The entire network was down for 30 hours after ransomware interrupted camera and physical access control systems
According to sources, the phishing email was used to allow the virus on the network of a Maritime Transportation Security Act (MTSA) regulated facility. Once the malicious link was clicked by the employee, Ryuk ransomware was loaded on the system and quickly encrypted the data. The official Marine Safety Information Bulletin has stated:
Forensic analysis is currently ongoing but the virus, identified as “Ryuk” ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files.
This file encoding led to the controlled access to sensitive files, according to USCG – the U.S Coast Guard security alert published before Christmas. The incident is still under the investigation, but it is already known that all the operations got shut down for more than 30 hours, but particular security measures helped to at least limit the breach.
Opened phishing email led to complete network shutdown
The common technique to spread such ransom-demanding threats – email campaigns involving malicious links or files embedded with payload droppers or direct malware scripts. USCG believes that such a phishing email triggered the infiltration of ransomware and allowed the threat actor to access the data on the network.
The disruption was definitely caused because the system that Ryuk encrypted involved the control and monitoring of many operations and got shut down. During this time, the company implemented cybersecurity risk management and breach mitigation measures that helped to reduce the damage:
- consistent backups of all files;
- up-to-date IT and OT network diagrams;
- network segmentation to prevent IT systems from accessing the OT environment;
- centralized and monitored host and server logging;
- industry-standard and ip to date virus detection software;
- intrusion detection and intrusion prevention system monitoring real-time network traffic.
Not the first Coast Guard security incident nor the last Ryuk ransomware attack
Back in July, the Coast Coard investigators examined cybersecurity reports about an incident when malware infected the vessel's network and computer systems. It was the malware that targeted international deep draft vessel bound for the Port of New York and New Jersey. Fortunately, the virus didn't cause any crucial damage to the network.
Such attacks targeting particular shipping and maritime industries increase and occur all over the world, resulting in shutdowns of operations and unloading dozens of ships, mandatory reroutes. Nevertheless, particular Ryuk ransomware is a malware known for choosing such targets that can provide the biggest profit for cybercriminals.
This particular virus is one of many money-driven cyber threats that cripple systems of cities, companies, agencies, and compromises networks with the aim of getting money from victims. Ransomware is one of the most dangerous threats because of the particular blackmailing feature and the permanent damage of files and devices when ransoms are not paid.