A hacking group recently spotlighted by U.S. agencies said it is responsible for an attack targeting an operator of 13 airports across Mexico.

Grupo Aeroportuario del Centro Norte announced last Friday that a cyber incident forced its IT team to turn to backup systems in an effort to continue running the airports it controls across central and northern Mexico. Known colloquially as OMA, the company runs airports in Monterrey and other major Mexican cities, handling more than 19 million passengers so far this year. 

On Thursday, the RansomHub operation claimed to be responsible for the incident, and threatened to leak 3 terabytes of stolen data if an undisclosed ransom is not paid. U.S. agencies warned of the group’s attacks in August, saying it was responsible for more than 210 incidents since emerging in February. 

“The OMA IT team, in collaboration with external cybersecurity experts, is actively investigating the incident to determine its scope and ensure the protection of the integrity, confidentiality and availability of our systems,” the company said, though it did not confirm RansomHub’s statements. 

“Our operations are running through alternative and backup systems. To date, there has been no material adverse effect on the operations, results or financial position of the company, which will be evaluated on an ongoing basis until the situation has been completely resolved.” 

In an earnings report released on Thursday, the NASDAQ-listed company reported more than $550 million in revenue for the first nine months of 2024. 

The company also addressed the cyber incident in the earnings report, writing that it has “continued to work with external advisors to assess the full scope of the breach.” 

“We have gradually restored certain services while continuing to collaborate with cybersecurity experts to safeguard the integrity of our systems,” the company said. “As of today, we have not identified a material adverse impact on the Company's operations and financial position, though we are closely monitoring the situation and assessing any possible continued effects.”

The company did not respond to requests for comment but has repeatedly warned passengers about issues airports continue to face.

In a social media message on Thursday, the company said screens showing the terminal location of flights are still down but workers are stationed around the airports to help passengers. 

There are also QR codes to help passengers find boarding gates. The company urged passengers to arrive on time and follow local airline social media accounts for more information. 

The incident was first acknowledged by OMA on October 15, when it confirmed that screens across the airports it controls were down. 

Microsoft this week said RansomHub continues to dominate the ransomware landscape. 

“RansomHub still stood out as one of the most prevalent payloads used by some of the most active ransomware operators and other financially motivated actors like Manatee Tempest & Storm-1874,” the company said, noting that several other threat actors it tracks continue to use the RansomHub malware in attacks. 

Last year, one of the highest-traffic airports in Mexico said it was responding to a similar cyberattack that was eventually claimed by the LockBit ransomware gang.