Was It Possible To Prevent the $5 Million Biman Ransomware Attack?


Biman Bangladesh Airlines, the national flag carrier of Bangladesh, was the victim of a cyber-attack that compromised its email server and disrupted its internal communication. The hackers have reportedly demanded $5 million in ransom for restoring Biman's access to its email server and threatened to publish sensitive information about passengers and employees online.

The cyber-attack occurred on March 17, 2023, when the hackers used a unique malware called "Zero Day Attack" to take over Biman's email server. The hackers sent a message that read "Hello" with a yellow, parallelogram-shaped logo. The next day, they demanded the ransom by Monday, March 27. The hackers sent another message on March 21, threatening to release 100 gigabytes of personal and confidential information if the ransom was not paid by the deadline.

Biman confirmed the ransomware attack on March 23 in a press release and said it had lodged a general diary with the police and taken necessary measures. A probe body has been formed to investigate the incident and the possible involvement of Biman employees who have recently been accused of corruption and irregularities.

State Minister for Civil Aviation and Tourism M Mahbub Ali has denied that Biman has suffered much damage from the cyber-attack or that any sensitive data or information has been leaked. He said he had spoken with the managing director of Biman and that steps would be taken to prevent such incidents in the future.

Biman Managing Director and CEO Shafiul Azim has also said that Biman's operations and activities have not been affected by the cyber-attack and that they did not have any information on a ransom demand.

However, sources from the Digital Security Agency and the Civil Aviation Ministry have furnished documents that suggest hackers are demanding $5 million in ransom and have threatened to publish flight, passport, and other information of passengers and Biman employees on an online blog if they did not receive the ransom by Monday. Some sources have also claimed that Biman may have already negotiated with the hackers.

Ransomware is a type of malware that either blocks the victim's access to its systems and data or threatens to disclose the victim's data, or both, unless a ransom is paid. It is not clear how the hackers were able to launch the attack or what security measures Biman had in place to protect its email server.

Because no salary records were accessible after the cyber-attack, Biman disbursed salaries to its employees based on the previous month's payroll receipt.

According to officials, flight operations have not been affected since the Biman authorities are in regular contact with their pilots by personal email and WhatsApp.

Even so, Biman's ticket sales for international flights fell almost 20% in March, a decline partly attributed to the server being down.

What Precautions Could Biman Have Taken Before the Cyber-Attack?

According to cyber security experts, some of the precautions that Biman Bangladesh could have taken before the cyber-attack are:

  • Never click on unverified links in spam emails or on strange websites, as they could initiate a malware download.

  • Scan emails for malware and use firewalls and endpoint protection to block malicious traffic.

  • Only download from trusted sites and avoid using unfamiliar USB devices that could contain malware.

  • Keep backups of important data and store them offline or on a separate network.

  • Use security software and update it regularly to detect and remove ransomware and other threats.

  • Implement a zero-trust approach and assume breach, which means verifying every request and limiting access to sensitive data and systems.

  • Educate employees and customers on how to recognize and report ransomware and other cyber-attacks.

  • Create an incident response plan and test it regularly to ensure a coordinated and efficient recovery from a ransomware attack.

How Could MeghOps Prevent This Type of Cyber-Attack?

MeghOps is a cloud security posture management (CSPM) product that helps organizations monitor and manage their cloud security posture across multiple cloud platforms. MeghEye is an attack surface management (ASM) module integrated with MeghOps that provides continuous visibility into, and assessment of, an organization's external attack surface.

MeghEye could have prevented the ransomware attack on Biman’s email server by:

  • Discovering and mapping all the exposed assets and services of Biman’s cloud infrastructure, such as email servers, web servers, databases, storage buckets, etc.

  • Identifying and prioritizing the vulnerabilities and misconfigurations of these assets and services, such as weak passwords, outdated software, open ports, etc.

  • Providing actionable recommendations and remediation steps to fix these issues and reduce the attack surface.

  • Alerting and notifying Biman’s security team about any changes or anomalies in the attack surface that could indicate a potential breach or compromise.