
SecurityWeek

European Airport Cyberattack Linked to Obscure Ransomware, Suspect Arrested

Cybersecurity researchers believe the attack on Collins Aerospace involved a piece of ransomware known as HardBit.

The recent cyberattack aimed at aerospace and defense company Collins Aerospace, which has caused significant disruptions at major airports in Europe, reportedly involved a piece of ransomware known as HardBit.

The HardBit ransomware emerged in October 2022 and came into the spotlight a few months later, when it was revealed that the cybercriminals were willing to negotiate ransom amounts based on their victims’ cyberinsurance policy. Not much has been reported on HardBit since.

Cybercriminals are using HardBit ransomware to encrypt files on compromised systems and they claim to steal data from victims but, unlike many other ransomware operations, they do not appear to have a website where they name victims and leak stolen data.

The EU cybersecurity agency ENISA revealed on Monday that the airport disruptions were the result of a ransomware attack, but did not share additional details. 

Cybersecurity expert Kevin Beaumont reported on Tuesday that the attack involved a variant of HardBit, which he described as “incredibly basic”. Beaumont learned from sources that Collins Aerospace has been having difficulties removing the malware, with devices becoming reinfected following cleanup attempts.

The BBC reported earlier this week that over one thousand computers may have been impacted and that Collins had found the hackers still inside its network after it rebuilt and relaunched systems. 

Ransomware expert Dominic Alvieri told SecurityWeek that his sources also confirmed the involvement of HardBit in the attack. However, the researcher pointed out that the HardBit ransomware is offered under an affiliate program and anyone could have used it to target Collins Aerospace. 

Alvieri also pointed out that some HardBit affiliates have been known to use the Mimic ransomware as well, which can complicate attribution. However, the expert does not believe that to be true in this case.

Alvieri also told SecurityWeek that the notorious ransomware group BianLian targeted Collins Aerospace back in 2023, claiming to have stolen employee personal information, operational information, and corporate files. BianLian has not been active since March 2025, but there is a possibility that it left a backdoor on Collins systems during the 2023 intrusion.

There was some indication earlier this week that the notorious ShinyHunters hackers may have been involved. Scattered Spider, which is linked to ShinyHunters, is known to have targeted the aviation industry.

The BBC learned from the UK’s National Crime Agency (NCA) on Wednesday that a 40-year-old man was arrested in West Sussex as part of an investigation into the Collins Aerospace cyberattack.

The suspect was arrested on Tuesday evening, but was later released on bail. NCA representatives said the investigation is still in early stages. 

UK authorities recently arrested two Scattered Spider suspects. One of them has been charged in the United States over critical infrastructure hacking.

The cyberattack on Collins Aerospace, which provides check-in and boarding systems, has impacted major airports in the UK, Germany, and Belgium, including London Heathrow, Brussels Airport, and Berlin Brandenburg.

Delays and flight cancellations have been reported by the impacted airports, with disruptions extending into Wednesday. FlightRadar24 at the time of writing is still showing a significant percentage of delayed departures at the affected airports. 

Written By

Eduard Kovacs (@EduardKovacs) is the managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
