After-Weekend Update: Ransomware Attack on Collins Aerospace Continues to Impact European Airports


September 22, 2025 - Monday Afternoon Update

Executive Summary

What began as mysterious "technical disruptions" late Friday night has now been confirmed as a ransomware attack targeting Collins Aerospace's critical airport infrastructure. The European Union Agency for Cybersecurity (ENISA) confirmed Monday that the widespread chaos at major European airports was caused by ransomware, marking another escalation in the aviation industry's cybersecurity crisis. As airports enter their fourth day of disruption, the incident has evolved from an operational inconvenience into a full-scale supply chain security emergency.


Latest Developments (Monday, September 22)

ENISA Confirms Ransomware Attack

ENISA said law enforcement was involved in investigating the ransomware, software that holds data hostage until those targeted pay to regain access. The agency confirmed that the outage was "caused by a third-party ransomware incident." However, ENISA has not disclosed details about the ransomware strain, potential attribution, or whether any ransom demands have been made.

Ongoing Airport Disruptions

Brussels Airport - Hardest Hit:

  • Among the 550 departing and arriving flights on Monday, 60 had to be cancelled
  • The airport had preemptively asked airlines to cancel nearly 140 scheduled Monday departures
  • iPads and laptops were being used to check in passengers online
  • Collins Aerospace has not yet delivered a secure updated version of the MUSE system

Berlin Brandenburg Airport:

  • Berlin Brandenburg Airport still did not have its check-in systems restored on Monday
  • Delays of more than an hour for departures were reported
  • Continues to rely on manual workarounds and backup procedures

London Heathrow:

  • Showing signs of improvement but still experiencing residual delays
  • Most flights operating, though manual processes continue for some airlines
  • British Airways largely unaffected due to separate backup systems

The Attack: Technical Details and Timeline

Friday Night, September 19, 2025

  • Anomalous traffic patterns detected in Collins Aerospace's MUSE platform backend logs just before midnight
  • The cyber-attack began on Friday night, September 19, when hackers successfully compromised Collins Aerospace's MUSE (Multi-User System Environment) software

Saturday, September 20, 2025

  • By 00:30 GMT: Intrusion had metastasized, encrypting critical databases
  • Heathrow forced to revert to manual ticketing with 12,000 passengers queued in Terminal 4
  • Cascade effect hits Brussels and Berlin Brandenburg airports
  • Collins Aerospace confirmed it was "aware of a cyber-related disruption" affecting select airports

Sunday-Monday, September 21-22, 2025

  • ENISA confirms ransomware as the cause
  • Brussels Airport cancels 60 Monday flights, asks airlines to reduce capacity by 50%
  • Berlin systems remain offline, extensive delays continue
  • Collins Aerospace states it's in "final stages" of completing updates

Industry Impact Analysis

The Numbers Tell the Story

  • One in seven companies reported having paid a ransom to regain access to locked-up data, according to German industry group Bitkom
  • Ransom payments had reached a record high of 202 billion euros ($238bn) this year
  • The aviation sector experienced a staggering 600% increase in cyber-attacks from 2024 to 2025

Supply Chain Vulnerability Exposed

The MUSE system represents a critical single point of failure in modern aviation infrastructure:

  • Powers electronic check-in, baggage tagging, and boarding pass validation
  • Allows multiple airlines to share desks and gates rather than maintaining separate facilities
  • Collins Aerospace provides systems to approximately 170 airports globally
  • When compromised, forces entire airports back to manual, paper-based operations

Expert Analysis and Context

Security Expert Perspectives

Rafe Pilling from Sophos notes: "Disruptive attacks are becoming more visible in Europe, but visibility doesn't necessarily equal frequency" and "Truly large-scale, disruptive attacks that spill into the physical world remain the exception rather than the rule."

Pattern Recognition: Aviation's Achilles' Heel Exposed Again

This ransomware attack eerily mirrors the chaos from just two months ago, when a different kind of failure brought global aviation to its knees. The CrowdStrike BSOD incident of July 19, 2024 offers crucial lessons that make this weekend's events even more concerning.

The CrowdStrike Parallel: When Good Software Goes Bad

On July 19, 2024, at 04:09 UTC, a faulty CrowdStrike Falcon sensor update caused Windows systems worldwide to crash with the Blue Screen of Death. The culprit? A logic error in a configuration file (Channel File 291) that caused a null pointer dereference in the csagent.sys driver. Within hours:

  • Airlines globally were grounded
  • Delta passengers were stranded for 3-4 days at Atlanta airport
  • Manual check-in procedures kicked in (sound familiar?)
  • The fix required physically accessing each affected machine to delete the faulty driver file

The bitter irony? CrowdStrike CEO George Kurtz had faced an almost identical crisis 14 years earlier at McAfee, when a faulty update misidentified critical system files as viruses, causing widespread Windows XP crashes.

