Ransomware Group Everest Takes Credit for Collins Aerospace Breach

Everest, the ransomware group behind the air travel disruptions across Europe in September, says it will begin publishing data stolen in the attack.

 

In September, Collins Aerospace was a target of a significant ransomware attack that disrupted its ARINC Multi-User System Environment and the vMUSE self-service software platform used for electronic check-in, baggage management, and boarding at several major European airports, including London Heathrow, Berlin Brandenburg, Brussels, and Dublin.

 

The attack, first detected on September 19, 2025, caused widespread flight delays and cancellations as airport staff had to resort to manual check-in and baggage procedures. The European Union Agency for Cybersecurity (ENISA) confirmed that ransomware was responsible for the outage. The UK’s National Cyber Security Centre (NCSC) worked with Collins Aerospace, the Department for Transport, and law enforcement to assess the situation.

 

Following the incident, Britain’s National Crime Agency (NCA) arrested a man in West Sussex on suspicion of offences under the Computer Misuse Act linked to the ransomware attack. The suspect was later released on conditional bail, and the investigation remained ongoing.

 

While Collins Aerospace did not disclose the identity of the hackers, recently, the Everest ransomware group claimed responsibility for the cyber attack, listing the aviation service provider as a victim on its data leak site. The group said it plans to release several tranches of data allegedly exfiltrated during the incident soon.

 

According to International Cyber Digest, “Collins Aerospace was targeted by two ransomware gangs simultaneously, unaware of each other.

 

“After Everest exfiltrated data from an FTP server, another ransomware operator targeted the MUSE system and deployed ransomware.”

 

While Everest accused Collins Aerospace of deliberately shutting down systems for an insurance claim, analysis by security firm Hudson Rock suggests that Collins Aerospace was actually hit by two separate attacks concurrently.

 

Britain’s National Crime Agency (NCA) arrested a man in West Sussex on suspicion of offences under the Computer Misuse Act linked to the ransomware attack. The suspect was released on conditional bail, and investigations remain ongoing. Collins Aerospace is yet to publicly disclose the full scope of the attack or whether sensitive data was compromised.