Ransomware at Airports: How Attackers Target Aviation and What Operators Must Do

In June 2022, a ransomware attack hit SpiceJet — one of India's largest low-cost airlines — disrupting flight departures, stranding passengers, and briefly paralysing booking and ground operations systems. Just over a year later, in 2023, the Airports Authority of India suffered a ransomware attack affecting administrative systems at multiple airports. These are not isolated incidents. Aviation — with its convergence of mission-critical OT systems, time-pressure operations, legacy IT infrastructure, and large financial reserves — is an increasingly attractive ransomware target. An airport that cannot process passengers, or an airline that cannot dispatch flights, faces immediate and severe commercial pressure to pay.

SpiceJet ransomware attack (June 2022) disrupted flights and stranded passengers — one of multiple ransomware incidents targeting aviation in a two-year period.

Why Aviation Is a High-Value Ransomware Target

Ransomware gangs conduct target selection based on ability to pay, pressure to recover quickly, and vulnerability to attack. Aviation scores highly on all three dimensions:

  • Revenue loss is immediate and measurable: a grounded airline loses tens of thousands of pounds per hour per aircraft
  • Operational complexity creates leverage: airports cannot easily switch to manual processes for all functions
  • Legacy systems create attack surface: many airport and airline IT systems run on ageing infrastructure with limited patching cadence
  • IT/OT convergence creates propagation risk: ransomware entering IT networks can reach OT systems managing baggage, ground equipment, and facilities
  • Time pressure creates payment incentive: airlines facing passenger cancellations cannot sustain prolonged recovery periods
  • Insurance and capital reserves make aviation operators able to pay significant ransoms

How Ransomware Enters Aviation Networks

The attack vectors for aviation ransomware follow the same patterns as other sectors but are amplified by aviation-specific factors:

  • Phishing: Flight crew, ground handlers, and administrative staff are targeted with aviation-themed phishing — crew scheduling changes, safety notices, regulatory communications
  • Supply chain: Third-party vendors with remote access to airport systems — baggage handling vendors, catering management, ground handling IT — provide an indirect entry point
  • Exposed RDP: Remote desktop access used for operational management of airport and airline systems is frequently exposed and targeted
  • Vulnerable public-facing systems: Booking portals, check-in kiosks, and web-facing management systems with unpatched vulnerabilities
  • Insider threat: Ground staff and contractors with physical access to operational systems create additional risk vectors
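The exposed-RDP vector above is one of the few that leaves a clean audit trail before any encryption happens: a burst of failed remote-interactive logons from one source, often cycling through account names, followed by a success. The following detection logic is an added example and not code from the original article; the Windows event records, thresholds and ten-minute window are constructed assumptions standing in for what a SIEM would normalise from event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP).

```python
"""
Detection of RDP brute-force and password-spray activity from Windows Security
events: 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
Added example, not the article's code. The events, thresholds and window below
are constructed assumptions; a real deployment would read them from a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAIL_THRESHOLD = 5              # failures from one source inside WINDOW raise an alert (assumed)
SUCCESS_AFTER_FAILS = 3         # a success preceded by this many failures is suspicious (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for counting failures (assumed)

# Constructed sample, shaped like SIEM-normalised 4624/4625 records.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T01:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.9",    "user": "admin"},
    {"ts": "2024-03-01T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "admin"},
    {"ts": "2024-03-01T02:00:14", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "administrator"},
    {"ts": "2024-03-01T02:00:31", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "crewsched"},
    {"ts": "2024-03-01T02:00:52", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "ops"},
    {"ts": "2024-03-01T02:01:10", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "ops"},
    {"ts": "2024-03-01T02:01:40", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "ops"},
    {"ts": "2024-03-01T02:02:05", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.45", "user": "ops"},
    {"ts": "2024-03-01T02:30:00", "event_id": 4624, "logon_type": 3,  "src_ip": "203.0.113.45", "user": "ops"},  # network logon, not RDP
    {"ts": "2024-03-01T03:10:00", "event_id": 4625, "logon_type": 10, "src_ip": "10.20.30.5",   "user": "jsmith"},
    {"ts": "2024-03-01T03:10:20", "event_id": 4624, "logon_type": 10, "src_ip": "10.20.30.5",   "user": "jsmith"},
    {"ts": "2024-03-01T05:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.9",    "user": "admin"},
    {"ts": "2024-03-01T09:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "192.0.2.9",    "user": "admin"},
]


def detect_rdp_attacks(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings for RDP brute force and for a success that follows a failure burst."""
    # Only RemoteInteractive logons matter here; sort so the sliding window is monotonic.
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["ts"])
    failures: Dict[str, List] = defaultdict(list)   # src_ip -> [(timestamp, user), ...]
    alerted = set()                                  # one brute-force alert per source
    findings = []
    for e in rdp:
        ts = datetime.fromisoformat(e["ts"])
        ip = e["src_ip"]
        # Keep only the failures that fall inside the window ending at this event.
        failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if e["event_id"] == 4625:
            failures[ip].append((ts, e["user"]))
            if len(failures[ip]) >= fail_threshold and ip not in alerted:
                alerted.add(ip)
                findings.append({
                    "src_ip": ip,
                    "kind": "rdp_bruteforce",
                    "count": len(failures[ip]),
                    "users": sorted({u for _, u in failures[ip]}),  # spread of names hints at spraying
                })
        elif e["event_id"] == 4624 and len(failures[ip]) >= SUCCESS_AFTER_FAILS:
            # A success on the heels of repeated failures is the signal that matters most:
            # the attacker now has an interactive session to pivot from.
            findings.append({
                "src_ip": ip,
                "kind": "success_after_failures",
                "count": len(failures[ip]),
                "user": e["user"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_attacks(SAMPLE_EVENTS):
        print(f)
```

The second finding kind is the one to page on: a brute-force burst that never succeeds is noise worth tuning, but a success from the same source a minute later should trigger session termination and credential reset for the account involved. The internal source that fails once and then succeeds produces nothing, which is the intended behaviour for a user mistyping a password.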

OT System Risk: When Ransomware Reaches Operational Technology

The most severe aviation ransomware scenarios involve propagation from IT into Operational Technology (OT) networks — the systems managing physical airport operations. Baggage handling systems, airfield lighting, security screening management, boarding gate systems, and ground power units all run on industrial control systems that can be disrupted by ransomware. Unlike enterprise IT, OT systems often cannot be quickly rebuilt or restored, and some are safety-critical — meaning an operator cannot simply accept degraded OT operation while recovering. Network segmentation between IT and OT is the primary technical control preventing ransomware propagation into these systems.
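Segmentation is only as good as the ruleset that implements it, and in practice a single broad "IT to OT allow" added for a vendor or a file share is what turns an IT incident into an OT one. The audit below is an added example, not code from the original article: it takes a constructed firewall ruleset and a segmentation policy (zone names, the jump host `ot-jump-01`, port lists and the rule format are all assumptions) and flags every allow rule that lets the IT zone reach OT without passing through the jump host, that opens a lateral-movement service such as SMB or RDP into OT, or that lets OT hosts initiate connections back into IT. It also evaluates a sample connection against the original and the hardened ruleset with first-match-wins semantics so the effect of removing the offending rules is visible.

```python
"""
IT/OT segmentation audit for ransomware-propagation paths.
Added example, not the article's code. Zone names, hosts, ports, the rule
format and the policy below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services ransomware commonly abuses to spread between hosts (assumed list).
LATERAL_MOVEMENT_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                    # "IT", "OT", "DMZ" or "any"
    dst_zone: str
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None means any destination port
    action: str                      # "allow" or "deny"
    src_host: Optional[str] = None   # None means any host in src_zone


# Constructed ruleset, evaluated top-down with first match wins.
RULES = [
    Rule("jump-to-ot-vnc",   "IT",  "OT",  "tcp", 5900, "allow", src_host="ot-jump-01"),
    Rule("it-to-ot-smb",     "IT",  "OT",  "tcp", 445,  "allow"),   # whole IT zone reaches OT file shares
    Rule("it-to-ot-any",     "IT",  "OT",  "any", None, "allow"),   # blanket allow added "temporarily"
    Rule("ot-historian-out", "OT",  "DMZ", "tcp", 5432, "allow"),   # historian replication into the DMZ
    Rule("ot-to-it-rdp",     "OT",  "IT",  "tcp", 3389, "allow"),   # OT hosts may RDP back into IT
    Rule("default-deny",     "any", "any", "any", None, "deny"),
]

# Segmentation policy (assumed): inbound to OT only from jump hosts on listed ports;
# OT may initiate only the listed (destination zone, port) pairs.
POLICY = {
    "protected_zone": "OT",
    "jump_hosts": {"ot-jump-01"},
    "jump_allowed_ports": {22, 5900},
    "ot_egress_allowed": {("DMZ", 5432)},
}


def audit_rules(rules: List[Rule], policy: dict) -> List[Tuple[str, str]]:
    """Return (rule name, reason) pairs for every allow rule that violates the policy."""
    ot = policy["protected_zone"]
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst_zone == ot and r.src_zone != ot:            # inbound into OT
            if r.src_host not in policy["jump_hosts"]:
                findings.append((r.name, "inbound to OT not restricted to a jump host"))
            elif r.dport not in policy["jump_allowed_ports"]:
                findings.append((r.name, "jump-host rule allows a non-allowlisted port"))
            if r.dport is None:
                findings.append((r.name, "any-port allow into OT"))
            elif r.dport in LATERAL_MOVEMENT_PORTS:
                findings.append((r.name, f"{LATERAL_MOVEMENT_PORTS[r.dport]} into OT is a ransomware propagation path"))
        elif r.src_zone == ot and r.dst_zone != ot:          # OT-initiated egress
            if (r.dst_zone, r.dport) not in policy["ot_egress_allowed"]:
                findings.append((r.name, "OT-initiated connection not on the egress allowlist"))
    return findings


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, proto: str,
             dport: int, src_host: Optional[str] = None) -> str:
    """First-match-wins evaluation like a typical firewall; deny if nothing matches."""
    for r in rules:
        if r.src_zone not in ("any", src_zone) or r.dst_zone not in ("any", dst_zone):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src_host is not None and r.src_host != src_host:
            continue
        return r.action
    return "deny"


def harden(rules: List[Rule], policy: dict) -> List[Rule]:
    """Drop every rule the audit flagged; what survives still has the jump-host path and default deny."""
    bad = {name for name, _ in audit_rules(rules, policy)}
    return [r for r in rules if r.name not in bad]


if __name__ == "__main__":
    for name, reason in audit_rules(RULES, POLICY):
        print(f"{name}: {reason}")
    print("crew laptop -> OT SMB, original:", evaluate(RULES, "IT", "OT", "tcp", 445, "crew-laptop-17"))
    print("crew laptop -> OT SMB, hardened:", evaluate(harden(RULES, POLICY), "IT", "OT", "tcp", 445, "crew-laptop-17"))
```

Running this kind of check against an exported ruleset on a schedule catches the drift that manual reviews miss; the useful design point is that the audit reasons about zones and services, not individual IP addresses, so a newly added rule is judged by where it lets traffic cross rather than by whether someone remembered to document it.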

Ransomware Response for Aviation Operators

Aviation-specific considerations for ransomware response planning include:

  • Operational fallback procedures: Can the airport or airline continue operations in a degraded IT state? Manual check-in, paper manifests, and radio communications must be tested
  • Regulatory notification: Major operational disruption must be reported to the CAA; personal data exposure must be reported to the ICO within 72 hours
  • Passenger and commercial obligations: EU261/2004 and UK equivalent compensation obligations apply during ransomware-caused delays/cancellations
  • Cyber insurance: Aviation ransomware events are significant — insurance cover must match operational scale and include ransomware-specific provisions
  • Law enforcement: The NCSC and NCA should be notified for significant ransomware attacks; FBI and CISA for US-linked operations
  • Recovery prioritisation: Flight operations systems, passenger processing, and safety systems should have defined recovery priorities
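A recovery priority list on its own is not a restore order: flight operations and passenger processing cannot come back before the identity and name-resolution services they authenticate against, and a "tier 2" jump host can silently gate a "tier 1" OT system. The planner below is an added example and not code from the original article; the system names, tiers and dependencies are constructed assumptions. It computes a restore order that respects dependencies and, among the systems that are ready to restore, always picks the highest priority tier first, and it separately reports priority inversions where a critical system depends on something ranked lower, which is the signal that the tier assignments need revisiting before an incident rather than during one.

```python
"""
Recovery-order planning: a dependency-respecting restore sequence that prefers
the highest priority tier among systems whose dependencies are already restored.
Added example, not the article's code. The systems, tiers and dependencies are
constructed assumptions for illustration (tier 1 = restore first).
"""
import heapq
from typing import Dict, List, Tuple

# name -> (priority tier, [systems it depends on])
SYSTEMS: Dict[str, Tuple[int, List[str]]] = {
    "active-directory":        (1, []),
    "dns-dhcp":                (1, ["active-directory"]),
    "flight-ops-dispatch":     (1, ["active-directory", "dns-dhcp"]),
    "dcs-checkin":             (1, ["active-directory", "dns-dhcp"]),
    "baggage-handling-scada":  (1, ["ot-jump-host"]),          # OT access goes through the jump host
    "ot-jump-host":            (2, ["active-directory"]),
    "crew-scheduling":         (2, ["active-directory"]),
    "payroll":                 (3, ["active-directory"]),
    "marketing-cms":           (4, ["dns-dhcp"]),
}


def restore_order(systems: Dict[str, Tuple[int, List[str]]]) -> List[str]:
    """Kahn's topological sort with a heap so ready systems come out lowest tier first.

    Raises ValueError on a dependency cycle (nothing can be restored first) and
    KeyError if a dependency is not itself in the plan.
    """
    indegree = {name: 0 for name in systems}
    dependents: Dict[str, List[str]] = {name: [] for name in systems}
    for name, (_, deps) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise KeyError(f"{name} depends on {dep}, which is not in the recovery plan")
            indegree[name] += 1
            dependents[dep].append(name)

    # Ready set keyed by (tier, name): lowest tier first, name as a stable tiebreak.
    ready = [(systems[n][0], n) for n in systems if indegree[n] == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for dependent in dependents[name]:
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                heapq.heappush(ready, (systems[dependent][0], dependent))

    if len(order) != len(systems):
        stuck = sorted(n for n in systems if n not in order)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return order


def priority_inversions(systems: Dict[str, Tuple[int, List[str]]]) -> List[Tuple[str, str]]:
    """(system, dependency) pairs where a system depends on something in a lower-priority tier."""
    return sorted(
        (name, dep)
        for name, (tier, deps) in systems.items()
        for dep in deps
        if systems[dep][0] > tier
    )


if __name__ == "__main__":
    for position, name in enumerate(restore_order(SYSTEMS), start=1):
        print(f"{position:2d}. {name} (tier {SYSTEMS[name][0]})")
    for name, dep in priority_inversions(SYSTEMS):
        print(f"inversion: {name} (tier {SYSTEMS[name][0]}) waits on {dep} (tier {SYSTEMS[dep][0]})")
```

In the constructed plan the baggage-handling system is tier 1 but cannot be touched until the tier 2 jump host is back, so it lands behind crew scheduling in the computed order; the inversion report makes that visible so the jump host can be promoted to tier 1 (or a break-glass access path defined) when the plan is rehearsed.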

Frequently Asked Questions

Should an airport pay a ransomware ransom?

The UK government and NCSC advise against paying ransoms, as payment funds criminal organisations and does not guarantee data recovery. However, aviation operators face exceptional operational pressure during ransomware incidents. The decision should involve legal counsel, cyber insurers, the NCSC (who provide free incident response support to critical infrastructure operators), and the CAA. Paying a ransom may also have sanctions implications if the attackers are on sanctions lists — legal advice is essential before any payment is made.

What is the typical recovery time for an aviation ransomware incident?

Recovery timelines vary significantly based on the scope of the attack, the quality of backups, and the resilience of IT/OT network segmentation. Incidents affecting only IT systems with good offline backups can be resolved within days. Incidents involving OT system compromise, encrypted backups, or data exfiltration can take weeks or months for full resolution. The 2021 Colonial Pipeline attack (an energy OT system) took approximately one week to restore operations — aviation incidents without OT involvement typically recover faster, but with OT compromise, timelines are much longer.
