The Ryuk ransomware causes more than 30 hours of operational disruption for a maritime operator

The website of the U.S. Coast Guard (which is involved in cyberspace issues, as mentioned in this article) reports that a U.S. maritime operator was impacted by the “Ryuk” ransomware.

This malicious code is not new. It first appeared in the summer of 2018 and has already affected numerous companies, such as Eurofins in the summer of 2019 or Prosegur more recently. As noted by CheckPoint, the malware is not particularly sophisticated from a technical perspective, but it specifically targets large companies and organizations with significant financial resources that may prefer to pay a ransom (which is not recommended and does not always work, particularly in the case of Ryuk) rather than lose several days of operations. As early as January 2019, it had already generated €3 million for its operators (source: Le Monde). In March 2019, the French cybersecurity agency ANSSI published both an alert bulletin and a news bulletin about this malware.

In the case described by the U.S. Coast Guard, the incident affected an operator working under the framework of the Maritime Transportation Security Act (the U.S. legislative implementation of the ISPS Code). At the time the Coast Guard bulletin was written (December 16, 2019), the investigation was still ongoing. The malware reportedly infected the operator’s internal network through an email phishing campaign. After an employee clicked a malicious link, the malware allowed the threat actor to access significant network resources (files and other assets), which were then encrypted, preventing access to critical files required for the operation of the facility.

The malware subsequently propagated into the operator’s industrial control systems used to monitor and transfer cargo, encrypting critical data required for port operations.

The impact on the facility was significant: complete loss of access to the IT network (including systems beyond the operator’s immediate physical environment), loss of video surveillance and physical access control systems, and loss of critical industrial monitoring and process control systems. The combination of these effects forced the operator to shut down its operations entirely for more than 30 hours while a cybersecurity investigation was conducted.

Nearly a year and a half after the first appearances of this ransomware, the damage remains significant. The U.S. Coast Guard notes that several measures could have prevented the attack or at least limited its impact (which suggests that they were partially or entirely absent):

  • the deployment of intrusion detection and prevention systems;
  • up-to-date antivirus solutions with current engines and signatures;
  • centralized logging with active monitoring;
  • at least minimal network segmentation between IT (Information Technology) and OT (Operational Technology);
  • an up-to-date mapping of IT and OT networks;
  • backups of all critical files and software.