Boeing confirmed that the LockBit ransomware gang attack in October 2023, which impacted certain parts and distribution operations of the company, carried a staggering $200 million cyber extortion demand from the cybercriminals, to not publish leaked data. Boeing on Wednesday acknowledged that it is the unnamed “multinational aeronautical and defense corporation headquartered in Virginia,” which is referenced in an unsealed indictment from the U.S. Department of Justice that unmasked the LockBitSupp administrator. Boeing did not provide an immediate response to The Cyber Express' inquiry seeking confirmation of this news, which was initially reported by Cyberscoop. The indictment in question singled out Dmitry Yuryevich Khoroshev as the principal administrator and developer behind the LockBit ransomware operation, as part of a coordinated international effort that included sanctions from the U.S., the U.K., and Australia. Boeing has not provided confirmation on the negotiations and if the company paid any ransom in exchange of the massive $200 million cyber extortion demand.

Boeing Cyber Extortion Saga

LockBit first listed Boeing as its victim on October 27 and set a ransom payment deadline for November 2. Boeing had chosen not to provide any comments or statements regarding the incident, at that time, leaving the LockBit claims unverified. Three days later LockBit took down Boeing’s name from the victims’ list fueling further speculations that it was a hoax or the company likely paid ransom. Following this incident, Boeing eventually confirmed falling victim to LockBit’s cyberattack. But as ransom negotiations reportedly failed, LockBit re-listed Boeing on its leak site and threatened to publish 4 gigabytes of sample data as proof of the Boeing data breach. The post also warned that, “All available data will be published!” in coming days. Following on the threat, LockBit published more than 40GB of data on November 10, as the company likely did not agree to pay the ransom demand. Boeing is yet to address the stolen data publicly.

Ransom Demands Getting Exorbitant

The indictment's reference to the unnamed company highlights the exorbitant ransom demands made by Khoroshev and his cohorts, totaling over $500 million in ransoms extorted from victims since late 2019. Of this, he got nearly $100 million from a 20% share on the ransom payments, which was further “used to continue funding the LockBit operation and its infrastructure.” Ransomware analysts are now calling the Boeing cyber extortion as one of the largest ransom demands from a ransomware gang till date. Researchers suspects LockBit likely made an inflated demand, without realistic expectations of receiving the full amount, merely to test the waters. Between September 2019 and February 2024, Khoroshev grew LockBit into a massive global criminal operation in which along with his affiliates he attacked approximately 2,500 victims, which included nearly 1,800 in the U.S. alone, the indictment said. Apart from Boeing LockBit’s victim list also contains law enforcement agencies, security firms, municipalities, schools, financial institutions and even multinational fast-food chains.

Who is LockBit Ransomware Gang?

The LockBit ransomware gang emerged in 2019, primarily targeting thousands of global companies, with a focus on those headquartered in the United States. Linked to Russian entities, LockBit has amassed tens of millions of dollars in ransom payments since its inception. According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit has executed over 1700 attacks in the United States, often by compromising and threatening to release sensitive data for financial gain. The recent Boeing data breach highlights the persistent threat posed by cyberattacks to major corporations. LockBit's aggressive tactics and specific targeting of Boeing, a key player in aerospace and defense, highlight the urgent need for robust cybersecurity measures. The ransomware group's imposed deadline heightens the urgency, highlighting the severe consequences of data breaches and the critical importance of safeguarding sensitive information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Over a million Australians who frequented pubs and clubs have likely had their critical information exposed in Outabox data breach, a third-party content management and data storage provider for the hospitality and gaming sectors in the New South Wales and the Australian Capital Territory. According to the Outabox official website, the company founded in 2017 provides several services to clients in the gaming and entertainment industry across Australia, Asia and the US. Outabox confirmed the breach and said it likely took place “from a sign in system used by our clients.” It did not respond to any further requests for details on what type of data was likely impacted. The company has a facial recognition kiosk called TriAgem, which is deployed at entry points of clubs to scan patrons’ temperatures (used in post-covid days) and verify their membership on entry. Outabox did not confirm if this data was also impacted in the data breach incident.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to,” Outabox said.

Australia’s National Cyber Security Coordinator said the government is coordinating a response in the Outabox data breach incident with local authorities in the NSW and ACT. “I know this will be distressing for those who have been impacted and we are working as quickly as we can, alongside Outabox, to ascertain the full scale of the breach,” said Lieutenant General Michelle McGuinness, who recently took over the role of the National Cyber Security Coordinator. The NSW government acknowledged that it was aware of the incident and was “concerned” of the potential impact on individuals. “We encourage clubs and hospitality venues to notify patrons whose information is affected,” it said.

NSW’s West Tradies Sends Breach Notifications

One such club, West Tradies, has issued a breach notification to its customers saying its external IT provider was “a target of a cyber extortion campaign.” It added that, “At this stage, we do not know if all patrons, or only some patrons, have been affected.”

“On the evening of 29 April 2024, we were formally notified by the external IT provider that it has been the target of a “cyber extortion campaign” and that an overseas third party is threatening to release personal information unless their demands are complied with,” West Tradies Club said.

All registered clubs in New South Wales are required to keep certain information about members and guests under the Registered Clubs Act. Clubs are also required to keep certain information to comply with their responsible gambling and Anti-Money Laundering and Counter-Terrorism Financing obligations. To comply with these norms, West Tradies, used an external IT provider that would assist in keeping these records and operate its systems, it clarified.

More than 1 million Impacted in Outabox Data Breach?

A website that claims to allow people to search their names in the leaked database appeared on the open internet recently. The domain haveibeenoutaboxed[.]com, appears to be similar to a service provided by another Australian data leak search provider but it does not claim any links to it. The information posted on this website claims that facial recognition biometric, driver license scans, signature, club membership data, address, birthday, phone number, club visit timestamps, and slot machine usage is included in this data set. There are allegedly 1,050,169 records in the leaked data set and a simple name search shows redacted details of the patrons of different clubs. Majority of personally identifiable information has been removed at this stage.

Unpaid Overseas Developers the Cyber Extortionists?

The data leak search website is allegedly controlled by an offshore development team in the Philippines. Outabox hired offshore developers from the Philippines to create software systems that are installed at casinos and nightclubs across several countries. However, after a year and a half of work, the developers were abruptly cut off and left unpaid by Outabox, the owner of the leak site claimed. “While this outsourcing strategy is common in the industry, what followed was far from standard practice. The developers were granted unrestricted access to the back-end systems of gaming venues, including access to raw data,“ the leak site stated. Douglas Kirkham, the chief executive officer of West Tradies said “the Club was unaware that any data held by the Club had been disclosed to any third parties or that it had been disclosed overseas. If the allegations are true, those actions were taken without the Club’s knowledge or consent.”

“The Club did not authorise, permit, or know that the external IT provider had provided any information obtained from the Club to third parties.”

The Office of the Australian Information Commissioner has advised it has been notified by some impacted entities and is expecting to receive further notifications. Nearly 20 clubs have been listed on the leak site. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.