UK Police Arrest Man Linked to Ransomware Attack That Caused Airport Disruptions in Europe
In a swift move to combat rising cyber threats, UK authorities have arrested a suspect in connection with a ransomware attack that crippled check-in systems at major European airports. The incident, which began last Friday, September 20, 2025, has led to widespread flight delays, cancellations, and chaos for thousands of travelers. This development underscores the growing vulnerability of critical infrastructure to digital extortion, with investigations ongoing to uncover the full extent of the breach.
What Happened: The Ransomware Attack on Collins Aerospace
The cyberattack targeted Collins Aerospace, a subsidiary of US defense giant RTX, which provides the MUSE software platform for automated passenger processing at airports worldwide. Hackers deployed ransomware—malicious software that encrypts data and demands payment for decryption—to paralyze the system, forcing airports to revert to manual operations.
- Timeline of Events:
- September 20, 2025: Initial breach disrupts check-in and boarding at multiple airports starting Friday evening.
- September 21-22: Disruptions peak with half of Brussels Airport’s flights canceled on Sunday; Berlin and Dublin report manual processing leading to long queues.
- September 22: EU cybersecurity agency ENISA confirms the incident as a ransomware attack, highlighting risks to critical sectors.
- September 23: Ongoing issues at Berlin Airport, with expectations of delays persisting into the week.
- September 24: UK arrest announced, but no group has claimed responsibility on dark web sites.
The attack’s ripple effects spilled into the physical world, affecting not just Europe but potentially global travel hubs reliant on the software. Cybersecurity experts link it to HardBit ransomware, an obscure variant that emerged in 2022, known for negotiating ransoms based on victims’ cyber insurance policies. Unlike prominent groups like LockBit, HardBit doesn’t maintain public leak sites, making attribution challenging.
The Arrest: Details from the National Crime Agency
The UK’s National Crime Agency (NCA) announced the arrest on Wednesday, September 24, 2025, marking a key breakthrough in the early stages of the probe.
| Key Arrest Details | Description |
|---|---|
| Suspect Profile | Man in his 40s, arrested in West Sussex, England. |
| Charges | Suspicion of offenses under the Computer Misuse Act. |
| Status | Released on conditional bail; investigation ongoing. |
| Lead Agency | NCA’s National Cyber Crime Unit, led by Deputy Director Paul Foster. |
Foster described the arrest as a “positive step” but emphasized that cybercrime poses a “persistent global threat” with significant real-world disruptions. The NCA has not disclosed the suspect’s identity or role, and no international connections have been confirmed yet. This comes amid a wave of European cyber incidents, including recent attacks on UK retailer Marks & Spencer, which cost £400 million in recovery.
Impact on Airports and Travelers Across Europe
The ransomware strike hit some of Europe’s busiest hubs hardest, turning high-tech terminals into scenes of manual mayhem. Travelers faced hours-long queues, missed connections, and uncertainty, with airlines like those operating out of Heathrow urged to cancel flights proactively.
- Affected Airports:
- London Heathrow (UK): Terminal 4 saw massive backlogs; disruptions continued into Monday.
- Brussels Airport (Belgium): 50 outbound flights canceled Sunday, 140 more Monday—half the schedule slashed.
- Berlin Brandenburg (Germany): Manual check-ins led to “longer processing times, delays, and cancellations”; recovery could take days.
- Dublin Airport (Ireland): Evacuations and delays compounded by a separate security alert.
- Others: Cork (Ireland) and select operations in Frankfurt reported minor issues.
Eurocontrol, Europe’s air traffic management body, coordinated cancellations to ease congestion. By Wednesday, Berlin Airport anticipated “limited disruption,” but full restoration remains elusive. Passenger frustration boiled over, with one traveler calling the attack “incomprehensible.”
Broader Implications: Ransomware’s Threat to Critical Infrastructure
This incident highlights the escalating dangers of ransomware to sectors like aviation, where downtime isn’t just inconvenient—it’s economically devastating. ENISA’s confirmation on Monday amplified calls for stronger defenses, noting that such attacks on third-party providers like Collins Aerospace can cascade across industries.
- Ransomware Trends in 2025:
- Attacks on high-profile targets are rising for notoriety, though large-scale physical disruptions remain rare.
- German group Bitkom reports ransomware as the top cyber threat, with one in seven firms paying ransoms—totaling a record €202 billion ($238 billion) this year.
- Groups often operate from Russia or former Soviet states, but arrests like this show law enforcement’s reach.
Experts like Rafe Pilling from Sophos warn that while visibility of these attacks is increasing, frequency isn’t—yet. The lack of a claim from the perpetrators suggests a more covert operation, possibly avoiding spotlight to evade detection.
RTX stated it was “aware of a cyber-related disruption” and is working to resolve it, but has not commented on ransom demands or data exfiltration.
What’s Next: Investigation and Prevention
The NCA’s probe is in its infancy, with international cooperation likely involving Europol and ENISA. No extradition or further arrests have been announced, but the focus will be on tracing cryptocurrency payments and forensic analysis of the HardBit strain.
For travelers and businesses:
- Immediate Advice: Use online check-in where possible; monitor airport apps for updates.
- Long-Term Lessons: Bolster multi-factor authentication, regular backups, and cyber insurance reviews.
This arrest is a reminder that cybercriminals aren’t untouchable. As Foster noted, disrupting their operations requires global vigilance. With Europe’s skies reopening slowly, the hope is that justice—and restored systems—follow swiftly. Stay tuned for updates as the investigation unfolds.