Malicious vs. Accidental: Same Vulnerability, Different Trigger

While CrowdStrike was an accidental failure and Collins Aerospace suffered a deliberate ransomware attack, both incidents exposed the same fundamental weakness:

  • Single points of failure in critical aviation infrastructure
  • Cascade effects from centralized systems serving multiple airlines/airports
  • Inadequate offline fallback capabilities
  • Manual processes that can't scale to modern passenger volumes

The Broader Supply Chain Crisis

Beyond aviation, this incident follows a disturbing pattern of supply chain compromises:

  • CDK Global (June 2024): Ransomware affected 15,000 car dealerships, cost over $1 billion
  • PowerSchool (December 2024): Exposed 62 million students' data
  • CrowdStrike (July 2024): Accidental update grounded flights globally
  • Collins Aerospace (September 2024): Ransomware attack disrupting European airports

Current Status and Recovery Efforts

What's Working:

  • Manual check-in procedures allowing flights to continue, albeit with delays
  • Some airports showing improvement (Heathrow operating near-normal)
  • Airlines implementing various workarounds including handwritten boarding passes

What's Not:

  • Brussels Airport still awaiting secure MUSE software update
  • Berlin Brandenburg systems remain offline
  • Automated kiosks and bag-drop facilities unavailable at multiple airports
  • No clear timeline for full restoration provided

Passenger Guidance

If You're Flying This Week:

  1. Check flight status before leaving for the airport
  2. Arrive early - add at least 1-2 hours to normal arrival time
  3. Use online check-in where available
  4. Expect delays even if your flight isn't cancelled
  5. Keep essential items in carry-on luggage due to increased baggage handling errors

Most Affected Routes:

  • Brussels to Africa and Asia (Brussels Airlines)
  • Berlin to Scandinavia (Lufthansa short-haul)
  • Various European connections through affected hubs

Lessons Not Learned: From CrowdStrike to Collins

The speed with which aviation returned to vulnerability after CrowdStrike is striking. Just two months after that incident forced airlines to manually delete driver files from thousands of machines, the industry finds itself again reverting to handwritten boarding passes and manual bag tags.

Key failures to implement post-CrowdStrike recommendations:

  • No rapid rollback mechanisms deployed for critical third-party systems
  • Manual backup procedures still inadequate for full-scale operations
  • Supply chain security audits apparently incomplete or ineffective
  • Offline resilience not improved despite clear warning signs

The CrowdStrike incident should have been aviation's wake-up call. Instead, it appears to have been treated as a one-off event rather than a preview of systemic vulnerabilities that malicious actors would inevitably exploit.

Looking Forward: Critical Questions Remain

Unanswered Questions:

  • Has any ransom been demanded or paid?
  • Who is behind the attack? (No group has claimed responsibility)
  • Was any data exfiltrated alongside the encryption?
  • When will full service be restored?

Policy Implications:

The incident will likely accelerate:

  • Implementation of EU's NIS2 Directive requirements
  • Calls for mandatory backup systems that don't rely on digital infrastructure
  • Industry-wide security audits of critical third-party providers
  • Potential fines for non-compliant vendors (up to €100 million under proposed amendments)

The Bigger Picture

This ransomware attack on Collins Aerospace represents more than just a technical failure—it's the second major aviation IT crisis in just two months, following the CrowdStrike BSOD incident that should have served as a warning. Together, these events reveal a systematic vulnerability in how modern aviation has architected its digital dependencies.

The progression from accidental (CrowdStrike) to malicious (Collins) attacks demonstrates that threat actors are actively studying and exploiting the lessons from each incident. The systematic targeting of shared technology platforms yields far greater returns for attackers than hitting individual organizations, and the aviation industry's slow response to the CrowdStrike warning has essentially provided a blueprint for ransomware operators.

As aviation expert Anita Mendiratta noted, this was "a disruption caused to software, not a specific airport," highlighting the critical importance of containing such digital contagions. But containing contagion requires preparation that clearly wasn't implemented after July's warning shot.

Primary Source Articles:

  1. Major Cyber-Attack Disrupts European Airport Operations - Breached Company
  2. In-Depth Technical Document on the CrowdStrike BSOD Incident - Breached Company
  3. Cyberattack on European airports caused by ransomware, EU finds - Al Jazeera
  4. EU cyber agency confirms ransomware attack - TechCrunch

Airport Status Pages:

  • Heathrow Airport: Check @HeathrowAirport on X (Twitter)
  • Brussels Airport: brussels-airport.be
  • Berlin Brandenburg: berlin-airport.de

This is a developing story. Last updated: Monday, September 22, 2025, 3:00 PM GMT

Follow-up reporting by aviation and cybersecurity correspondents across Europe. Additional reporting from Reuters, Bloomberg, CNBC, and local airport authorities.
