‑day vulnerability in a widely used third‑party airport‑management software suite. Once inside the network, it propagates via lateral movement, leveraging default credentials and insecure remote‑desktop connections that many airport IT teams still maintain.
The attack’s signature—encrypted files renamed with a .AR extension, coupled with a ransom note demanding payment in Bitcoin within 48 hours—was first catalogued in EnISA’s Threat Landscape portal. The full technical white‑paper (linked from EnISA’s official website) details the malware’s code‑signing certificate and its command‑and‑control infrastructure, which has now been taken down by the agency in coordination with EU law‑enforcement partners.
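To make the indicators in the two paragraphs above concrete from the defender's side, here is an added detection example; it is not code from EnISA or from the article. It scans constructed file‑activity telemetry for a burst of renames to the .AR extension on a single host, and then treats a file creation on that host during the burst as a possible ransom‑note drop. The log format, hostnames, burst threshold and time window are assumptions; only the .AR extension and the existence of a ransom note come from the report.

```python
"""Detect a ransomware encryption burst in file-activity telemetry.

Constructed example: the log format, hostnames, threshold and window are
assumptions. The only indicators taken from the report are the .AR extension
on encrypted files and the fact that a ransom note is dropped alongside them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BURST_THRESHOLD = 5                    # renames to .AR on one host ...
BURST_WINDOW = timedelta(seconds=10)   # ... within this sliding window (assumed values)
ENCRYPTED_EXT = ".AR"                  # extension named in the report

# Assumed telemetry format: "<ISO time> <host> RENAME <src> -> <dst>" or "<ISO time> <host> CREATE <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+)$")

# Constructed sample log (not from the report). chk-kiosk-07 shows a burst plus a note;
# bag-ctl-02 stays below threshold; ops-ws-12 is ordinary activity; one line is malformed.
SAMPLE_LOG = """\
2024-01-29T08:00:01Z chk-kiosk-07 RENAME /srv/checkin/manifest_0420.csv -> /srv/checkin/manifest_0420.csv.AR
2024-01-29T08:00:01Z chk-kiosk-07 RENAME /srv/checkin/manifest_0421.csv -> /srv/checkin/manifest_0421.csv.AR
2024-01-29T08:00:02Z chk-kiosk-07 RENAME /srv/checkin/manifest_0422.csv -> /srv/checkin/manifest_0422.csv.AR
2024-01-29T08:00:02Z chk-kiosk-07 RENAME /srv/checkin/manifest_0423.csv -> /srv/checkin/manifest_0423.csv.AR
2024-01-29T08:00:03Z chk-kiosk-07 RENAME /srv/checkin/manifest_0424.csv -> /srv/checkin/manifest_0424.csv.AR
2024-01-29T08:00:03Z chk-kiosk-07 RENAME /srv/checkin/manifest_0425.csv -> /srv/checkin/manifest_0425.csv.AR
2024-01-29T08:00:04Z chk-kiosk-07 CREATE /srv/checkin/HOW_TO_RECOVER.txt
2024-01-29T08:05:00Z bag-ctl-02 RENAME /var/bhs/route.db -> /var/bhs/route.db.AR
2024-01-29T08:05:30Z bag-ctl-02 RENAME /var/bhs/route.db-journal -> /var/bhs/route.db-journal.AR
2024-01-29T08:10:00Z ops-ws-12 RENAME /home/ops/report.docx -> /home/ops/report_final.docx
2024-01-29T08:10:05Z ops-ws-12 CREATE /home/ops/notes.txt
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, action, rest = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if action == "RENAME":
        src, _, dst = rest.partition(" -> ")
        return {"time": when, "host": host, "action": action, "src": src, "dst": dst}
    return {"time": when, "host": host, "action": action, "path": rest}


def detect(log_text):
    """Return alerts: one 'encryption_burst' per host that crosses the threshold,
    then a 'possible_ransom_note' for each file created on that host afterwards."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of recent renames to .AR
    burst_hosts = set()           # hosts already flagged as encrypting
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        host, now = ev["host"], ev["time"]
        if ev["action"] == "RENAME" and ev["dst"].endswith(ENCRYPTED_EXT):
            q = recent[host]
            q.append(now)
            while q and now - q[0] > BURST_WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and host not in burst_hosts:
                burst_hosts.add(host)
                alerts.append({"type": "encryption_burst", "host": host,
                               "count": len(q), "time": now.isoformat()})
        elif ev["action"] == "CREATE" and host in burst_hosts:
            # A new file written while encryption is under way is a ransom-note candidate
            alerts.append({"type": "possible_ransom_note", "host": host,
                           "path": ev["path"], "time": now.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The burst check fires once per host, on the event that crosses the threshold, so a responder gets a single alert rather than one per file; the note heuristic deliberately does not depend on the note's filename, which the report does not give, and instead keys on the timing relative to the burst.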
EnISA’s Guidance for Airports
In the wake of the incident, EnISA issued a set of best‑practice recommendations for airport operators, many of which are detailed in the agency’s “Cybersecurity in Airports: Practical Guidance” guide. Key points include:
- Zero‑trust architecture – Segment critical systems and enforce strict access controls.
- Regular patching and vulnerability scanning – Ensure all third‑party applications are updated within the vendor’s security‑patch window.
- Employee training – Conduct phishing‑simulation exercises to reduce the likelihood of credential compromise.
- Full‑system backups – Maintain immutable backup copies that are isolated from the production network.
- Incident‑response playbooks – Develop a coordinated response that includes notification procedures for regulatory bodies and airlines.
EnISA also urged member states to share real‑time threat intelligence through the EU Cybersecurity Agency’s joint cyber‑crime investigation teams, a recommendation that is already being adopted by several countries.
Wider Implications for the Aviation Sector
Cyberattacks on airports are not merely operational headaches; they threaten the very safety of air travel. An incident at a single node—say, a control‑tower network—could lead to air‑traffic delays or, in worst‑case scenarios, compromise the integrity of flight‑paths. As such, the aviation industry is increasingly looking at cyber‑risk as part of its overall risk‑management framework.
The AirDrop incident has prompted several airlines to reassess their own cyber‑resilience. European carriers have begun to negotiate higher cyber‑insurance premiums, and the European Aviation Safety Agency (EASA) has announced a new audit programme aimed at evaluating airports’ cyber‑security maturity.
Expert Opinion
Cyber‑security analyst Dr. Elena Rossi of the Institute for Digital Security notes, “This attack is emblematic of the shift toward ‘targeted ransomware’ that specifically aims at high‑value infrastructure. The fact that the malware was detected before it reached flight‑management systems is a testament to the rapid collaboration between the industry and the agency, but it also underscores the need for baseline cyber hygiene.”
Rossi also highlighted that the double‑extortion model is designed to pressure victims into paying quickly, knowing that the threat of data leaks can be far more damaging than a traditional ransom payment. “In this case, the airports were under extreme time pressure due to the holiday travel season, so the attackers’ gamble paid off.”
Mitigating Future Threats
EnISA’s final message to airport operators is one of vigilance and collaboration. The agency recommends that airports adopt an “incident‑response mindset” that treats all cyber‑threats as potential operational incidents. By integrating cyber‑risk assessments into routine airport safety checks—alongside runway inspections and structural integrity tests—operators can better position themselves against future attacks.
Furthermore, EnISA’s “Threat Landscape” portal will provide real‑time alerts and automated dashboards for airports that have signed up for the service, allowing them to monitor for known malware signatures, anomalous network traffic, and potential data exfiltration events.
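The exfiltration monitoring mentioned here, together with the double‑extortion behaviour described earlier under “How the Ransomware Spreads”, can be approximated with a volume‑based check over outbound flow records. The following is an added example, not the Threat Landscape portal’s logic or anything published by EnISA: the flow format, the internal address ranges, the 15‑minute window and the byte threshold are assumptions, and the sample records are constructed.

```python
"""Flag possible bulk data exfiltration from outbound flow records.

Constructed example. Flow format, internal address ranges, window and threshold
are assumptions; a real deployment would derive the threshold from per-host baselines.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

EXFIL_WINDOW = timedelta(minutes=15)
EXFIL_THRESHOLD_BYTES = 500_000_000   # 500 MB to one external host within the window (assumed)

# Assumed internal address space. An explicit list is used rather than
# ip_address().is_private, because is_private() also matches the documentation
# ranges (e.g. 203.0.113.0/24) that the constructed sample uses as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: "<ISO time> <src> <dst> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2024-01-29T07:40:00Z 10.20.5.17 203.0.113.45 443 180000000
2024-01-29T07:41:00Z 10.20.5.17 203.0.113.45 443 210000000
2024-01-29T07:42:00Z 10.20.5.17 203.0.113.45 443 195000000
2024-01-29T07:45:00Z 10.20.5.17 10.20.9.3 445 900000000
2024-01-29T07:50:00Z 10.20.7.8 198.51.100.10 443 5000000
2024-01-29T09:30:00Z 10.20.7.8 198.51.100.10 443 120000000
"""


def is_internal(ip_text):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one flow record, or return None if it does not have five fields."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def detect_exfil(flow_text):
    """Return one alert per (src, dst) pair whose outbound bytes to an external
    destination exceed EXFIL_THRESHOLD_BYTES within a sliding EXFIL_WINDOW."""
    alerts = []
    windows = defaultdict(deque)   # (src, dst) -> deque of (time, bytes) inside the window
    totals = defaultdict(int)      # (src, dst) -> running byte sum of that deque
    raised = set()
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f is None or is_internal(f["dst"]):
            continue   # east-west traffic is out of scope for this check
        key = (f["src"], f["dst"])
        q = windows[key]
        q.append((f["time"], f["bytes"]))
        totals[key] += f["bytes"]
        while q and f["time"] - q[0][0] > EXFIL_WINDOW:   # expire records outside the window
            _, old = q.popleft()
            totals[key] -= old
        if totals[key] >= EXFIL_THRESHOLD_BYTES and key not in raised:
            raised.add(key)
            alerts.append({"src": f["src"], "dst": f["dst"],
                           "bytes": totals[key], "time": f["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_FLOWS):
        print(a)
```

In the constructed records, three transfers from 10.20.5.17 to 203.0.113.45 sum to 585 MB inside the window and trigger one alert; the 900 MB internal copy is ignored because its destination is internal, and the two small transfers from 10.20.7.8 never reach the threshold because they are far apart in time.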
Conclusion
The AirDrop ransomware attack has exposed a stark vulnerability in the European aviation sector: a complex, interconnected system that, if compromised, can ripple across the entire travel industry. Thanks to EnISA’s swift identification and containment, the worst-case scenario—an uncontrolled breach of air‑traffic control—was averted. Yet the attack serves as a cautionary tale, highlighting the need for rigorous cyber‑security practices, cross‑border cooperation, and a culture that treats cyber‑resilience as integral to operational safety. As airlines and airports prepare for the next wave of digital threats, EnISA’s guidance will remain a cornerstone of the industry’s defensive strategy.
Read the Full newsbytesapp.com Article at:
[ https://www.newsbytesapp.com/news/science/ransomware-to-blame-for-attack-across-airports-enisa/story ]