Ryuk Ransomware Took Down Maritime Facility in US

Posted by & filed under Ειδοποιήσεις.

The U.S. Coast Guard (USCG) published a marine safety alert to inform of a Ryuk Ransomware attack that took down the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility.

While the incident is still currently being investigated, the USCG says that a phishing email is most likely the point of entry within the MTSA facility’s network.

“Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files,” says the USCG.

The USCG issued another safety alert in July with cybersecurity guidance after a cyber incident experienced by a deep draft vessel during February affected the ship’s entire network.

Just as it happened in the July alert, the UCSC once again reminds maritime stakeholders to closely check the validity of the email sender before replying to or opening unsolicited emails.

Operations shut down for over 30 hours

Even though the Marine Safety Information Bulletin (MSIB) doesn’t mention the type of facility or its name, it’s safe to assume that it must be a port seeing that the ransomware managed to infiltrate cargo transfer industrial control systems.

“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations,” adds the USCG.

The systems encrypted by Ryuk Ransomware directly impacted the facility’s “entire corporate IT network (beyond the footprint of the facility)” [emphasis ours] and physical access and camera control systems, and it also led to “loss of critical process control monitoring systems.”

On the whole, the attack forced the company to completely shut down operations for more than 30 hours during the cyber-incident response phase.

The Coast Guard recommends facilities utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program. – USCG

Ransomware and breach mitigation measures

The USCG provides the following measures to limit future MTSA facility breaches and reduce recovery times:

• Intrusion Detection and Intrusion Prevention Systems to monitor real-time network traffic
• Industry-standard and up to date virus detection software
• Centralized and monitored host and server logging
• Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
• Up-to-date IT/OT network diagrams
• Consistent backups of all critical files and software


UK’s National Cyber Security Centre also published an advisory in June detailing Ryuk Ransomware campaigns targeting organizations around the globe including guidance on how to protect against ransomware attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its own advisory on how to prevent and respond to ransomware infections, as well as advice on what to do after a ransomware infection.

To make matters worse for individuals and organizations affected by a Ryuk Ransomware attack, it has recently been discovered that this strain’s decryptor has a bug that could lead to data loss in large files.

Therefore, Ryuk victims should always consider backing up all of their encrypted data before decryption, to protect it if the decryptor corrupts it.


The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.