US Coast Guard Finds Ryuk Ransomware Responsible for Attack on its Maritime Facility

• Officials believe the point of entry was a malicious email sent to one of the maritime facility's employees.
• The facility was impacted for more than 30 hours during the incident response phase after the attack.

A ransomware-infected file attached in an email took down the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility recently, as per the published marine safety alert by the U.S. Coast Guard (USCG).

What happened?

Officials believe that the point of entry was a malicious email sent to one of the maritime facility's employees. The incident was being investigated.

"Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files," says the USCG.

What was the impact?

The Ryuk ransomware infection caused a disruption in the facility by affecting camera, physical access control systems, and critical process control monitoring systems. The malware spread through the facility's IT network, even impacting industrial control systems.

The network at the affected facility was down for more than 30 hours during the incident response phase after the attack. The Marine Safety Information Bulletin (MSIB) didn't mention the type of facility or its name. Since the ransomware managed to infiltrate cargo transfer industrial control systems, it is safe to assume that it must be a port.

"The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations," adds the USCG.

Previously, the USCG issued a safety alert in July with cybersecurity guidance after a cyber incident in February. The UCSC has now once again reminded maritime stakeholders to verify the validity of the email sender before replying to or opening unsolicited emails.

Mitigation measures

The USCG provided the following measures to limit future MTSA facility breaches and reduce recovery times:

• Intrusion Detection and Intrusion Prevention Systems to monitor real-time network traffic
• Industry-standard and up to date virus detection software
• Centralized and monitored host and server logging
• Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
• Consistent backups of all critical files and software
• Up-to-date IT/OT network diagrams