Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
The past week has been marked by significant developments across the cybersecurity landscape. From ongoing fallout at WestJet following a still-unresolved cyberattack, to Ingram Micro’s scramble to recover from a ransomware incident, organizations continue to face serious digital threats. Meanwhile, a California jury has ordered Google to pay $314 million over unauthorized data transfers, phishing activity is surging via .es domains, and the notorious SatanLock ransomware group has abruptly shut down, threatening to leak stolen data on its way out. Here’s a roundup of this week’s top cybersecurity stories.
- WestJet Says Cyberattack Remains Unresolved 1 Week in, but Operations Not Impacted
WestJet continues to investigate a cybersecurity incident that began late last week, with questions persisting around the nature and extent of the breach.
The Calgary-based airline, Canada’s second-largest carrier, confirmed that hackers gained unauthorized access to its internal systems. While operational functions have not been affected, the company has acknowledged that customers may experience occasional disruptions or errors when using its website and mobile application.
In a statement issued Friday, a WestJet spokesperson said the company is working closely with law enforcement agencies to investigate the incident. However, specific details regarding the type of cyberattack, such as whether it involved malware or ransomware, have not been disclosed.
The breach was first reported on June 13th, shortly before international dignitaries arrived for the G7 summit in Kananaskis, Alberta. At this time, no connection has been established between the attack and the summit.
WestJet stated in a recent update that it has made “significant progress in safeguarding our digital environment” and is continuing to support specialized teams working to fully resolve the issue. The airline emphasized that efforts are underway to determine whether any sensitive data or customer information was compromised.
The aviation sector has become an increasingly frequent target for cybercriminals due to the large volumes of personal and financial information it holds, coupled with its global infrastructure.
Other recent incidents underscore this trend. Japan Airlines suffered a cyberattack on December 26, disrupting more than 20 domestic flights during the busy holiday travel period. The airline quickly neutralized the threat and restored its systems without compromising flight safety.
Similarly, in September, the operator of Seattle-Tacoma International Airport was targeted in a ransomware attack in which hackers demanded US$6 million in bitcoin for stolen documents later posted on the dark web. The Port of Seattle declined to pay the ransom, according to officials.
WestJet reiterated its commitment to transparency and cybersecurity, stating: “We are working as quickly as possible to assess any potential data in scope.”
- California Jury Orders Google to Pay $314 million Over Data Transfers from Android Phones
A California jury has ordered Google to pay $314 million in damages for collecting data from Android devices while they were connected to cellular networks, a practice that plaintiffs claimed constituted the unauthorized use of a paid resource.
The verdict, delivered on Tuesday by a jury in a Northern California state court, concludes a class-action lawsuit initiated in 2019. Plaintiffs alleged that Google could have deferred data collection until devices were connected to Wi-Fi networks, thereby avoiding imposing costs on users’ cellular plans.
According to the complaint, the data transmissions occurred without users’ knowledge or consent, often while devices were unused, such as in pockets, purses, or resting on nightstands overnight. The plaintiffs argued that Google utilized this information to support its business operations, particularly targeted digital advertising.
The lawsuit further claimed that these data transfers persisted even after users closed Google applications and were sometimes delayed until the devices connected to cellular networks. Plaintiffs alleged that users were not provided with a meaningful way to disable the transfers, stating:
“Because of Google’s deliberate design decisions, these passive information transfers using cellular data allowances purchased by plaintiffs are mandatory and unavoidable burdens shouldered by Android device users for Google’s benefit and convenience.”
The complaint also highlighted that Apple’s iOS platform allows users greater control over similar passive data transfers, resulting in less data being transmitted without user action.
In response to the verdict, Google stated: “We strongly disagree with today’s decision and will appeal. This ruling is a setback for users, as it misunderstands services that are critical to the security, performance, and reliability of Android devices.” Google emphasized that the data involved is essential to ensuring proper functionality for billions of Android devices globally and noted that the volume of data transferred is minimal, reportedly less than what is required to send a single photo. The company also maintained that Android users consent to such transfers through terms of use agreements and device settings.
Plaintiffs, however, contested this assertion, claiming that Google’s design intentionally restricted users’ ability to opt out.
This case follows a separate legal matter concluded in May, in which Google agreed to pay over $1.37 billion to the state of Texas. That settlement resolved two lawsuits concerning Google’s collection of location data, biometric identifiers, and activity within its Incognito search feature. The lawsuits were filed in 2022 by Texas Attorney General Ken Paxton, who alleged the company unlawfully tracked users’ locations, voiceprints, facial data, and private browsing activity.
- Ingram Micro Scrambling to Restore Systems After Ransomware Attack
IT distribution leader Ingram Micro has confirmed that a ransomware attack was responsible for the significant service disruptions experienced over the weekend.
As one of the largest global distributors of IT products and services, Ingram Micro proactively took certain systems offline on Friday afternoon in response to the incident. This led to widespread service outages, with customers reportedly unable to access management portals or place orders, as shared across several online forums.
On Saturday, the company issued a statement confirming ransomware as the root cause of the outage and outlined efforts to restore normal operations.
“Ingram Micro recently identified ransomware on certain internal systems. Upon discovery, the company immediately took action to secure its environment, which included taking systems offline and implementing additional mitigation measures,” the statement read.
“Ingram Micro is working diligently to restore affected systems in order to resume processing and shipping of orders. We sincerely apologize for the disruption this incident has caused our customers, vendor partners, and other stakeholders,” the company added.
At this time, Ingram Micro has not disclosed the method of intrusion or whether any sensitive data was compromised. While the organization has not publicly attributed the attack to a specific threat actor, reports suggest the SafePay ransomware group has claimed responsibility, alleging the theft of data from Ingram Micro’s systems.
- Massive Spike In Use Of .es Domains For Phishing Abuse
Cybersecurity researchers have observed a dramatic rise in the exploitation of Spain’s country-code top-level domain (ccTLD), .es, in malicious campaigns. According to threat intelligence, there has been a 19-fold increase in malicious activity originating from .es domains, making it the third most commonly abused TLD, surpassed only by .com and .ru.
The .es domain, typically used by entities based in Spain or those targeting Spanish-speaking audiences, began to see a sharp uptick in abuse starting in January. By May, 1,373 subdomains serving malicious web pages across 447 unique .es base domains were identified.
Notably, 99% of these campaigns were focused on credential phishing, while the remaining 1% were used to distribute remote access trojans (RATs), including ConnectWise RAT, Dark Crystal, and XWorm. The malware delivery mechanisms included command-and-control (C2) nodes and email phishing campaigns impersonating well-known brands, with Microsoft being the spoofed brand in 95% of the observed cases.
While the structure of the attacks is familiar, the choice of the .es TLD appears to be a growing trend. Phishing emails are typically themed around workplace topics, such as HR inquiries or document submission requests, and are often convincingly written, avoiding the simplistic messages seen in less sophisticated campaigns.
The malicious subdomains on .es domains, often hosting counterfeit Microsoft login portals, appear to be automatically generated, rather than manually created. This randomization may make them easier to distinguish from typical typosquatting or lookalike domains.
Examples of such randomly generated subdomains include:
ag7sr[.]fjlabpkgcuo[.]es
gymi8[.]fwpzza[.]es
shmkd[.]jlaancyfaw[.]es
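The observation above, that the auto-generated labels look nothing like real words, is exactly what a defender can key on. The following is an added example (not code from the roundup or from the researchers it summarizes) that scans a DNS query log for hostnames under a watched ccTLD whose registrable label looks machine-generated, using three simple assumed heuristics: a low vowel ratio, a long run of consonants, or a digit embedded between letters. The thresholds, the `WATCHED_TLDS` set, the log format and the benign placeholder names are all assumptions of this example; the three .es names are the defanged examples quoted above, refanged so they parse.

```python
import re

# Constructed DNS query log (example data, not from the original post). The three
# .es names are the defanged examples quoted in the roundup, refanged for parsing;
# the other names are made-up benign placeholders.
SAMPLE_DNS_LOG = """\
2025-07-01T08:12:03Z client=10.0.0.21 qname=ag7sr.fjlabpkgcuo.es qtype=A
2025-07-01T08:12:09Z client=10.0.0.21 qname=www.tienda-ejemplo.es qtype=A
2025-07-01T08:13:44Z client=10.0.0.35 qname=gymi8.fwpzza.es qtype=A
2025-07-01T08:14:02Z client=10.0.0.35 qname=intranet.empresa-ejemplo.es qtype=A
2025-07-01T08:15:17Z client=10.0.0.42 qname=shmkd.jlaancyfaw.es qtype=A
2025-07-01T08:16:30Z client=10.0.0.42 qname=mail.example.com qtype=MX
"""

WATCHED_TLDS = {"es"}   # assumed: extend with other ccTLDs you want to monitor
VOWELS = set("aeiou")
MIN_LABEL_LEN = 5       # assumed: shorter labels (www, mail, ftp) carry too little signal


def max_consonant_run(s: str) -> int:
    """Longest run of consecutive consonant letters (y counted as a consonant)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_random_label(label: str) -> bool:
    """Heuristic: does this DNS label look machine-generated rather than word-like?"""
    letters = [c for c in label.replace("-", "") if c.isalpha()]
    if len(label) < MIN_LABEL_LEN or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    embedded_digit = re.search(r"[a-z][0-9]+[a-z]", label) is not None
    return (vowel_ratio < 0.3
            or max_consonant_run(label) >= 4
            or embedded_digit)


def score_hostname(hostname: str) -> dict:
    """Classify one hostname. It is flagged only when it sits under a watched TLD
    and its registrable (second-level) label looks random; every random-looking
    label is reported so an analyst can see why."""
    labels = hostname.lower().rstrip(".").split(".")
    tld = labels[-1]
    base = labels[-2] if len(labels) >= 2 else ""
    random_labels = [lbl for lbl in labels[:-1] if is_random_label(lbl)]
    flagged = tld in WATCHED_TLDS and is_random_label(base)
    return {"hostname": hostname, "tld": tld,
            "random_labels": random_labels, "flagged": flagged}


QNAME_RE = re.compile(r"\bqname=(\S+)")


def scan_dns_log(log_text: str) -> list:
    """Return the queried hostnames that trip the heuristic, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        result = score_hostname(m.group(1))
        if result["flagged"]:
            hits.append(result["hostname"])
    return hits


if __name__ == "__main__":
    for host in scan_dns_log(SAMPLE_DNS_LOG):
        print("suspicious:", host, "random labels:", score_hostname(host)["random_labels"])
```

Run against the constructed log, the three page-quoted names are flagged and the two word-like .es placeholders are not. The heuristic is meant for triage and enrichment (feeding a hunt query or a proxy alert), not for blocking on its own: acronym-style corporate names will trip the consonant-run rule, so pair it with the hosting and CAPTCHA indicators discussed below before acting.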
Experts are uncertain why the .es TLD is currently so attractive to threat actors, but it can be noted that apart from the consistently abused .com and .ru domains, usage of other TLDs tends to vary quarter by quarter.
The broad nature of these phishing campaigns suggests that the abuse of .es domains is not isolated to a few specialized threat actors. Rather, it indicates widespread adoption across numerous threat groups.
A key finding was the hosting pattern. 99% of the malicious .es domains were hosted via Cloudflare, and many utilized Cloudflare’s Turnstile CAPTCHA. The researchers speculated on whether Cloudflare’s user-friendly deployment tools, such as their [.]pages[.]dev platform, may be inadvertently facilitating abuse, though they noted that the impact of Cloudflare’s enforcement of abuse policies remains unclear.
Traditionally, ccTLDs like .es are among the least exploited due to stricter registration requirements and the inability to perform bulk domain registrations, according to the Internet Corporation for Assigned Names and Numbers (ICANN). These restrictions have typically made them less attractive for cybercriminals seeking large-scale automation. However, this trend may be shifting.
Despite the historical resilience of European ccTLDs, the latest findings suggest that .es domains are increasingly being weaponized, and continued monitoring and mitigation efforts will be necessary to counter this emerging threat.
- SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked
The recently established ransomware group known as SatanLock has announced its immediate shutdown. Prior to going offline, however, the group has declared its intent to publicly release all data previously exfiltrated from its victims. This announcement was made via the group’s official Telegram channel and its dark web leak site.
Notably, all victim listings that were visible on the group’s .onion site just hours earlier have now been removed. Visitors to the site are currently met with a message stating, “SatanLock project will be shut down – The files will all be leaked today.”
Active since April 2025, SatanLock quickly drew attention for its aggressive tactics, having listed 67 victims on its leak site within a few weeks of emerging. A report published by Check Point in May 2025 observed that over 65% of these victims had already appeared on other ransomware groups’ leak sites, suggesting that SatanLock may have relied on shared infrastructure or attempted to re-claim already compromised systems.
An analysis by cybersecurity firm Lockbit Decryptor indicates that SatanLock is likely connected to several other prominent ransomware families, including Babuk-Bjorka and GD Lockersec, pointing to its involvement in a broader cybercriminal ecosystem.
The reason behind the group’s sudden shutdown remains unclear. This development follows a similar announcement from the Hunters International ransomware group last week, which later revealed that it was not disbanding but rather rebranding as WORLD LEAKS, shifting its focus from ransom demands to data breaches and information leaks. Whether SatanLock is taking a similar approach remains to be seen.
Nonetheless, the dissolution of SatanLock is a positive development for potential victims, as it represents the removal of one more malicious actor from the cyber threat landscape.
References:
https://globalnews.ca/news/11251535/westjet-cyberattack-questions/
https://therecord.media/google-lawsuit-data-collection-android-cellular
https://www.securityweek.com/ingram-micro-scrambling-to-restore-systems-after-ransomware-attack/
https://www.theregister.com/2025/07/05/spain_domains_phishing/
https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/