The U.S. Coast Guard (USCG) has published a marine safety alert about a Ryuk Ransomware attack that took down the entire corporate IT network of a facility regulated under the Maritime Transportation Security Act (MTSA).
While the incident is still currently being investigated, the USCG says that a phishing email is most likely the point of entry within the MTSA facility’s network.
“Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files,” says the USCG.
The USCG issued an earlier safety alert in July, with cybersecurity guidance, after a cyber incident in February affected the entire network of a deep draft vessel.
As in the July alert, the USCG again reminds maritime stakeholders to closely check the validity of an email's sender before replying to or opening unsolicited emails.
Operations shut down for over 30 hours
Even though the Marine Safety Information Bulletin (MSIB) names neither the type of facility nor the facility itself, it is reasonable to infer that it is a port, since the ransomware reached the industrial control systems that handle cargo transfer.
“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations,” adds the USCG.
The systems encrypted by Ryuk Ransomware affected the facility’s “entire corporate IT network (beyond the footprint of the facility),” as well as its physical access and camera control systems, and led to a “loss of critical process control monitoring systems.”
In total, the attack forced the company to shut down operations completely for more than 30 hours while it responded to the incident.
The Coast Guard recommends facilities utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program. – USCG
Ransomware and breach mitigation measures
The USCG provides the following measures to limit future MTSA facility breaches and reduce recovery times:
• Industry-standard, up-to-date virus detection software
• Centralized and monitored host and server logging
• Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
• Up-to-date IT/OT network diagrams
• Consistent backups of all critical files and software
UK’s National Cyber Security Centre also published an advisory in June detailing Ryuk Ransomware campaigns targeting organizations around the globe including guidance on how to protect against ransomware attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory covering how to prevent ransomware infections and how to respond after one occurs.
To make matters worse for individuals and organizations hit by Ryuk, it was recently discovered that this strain’s decryptor has a bug that can cause data loss in large files.
Ryuk victims should therefore back up all of their encrypted data before attempting decryption, so the originals survive if the decryptor corrupts them.
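One way to put that advice into practice, as an added example that is not from the USCG alert or any vendor's decryptor tooling: snapshot every encrypted file into a separate, read-only backup tree with a size and SHA-256 manifest before running the decryptor, and re-verify the backup afterwards so any corruption is caught while an intact copy still exists. The `.RYK` file extension and the sample directory layout are assumptions for illustration; adjust the suffix to whatever the variant you are dealing with appended.

```python
"""Back up Ryuk-encrypted files to a read-only tree with a hash manifest before
running any decryptor, so a buggy decryptor cannot destroy the only copy.
Added example; not code from the USCG alert or from any decryptor vendor."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: this variant appends .RYK to encrypted files; change to match what you observed.
ENCRYPTED_SUFFIX = ".RYK"
MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (large encrypted files must not be read whole)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted(src_root: Path, backup_root: Path, suffix: str = ENCRYPTED_SUFFIX) -> dict:
    """Copy every encrypted file under src_root into backup_root (tree preserved),
    make each copy read-only, verify the copy, and record size + SHA-256 in a manifest."""
    manifest = {}
    for src in src_root.rglob(f"*{suffix}"):
        if not src.is_file():
            continue
        rel = src.relative_to(src_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        os.chmod(dst, 0o444)  # read-only: the decryptor must never be pointed at the backup
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise IOError(f"copy of {src} does not match its source")
        manifest[rel.as_posix()] = {"size": dst.stat().st_size, "sha256": digest}
    (backup_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_root: Path) -> list:
    """Return (relpath, reason) for every backup file that no longer matches the manifest.
    An empty list means the backup is intact and safe to restore from."""
    manifest = json.loads((backup_root / MANIFEST_NAME).read_text())
    problems = []
    for rel, meta in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif p.stat().st_size != meta["size"]:
            problems.append((rel, "size changed"))
        elif sha256_file(p) != meta["sha256"]:
            problems.append((rel, "hash changed"))
    return problems


def demo() -> dict:
    """Constructed sample data: two encrypted files plus one unrelated file that must be
    skipped. One backup copy is then truncated to show that verify_backup reports it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        bak = Path(tmp) / "backup"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx.RYK").write_bytes(os.urandom(70_000))
        (src / "invoice.pdf.RYK").write_bytes(os.urandom(1_000))
        (src / "readme.txt").write_text("not encrypted, must not be copied")
        manifest = backup_encrypted(src, bak)
        clean = verify_backup(bak)
        tampered = bak / "finance" / "ledger.xlsx.RYK"
        os.chmod(tampered, 0o644)
        with tampered.open("r+b") as f:
            f.truncate(69_999)  # simulate a tool that drops the tail of a large file
        return {"backed_up": sorted(manifest), "clean": clean, "after_tamper": verify_backup(bak)}


if __name__ == "__main__":
    print(demo())
```

Run `backup_encrypted` against the affected share before the decryptor is launched, point the decryptor only at the original tree, and run `verify_backup` afterwards; if the decryptor truncates or corrupts anything, the read-only copies and the manifest let you restore the exact encrypted bytes and try again with a fixed decryptor.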