Ransomware Lessons from Brussels Airport and IBM i

At Brussels Airport recently, I noticed airline staff working from paper passenger lists because their digital systems were unavailable. The EU Cybersecurity Agency (ENISA) later confirmed the disruption was caused by a ransomware attack on a third-party airline system (Reuters report).

That scene reminded me how ransomware can affect daily operations. It also relates to a recent Kisco Systems article, Using IFS Exit Point Data to Identify Ransomware Attacks, which explains how IBM i administrators can use IFS exit point data to detect early signs of such attacks.

Detecting Suspicious Activity

When Windows systems connect to IBM i’s Integrated File System (IFS) through NetServer shares, a compromised workstation can encrypt or delete files on the server. The IFS exit point API records file activity such as reads, writes, and deletes, allowing administrators to identify unusual spikes in activity.
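
One way to look for the spikes described above, as an added example that is not from the original post or the Kisco article: a sliding-window count of distinct files written or deleted per user and client workstation. The comma-separated record layout, the user names and addresses, and the window and threshold values are assumptions; a real exit program logs in its own format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp,user,client,operation,path.
# The CSV layout, user names and addresses are assumptions for illustration.
SAMPLE_LOG = """\
2025-01-01T09:00:00,JSMITH,10.0.0.21,READ,/home/finance/q1.xlsx
2025-01-01T09:00:30,JSMITH,10.0.0.21,WRITE,/home/finance/q1.xlsx
2025-01-01T09:01:10,JSMITH,10.0.0.21,WRITE,/home/finance/q1.xlsx
2025-01-01T09:02:00,MJONES,10.0.0.37,WRITE,/home/hr/a.docx
2025-01-01T09:02:01,MJONES,10.0.0.37,WRITE,/home/hr/b.docx
2025-01-01T09:02:02,MJONES,10.0.0.37,DELETE,/home/hr/c.docx
2025-01-01T09:02:03,MJONES,10.0.0.37,WRITE,/home/hr/d.docx
2025-01-01T09:02:04,MJONES,10.0.0.37,WRITE,/home/hr/e.docx
2025-01-01T09:02:05,MJONES,10.0.0.37,DELETE,/home/hr/f.docx
"""

MODIFYING = {"WRITE", "DELETE"}  # operations that change or remove a file


def find_bursts(lines, window=timedelta(seconds=10), threshold=5):
    """Flag (user, client) pairs that modify `threshold` or more distinct
    paths inside `window`. Records must be in timestamp order."""
    recent = defaultdict(deque)  # (user, client) -> deque of (time, path)
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, user, client, op, path = line.strip().split(",", 4)
        if op.upper() not in MODIFYING:
            continue
        when = datetime.fromisoformat(ts)
        key = (user, client)
        events = recent[key]
        events.append((when, path))
        # Drop events that have aged out of the sliding window.
        while when - events[0][0] > window:
            events.popleft()
        # Count distinct paths so repeated saves of one file do not alert.
        distinct = {p for _, p in events}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "client": client,
                           "window_start": events[0][0], "files": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune the window and threshold against normal batch jobs and backups on the system, which can also touch many files quickly.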

Strengthening Defenses

Practical steps include:

  • Restrict or eliminate unnecessary NetServer shares
  • Apply least-privilege access to all users
  • Monitor IFS exit point activity
  • Maintain immutable, tested backups
  • Keep Windows endpoints protected and updated

A Broader Reminder

The disruption at Brussels Airport shows that ransomware is not just a data problem but an operational one. By watching for early indicators and reducing exposure, IBM i teams can help prevent the kind of disruption that forces organizations back to pen and paper.
