If you’re in San Antonio (like we are), you likely recognize the reddish-orange buildings of VT San Antonio Aerospace (VT SAA) at the airport. Globally, they’re known for aircraft maintenance, repair, overhaul, and modification for airlines like United and American Airlines, among others. Now, we also know VT SAA as another victim of the Maze Ransomware group. This same group hit multiple targets including the city of Pensacola and two major IT service firms, Cognizant and Conduent.
VT San Antonio’s Statement
On June 5, VT San Antonio Aerospace posted a statement regarding the incident on their website. Ed Onwe, Vice President and General Manager, stated, “Upon discovering the incident, the Company took immediate action, including disconnecting certain systems from the network, retaining leading third-party forensic advisors to help investigate, and notifying appropriate law enforcement authorities.”
What Maze Did
After breaching the VT SAA network, the Maze group stole 1.5 TB of unencrypted files. The group posted information about the attack on their data leak site. As proof, a mere 50 MB (about 100 documents) was leaked on this site. These documents consisted of financial information, various contracts, proposals, and even expired NDAs.
The Maze group then deployed ransomware and began encrypting servers at VT San Antonio. This procedure follows the typical modus operandi for all of their attacks so far. They steal data, encrypt systems, and then use the stolen data as leverage for a ransom payment.
Details of the Attack
The Maze group included the IT Manager’s memo on the attack and how it occurred. The initial breach stemmed from a compromised administrator account. This account was used to connect to one of VT SAA’s servers via Remote Desktop. From there, the attackers compromised the default domain administrator account. This granted access to domain controllers, intranet servers, and file servers for two different domains.
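A defensive check for the logon pattern described above, as an added example (not from VT SAA, the memo, or the original post): it scans Windows Security 4624 (successful logon) records for Remote Desktop sessions by administrator accounts that start outside a management subnet, and for any logon by the built-in Administrator account (RID 500). The account names, subnet, domain SID, and sample events are constructed assumptions.

```python
import ipaddress

# Assumptions for this example: admin account names and the only subnet
# from which administrators are expected to open RDP sessions.
PRIVILEGED = {"jdoe-adm", "svc-backup-adm"}
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")
RDP_LOGON = 10  # LogonType 10 = RemoteInteractive (Remote Desktop)
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

def review_logons(events):
    """Return (reason, event) pairs for successful logons worth triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:  # 4624 = successful logon
            continue
        sid = ev.get("TargetUserSid", "")
        try:
            src = ipaddress.ip_address(ev.get("IpAddress", ""))
        except ValueError:
            src = None  # "-" or empty when no network source is recorded
        # The built-in Administrator keeps RID 500 even if it is renamed.
        if sid.startswith("S-1-5-21-") and sid.endswith("-500"):
            findings.append(("builtin-administrator-logon", ev))
        elif (ev.get("LogonType") == RDP_LOGON
              and ev.get("TargetUserName", "").lower() in PRIVILEGED
              and (src is None or src not in MGMT_NET)):
            findings.append(("admin-rdp-outside-mgmt-net", ev))
    return findings

def _ev(eid, user, rid, ltype, ip, host):
    return {"EventID": eid, "TargetUserName": user, "TargetUserSid": f"{DOM}-{rid}",
            "LogonType": ltype, "IpAddress": ip, "Computer": host}

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _ev(4624, "jdoe-adm", 1105, 10, "203.0.113.7", "SRV-APP01"),    # flagged
    _ev(4624, "Administrator", 500, 3, "10.20.1.15", "DC01"),       # flagged
    _ev(4624, "jdoe-adm", 1105, 10, "10.10.50.12", "SRV-APP01"),    # expected path
    _ev(4624, "asmith", 1130, 10, "203.0.113.9", "WS-042"),         # not an admin
    _ev(4625, "jdoe-adm", 1105, 10, "203.0.113.7", "SRV-APP01"),    # failed logon
]

if __name__ == "__main__":
    for reason, ev in review_logons(SAMPLE_EVENTS):
        print(reason, ev["TargetUserName"], ev["IpAddress"], ev["Computer"])
```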
Due to the size of the breach and the nature of the leaked files, VT San Antonio will have to disclose the incident to all affected parties. This could include both employees and clients.
Are You Prepared for Ransomware?
This particular attack hits close to home for us. Generally, cyber attacks in San Antonio don’t make the news. For every attack that makes the news, many, many more go unreported. Even for small businesses, it’s a matter of when your organization is attacked… not if.
Do you need help creating a ransomware recovery plan? Pit Crew IT Services can assist with that process. We help organizations of all sizes. Simply request a consultation below and protect your organization for the future.