
The Aeropuerto del Centro Norte Group (OMA), which is responsible for the management of 13 airports in Mexico, including major airports such as Monterrey, Acapulco, Mazatlán, and others, has been the victim of a massive cyberattack. Although OMA initially stated that the incident did not severely affect its operations, the situation became more complicated when the attackers made a direct threat.
According to published information, the group of cybercriminals, called RansomHub, managed to access all of OMA's information technology infrastructure, encrypting crucial data and extracting a significant amount of sensitive information that includes financial reports, sales documents, accounting, and shareholder information. Additionally, they compromised personal data of employees, investors, and customers, such as addresses, contacts, passport scans, and confidential internal correspondence, including passwords, access credentials, and SQL databases essential for the company's operations.
RansomHub demanded that OMA pay a ransom before November 2, 2024. If this demand was not met, the group threatened to make all the stolen data public, initially contacting OMA's competitors and investors, starting with the financial firm BlackRock. Although the attackers have shown some data as proof, most of the information has not yet been disclosed, which maintains pressure on OMA. The undisclosed material includes financial data, business evaluations, confidential agreements, communications with third parties, and details about OMA's previous collaboration with recognized cybersecurity companies.
Concerns are heightened by RansomHub's accusations that OMA employees collaborated with criminal cartels, something that could severely affect the company's image and reputation. Cybersecurity specialists, such as Víctor Ruiz, have pointed out the importance of OMA implementing mitigation measures to prevent the exposure of its confidential information and have warned about the seriousness of the incident. The situation is further complicated by RansomHub's history: the group has attacked numerous organizations worldwide and claims massive data intimidation.
RansomHub operates on a Ransomware-as-a-Service model, with affiliates who receive a percentage of the ransom payments and must comply with the group's rules. These states are key to the group's expansion and growth in the ransomware world. It is essential for OMA to seek advice from crisis management specialists, because even if it considers paying the ransom, the threat of disclosing sensitive information remains.