Ransomware Group: INCRANSOM

VICTIM NAME: south african airways (flysaa[.]com)

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the INCRANSOM Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page details a significant cyberattack targeting South African Airways (SAA), a major airline operating passenger and freight services within South Africa. The attack was discovered on May 16, 2025, following an event that occurred on May 4, 2025. The incident temporarily disrupted online systems but was reportedly resolved within hours. The airline, headquartered in Johannesburg, is part of the Star Alliance network and maintains operations despite the disruption. The breach involved a sophisticated information stealer campaign, with multiple malware families such as Raccoon, RedLine, and Vidar identified as part of the attack tools used against the airline’s digital infrastructure. This incident underscores the ongoing threat to transportation and logistics companies in the region, emphasizing the importance of strong cybersecurity measures to protect critical operational data and customer information.

According to publicly available information, the attack involved the theft of sensitive data, although specific PII or confidential details were not disclosed publicly. The leak page includes a screenshot of internal information, indicating the potential scope of data compromised. It is noted that the incident prompted a response from the airline, with efforts to restore affected systems promptly. The attack’s sophistication is highlighted by the variety of infostealers employed, affecting numerous third-party domains and involving hundreds of users. Reports from press sources confirm that South African Airways managed to restore services swiftly, while an ongoing investigation aims to assess the full extent of the breach. The incident serves as a reminder of the persistent cybersecurity risks faced by the transportation sector in Africa and worldwide, urging resilience and enhanced security protocols to prevent similar future incidents.