Passengers of major Indian airline SpiceJet were stuck on the tarmac for hours on Wednesday as the company recovered from a ransomware attack.

The company tweeted that a ransomware attack had affected “certain SpiceJet systems” and “impacted [its] flight operations”.

“While our IT team has to a large extent contained and rectified the situation, this has had a cascading effect on our flights leading to delays,” SpiceJet said.

“Some flights to airports where there are restrictions on night operations have been cancelled.

“SpiceJet is in touch with experts and cyber crime authorities on the issue.”

Passengers naturally expressed their dismay on social media, including Indian politician Mudit Shejwar who chronicled his time on the tarmac through a series of tweets that began 80 minutes after boarding.

“The only communication is of some server down and issue with paper work for fuel,” he wrote. The total delay was around five hours before Mudit’s flight finally took off.

SpiceJet has had a horror week with its IT systems.

The airline has been operating on a ‘cash-and-carry’ scheme since 2020 when the Airports Authority of India (AAI) stopped accepting its credit to pay for airport costs.

Last Friday, SpiceJet failed to make these payments to the AAI after what a spokesperson told the Times of India was “a technical glitch in SAP”.

In response, the AAI grounded all of SpiceJet’s flights until the payments were made manually.

To add to its credit problems, SpiceJet now appears to have a serious cyber security problem on its hands, though the extent of the incident – whether SpiceJet paid the attackers to remove the ransomware or had data exfiltrated from its locked systems – is not publicly known.

Ransomware scourge

Overall, India is a big target for ransomware operators.

According to a recent survey from cyber security company Sophos, the average ransomware payment from Indian companies is the equivalent of nearly $1.7 million.

Australian organisations, for comparison, reported paying out an average of $320,000, while the global average is around $1.1 million.

Indian ransomware targets also reported one of the highest costs to rectify of those surveyed by Sophos, at an estimated average of nearly $4 million to fix a ransomware infection, while the global average is around half that.

Ransomware developers are also experimenting with alternatives to cryptocurrency as a method of payment, as the cyber security researchers at CloudSEK recently found with the ‘GoodWill’ ransomware strain.

Attackers using GoodWill ask victims to perform three “socially driven activities,” according to CloudSEK: donate clothes to the homeless, take five “less fortunate” children to a fast food chain, and provide financial assistance to people who need medical attention.

Victims are asked to record their acts of goodwill and post on social media saying how they have been transformed “into a kind human being by becoming a victim of a ransomware called GoodWill”.

“Our researchers were able to trace the email address, provided by the ransomware group, back to an Indian-based IT security solutions and services company, that provides end-to-end managed security services,” the CloudSEK report said.