Ransomware … It Can Ruin Your Whole Day!

When I used to drive U.S. Navy ships we would hear a cliché: “A collision at sea can ruin your whole day!” Well, that adage can also apply to a ransomware attack on your ship or port.

Cyber-attacks on the maritime sector are on the rise and ransomware attacks have tripled in the past few years. Now is a time to learn more about ransomware and the threat it poses to you, your port and your company.

What is Ransomware?

Ransomware is a form of malicious software designed to encrypt files on a computer or digital device, rendering those files and the systems that rely on them unusable. Often, when this occurs, cyber criminals then demand ransom in exchange for the decryption key. Ransomware can severely impact business processes at ports or shipboard computer systems and leave organizations without the data they need to operate and deliver their services. This can impact revenue, customer satisfaction, and availability.

Sometimes the cyber criminals just encrypt your data and demand a ransom – usually in Bitcoin so the payment cannot be traced. Other times, the cyber criminals will pressure the victims for payment by threatening to release the stolen data if they refuse to pay. Thus, the victim may be shamed and extorted to pay.

In one example, the “NotPetya” ransomware (which you will read more about below) not only attacks the victim’s files but also encrypts entire hard drives by overwriting the master boot record, thus preventing the computer from loading the operating system. Essentially, the computer becomes a very expensive brick.

Some ransomware incidents have demanded over $1 million in payment for the decryption key.

Maritime Ransomware Incidents

  • In 2017 the world’s largest shipping firm—AP Moller – Maersk A/S—was infected by a piece of malware called “NotPetya,” costing the company $300 million in lost revenue, information technology restoration and operational costs. This forced shutdown of the company lasted many weeks. The NotPetya attack included an instruction for each computer user to send $300 to a specific email address.
  • In July 2018, COSCO was brought down by ransomware for several weeks.
  • In August 2020, Carnival Corporation suffered a ransomware attack. The ransomware attack included unauthorized access to guests’ and employees’ personal data.
  • Also in 2020, shipping company MSC was hit by the Ryuk ransomware, which resulted in the shipowner’s Geneva, Switzerland headquarters being shuttered for five days.

Of note, seaports are also affected by ransomware attacks. In November 2020 the Port of Kennewick on the Columbia River in Washington state was attacked and taken down, locking the users out of their servers.

The port refused to pay a $200,000 ransom to restore access to its servers, which were encrypted by sophisticated digital “military-grade” ransomware. Other ports attacked and affected by ransomware include San Diego, the Port of Barcelona (Spain), and the Port of Long Beach.

How Does Ransomware Enter Computer Systems?

There are three generally accepted ways ransomware can enter a victim’s computer system. These include email phishing campaigns, Remote Desktop Protocol (RDP) vulnerabilities, and/or software vulnerabilities.

Phishing attacks are a type of social engineering in which a cybercriminal sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim’s infrastructure. Basically, a realistic-looking email is sent to someone in a company, and they are tricked into clicking on a link or downloading a malicious file. These are the most common attack vectors by which ransomware can infect your ship or shipping company.

RDP is a proprietary network protocol allowing individuals to control the resources and data of a computer over the Internet. Cyber criminals can use brute-force methods or log-in credentials they purchased on the dark-web market to gain unauthorized access to victim computer systems. Once they have RDP access, the criminals can install or deploy ransomware or other malware to lock or erase victims’ systems.

Software vulnerabilities are weaknesses in software code and/or software installation configuration that cyber criminals can exploit to gain control of victim computer systems and deploy ransomware.

U.S. Coast Guard Response

The United States Coast Guard has taken notice of the increased ransomware threat, and starting in 2020 the Coast Guard began issuing cybersecurity-related alerts in addition to the ones normally issued for physical damage, terrorism, or piracy.

In August 2021, the U.S. Coast Guard published the Cyber Strategic Outlook document (you can find it at https://www.uscg.mil/Cyber/). Admiral Karl L. Schultz, Commandant of the Coast Guard, wrote in the report:

“The events of the last five years, including the exploitation of U.S. Coast Guard networks and information, the attacks on maritime critical infrastructure, and adversarial efforts to undermine our democratic processes – not just by exploiting networks, but by negatively shaping information – reinforce that cyberspace is a contested domain … we will act to protect the marine transportation system from threats delivered in and through cyberspace and we will hold accountable those who would do our nation harm through attacks on our networks, operations, or the Marine Transportation System (MTS).”

Actions You Can Take

The first thing you and your organization should do is be prepared for ransomware attacks. Key suggestions from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) include:

  • Maintain offline, encrypted backups of data and regularly test your backups to ensure you can replace encrypted data and files.
  • Implement and utilize multi-factor authentication.
  • Update and patch your systems.
  • Ensure your security solutions are up to date.
  • Create, maintain, and exercise a basic cyber incident response plan.
  • Pay attention to ransomware events and apply lessons learned.
  • Train your employees, contractors, and vendors not to download suspicious files or click on links in unknown emails or files – especially from sources external to your company.

Ask for help if you have been infected with ransomware! Contact CISA, the FBI, or the Secret Service. Also, for maritime cybersecurity incidents, contact the USCG National Response Center.

GET SMART!

To learn more about ransomware and how you can better protect your ship and port, view the following resources:

Stop Ransomware
https://www.cisa.gov/stopransomware

Ransomware 101
https://www.cisa.gov/stopransomware/ransomware-101

Ransomware Best Prevention Practices
https://www.cisa.gov/stopransomware/ransomware-guide

USCG Maritime Cyber Readiness Branch
https://www.dco.uscg.mil/Our-Organization/CGCYBER/Maritime-Cyber-Readiness-Branch/

To report a maritime cybersecurity incident, call:

Coast Guard National Response Center (NRC): 1-800-424-8802

Online reporting tool:
https://www.nrc.uscg.mil/