The European Union Agency for Cybersecurity (ENISA) has confirmed that ransomware was used in the attack that disrupted airport systems across Europe, forcing airlines to fall back on manual check-in and boarding processes.
The attack, discovered on Friday night, targeted Collins Aerospace, a US software provider whose systems are widely used by airlines. Automatic check-in software was scrambled, affecting some of Europe’s busiest hubs, including London Heathrow, Berlin Brandenburg and Brussels Airport.
ENISA said the “type of ransomware has been identified” and that law enforcement is involved in the investigation. Criminal gangs are suspected of being behind the attack, which typically involves demands for bitcoin payments to restore compromised systems.
Internal crisis memos seen by the BBC showed that more than 1,000 computers may have been corrupted, with much of the recovery work requiring engineers to rebuild systems in person. Collins Aerospace initially relaunched its systems but later realised attackers were still inside the network, according to the documents.
At Heathrow, about half of the airlines were back online by Sunday, with British Airways running services via a back-up system. However, disruption continued in Brussels, where nearly 140 outbound flights were cancelled on Monday. Berlin also reported that some passengers were still being boarded manually.
Collins Aerospace has not provided a detailed explanation but said it was in the final stages of rolling out software updates to restore systems.
The UK’s National Cyber Security Centre said it was working with Collins Aerospace, affected airports, the Department for Transport and law enforcement to assess the impact.
Ransomware incidents have risen sharply in the aviation sector, with French aerospace firm Thales reporting a 600% increase in the past year. In April, UK retailer Marks & Spencer suffered a separate ransomware attack that cost at least £400m to resolve.