Boeing back on LockBit ransom list after confirming cyber incident

In yet another twist to the alleged Boeing ransomware attack, the global aerospace technology and defense contractor was put back on LockBit's victim leak site Thursday – and then taken off again barely an hour later.

The Russian-linked ransomware group claimed The Boeing Company on Friday, October 27th, as its latest victim, posting the company on its dark leak site that day with a November 2nd deadline to contact LockBit or it would publish a "tremendous" amount of stolen data.

By Tuesday, October 31st, any reference to the Boeing ransom attack claim and the given deadline mysteriously vanished off LockBit’s site.

Then today, Thursday, November 2nd, at 12 noon ET, Boeing and its logo were back up on LockBit’s page along with an alleged sample of 4GB of the company's data but only briefly.

The LockBit posting, first reported on X by cyber intelligence researchers, showed a snapshot of the ransomware gang's dark web blog, claiming that it would “publish 500GB of the organization's data in the coming days.”

LockBit’s countdown clock to publish was at 27 minutes and 21 seconds at the time of the post.

Mysteriously, an hour later Boeing again disappeared from LockBit’s page, leading us to believe that negotiations, which may have possibly stalled, were back on between the two entities.

In an unprecedented move, LockBit originally gave Boeing only six days to make contact, while typically ransomware victims are given ten days to reach out to cybercriminals, according to the malware researchers at vx-underground,

The researchers also revealed that LockBit said it breached Boeing via a zero-day exploit, but did not say which vulneravility it was able to take advantage of.

The ransom gang, who had not revealed until now how much sensitive data it had exfiltrated, also previously said on its site it would not post any samples of Boeing's stolen data to "protect" the global jetliner manufacturer with over 150,000 employees worldwide.

Meanwhile, Boeing, who had stated to Cybernews that Friday it was “assessing” the situation, later confirmed to our team on November 1st that it was “aware of a cyber incident impacting elements of our parts and distribution business.”

A company spokesperson said it was “actively investigating the incident and coordinating with law enforcement and regulatory authorities.”

Boeing added that it was notifying customers and suppliers of its global services division and that the incident did not affect flight safety.

Who is LockBit?

The LockBit group was first clocked by security insiders sometime late 2019. Since then, the gang has topped many lists in terms of victimized organizations.

The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa .

The gang’s evasive ransomware variant LockBit 3.0 shares similarities with two other Russian-linked ransomware; BlackMatter and BlackCat (ALPHV/BlackCat), according to the US Department of Justice.

The group is also said to have made tens of millions of dollars off its victims in actual ransom payments collected in Bitcoin.

Security research reports from this past August suggest that the group may be having management issues that have caused a breakdown in LockBit’s criminal operations.

The suspected rupture resulting in LockBit’s over-reliance on empty threats and its fierce reputation as a substitute for taking real action against its victims.

This may also explain the inconsistency in how the ransomware group has been handling Boeing, a company whose net worth as of last week was listed by Forbes as over $110 billion.