U.S. Coast Guard Says Ryuk Ransomware Shut Down Maritime Facility for Over 30 Hours
The United States Coast Guard reported a ransomware attack at a Maritime Transportation Security Act (MTSA) regulated facility. The malware attack caused the port to shut down for over 30 hours while it restored control of IT systems and equipment at the facility.
The Coast Guard bulletin did not specify the type of facility or its name. Since the bulletin mentions that ransomware attacked the cargo transfer industrial control systems, it is assumed the facility is a port. The Coast Guard bulletin mentioned that the attack affected the entire corporate network and that its damage extended beyond the footprint of the facility, which is assumed to be a port authority.
Ports are known to be vulnerable to ransomware attacks, especially because data is often transferred on ships through a USB flash drive. In September 2018, the ports of San Diego, US and Barcelona, Spain were both infected with Ryuk Ransomware within five days of each other.
The ransomware, believed to be Ryuk, was sent to a maritime facility employee in an email phishing campaign. After the employee clicked on a link in the malicious email, Ryuk ransomware was able to infect and lock up the entire corporate IT network at the facility.
The Ryuk ransomware infection caused a disruption of the facility’s cameras, physical access control systems, and critical process control monitoring systems. The malware spread through the facility’s IT network and even impacted industrial control systems.
What is Ryuk Ransomware?
Ryuk Ransomware first appeared in the middle of August 2018 in cyberattacks against major global organizations in the United States and Russia. Ryuk Ransomware is a data encryption Trojan which is not especially technically complex as far as malware is concerned. Ryuk operates similarly to HERMES ransomware, which is attributed to a state-sponsored North Korean APT group known as Lazarus.
What differentiates Ryuk Ransomware from other malware is the high ransom demands to release control of infected files and systems. The ransom amount is generally proportional to the size of the infected organization. So far, Ryuk has netted about $4 million with an average ransom payment of $71,000 in Bitcoin. As of January 2019, the lowest ransom amount was 1.7 BTC and the highest was 99 BTC. There were 52 known transactions split across 37 BTC addresses.
Over 1,039 schools across the United States have been infected by a ransomware attack, though not all of those attacks involved Ryuk Ransomware. Major cities were hit hard as well. Baltimore, Maryland was shut down for 36 days and three cities in Florida were completely paralyzed by ransomware attacks in 2019. Most recently, the City of New Orleans was infected with Ryuk Ransomware during the first half of December.
The average ransomware takes only three seconds to encrypt files or lock access to a computer. A computer user gets infected with ransomware when they unknowingly click on a malicious link in a phishing email, save a malicious file from a USB flash drive, or malware is downloaded to their computer from a fraudulent website. Often one piece of malware downloads more malware and spreads across every computer connected to the same network. In some cases, Emotet and Trickbot infections have also been identified on IT networks targeted by Ryuk.
Ryuk Ransomware infects computers through Remote Desktop (RDP) Accounts and macro-enabled DOCX and PDF files.
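Since macro-bearing Office documents are one of the delivery paths named above, a mail gateway can screen attachments for an embedded VBA project rather than trusting the file extension. The following is an added example, not code from the article or from any product it mentions: Office Open XML files are ZIP containers, and a VBA project, when present, is stored as a part named vbaProject.bin, so the check looks for that part. The sample documents are constructed in memory for the demonstration.

```python
import io
import zipfile

# Office Open XML documents are ZIP containers; a VBA project, when present,
# is stored as a part named vbaProject.bin (usually under word/, xl/ or ppt/).
# Hypothetical gateway check: flag any attachment carrying such a part, whatever
# its extension says, since the extension alone does not prove a file is macro-free.
MACRO_PART_SUFFIX = "vbaProject.bin"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML container (e.g. a legacy .doc or a PDF); this check cannot judge it.
        return False


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for the demonstration (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder bytes")
    return buf.getvalue()


def screen_attachment(filename: str, data: bytes) -> str:
    """Return a gateway verdict: quarantine documents that carry a VBA project."""
    if has_vba_project(data):
        return f"QUARANTINE {filename}: embedded VBA project found"
    return f"ALLOW {filename}: no VBA project part"


if __name__ == "__main__":
    for name, doc in (("invoice.docx", build_sample_doc(False)),
                      ("invoice.docm", build_sample_doc(True))):
        print(screen_attachment(name, doc))
```

A file that is not a ZIP container at all (a PDF, a legacy binary .doc) is reported as having no VBA project by this check and needs a separate scanner.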
How Does Ransomware Spread?
Ransomware is often spread through phishing emails or spear phishing emails that contain links to malicious files or websites. When the recipient clicks on a malicious attachment, the file may begin a malware download to their computer. When a phishing email recipient clicks on a link that goes to a spoof website, they may be prompted to enter in login credentials or begin a malicious download from the fraudulent website.
Often ransomware attacks begin with a social engineering attack where the hacker attempts to get personal details about the target so they can tailor the phishing email and make it seem more familiar and more believable. Malware may also be spread through social media and messaging apps.
How to Protect Yourself Against Ransomware Attacks
Corporations should utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program.
- Verify the validity of any email sender before replying to or taking any action like clicking on a link
- Do not open unsolicited emails
- Never send any sensitive information in an email, e.g. passwords, credit card numbers, or personal information
- Do not respond to any inbound requests for username, password reset, or technical support. Hackers may begin an attack with a simple phone call to get the correct name of the person to send a phishing email to
- Maintain regular back-ups of all critical files and software
- Use industry standard and up to date virus detection software