US Coast Guard Warns Over Ryuk Ransomware AttacksIncident That Targeted Maritime Facility Traced to Phishing Email
The U.S. Coast Guard issued a security alert this month after a ransomware attack took down the IT network of a federally regulated maritime facility.
The incident at the unnamed facility is still under investigation, however, Coast Guard investigators believe that the attackers used the Ryuk ransomware strain during the attack, which started with a phishing email that contained a malicious link, according to the Dec. 16 alert.
Once a worker at the facility clicked the link, the ransomware infected the entire corporate network, including the industrial control systems that monitor and control cargo transfers as well as encrypting files critical to daily operations, according to the alert.
"The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems," according to the Coast Guard alert.
Most of the facility's operations were shut down for over 30 hours during the initial incident response, according to the Coast Guard. The security bulletin did not offer details of when the attack happened or whether any ransom was demanded by the attackers.
The facility mentioned in the alert is protected under the Maritime Transportation Security Act of 2002, a federal law that addresses physical security and cybersecurity responses at U.S. ports and waterway facilities. The Coast Guard, which is part of the U.S. Department of Homeland Security, is charged with enforcing those laws.
Making Security Waves
The December Marine Safety Information Bulletin is the second time this year that the Coast Guard has issued an alert specifically related to cybersecurity.
In July, the Coast Guard investigators were called to examine reports of a cybersecurity incident aboard an international deep draft vessel bound for the Port of New York and New Jersey. In that case, malware infected the vessel's network and some computer systems, but it did not cause any significant damage (see: Malware on the High Seas: US Coast Guard Issues Alert).
Before that incident, the Coast Guard, along with the FBI and the U.S. Department of Homeland Security, investigated a ransomware attack in September 2018 that affected the Port of San Diego, disrupting the commercial shipping industry (see: Ransomware Crypto-Locks Port of San Diego IT Systems).
The increasing number of attacks targeting the shipping and maritime industries are also not limited to the U.S. In June 2017, the NotPetya ransomware attack affected Danish shipping giant A.P. Møller - Maersk, the world's biggest shipping firm. The company was then forced to reroute ships and was unable to dock or unload cargo ships in dozens of ports. (see: Maersk Previews NotPetya Impact: Up to $300 Million).
As part of December alert, the Coast Guard is urging these facilities to take greater security precautions, including using network segmentation to separate IT networks from operational technology environments, and to back-up all files and documents the help in the recovery process.
Ryuk Attacks Increase
Ryuk is a relatively new crypto-locking malware that has been active since 2018, and has been known to target large-scale enterprise systems as well as local and state government agencies, according to security analysts.
The most recent incident attributed to Ryuk includes a ransomware attack against New Orleans on Dec. 14, leading local agencies to declare a state of emergency after the attack crippled the city's IT systems. This attack affected more than 450 servers and 3,500 endpoints in only 48 hours (see:Ryuk Eyed as Culprit in New Orleans Ransomware Outbreak).
In November, a similar ransomware against Louisiana's state government was tied to Ryuk malware after the attack compromised several servers (see: Louisiana Government Recovering From Ransomware Attack).
Also in November, security company Prosegur noted that Ryuk ransomware caused an outage, resulting in widespread disruption in the company's network alarm systems (see:Security Firm Prosegur Hit By Ryuk Ransomware).