SC Media UK’s predictions (publishing 6 January) note how ransomware growth is expected to continue this year, and the first major reported strike (albeit from late last year), reported by the BBC, is a ransomware attack that took an unidentified US maritime base offline for more than 30 hours. The US Coast Guard (USCG) apparently reported the attack in a 16 December warning to other bases to take preventative action. Security cameras, door-access control systems and critical monitoring systems at the site were affected.
The BBC quotes the official Marine Safety Information Bulletin as saying: "Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise information technology (IT) network files, and encrypt them, preventing the facility's access to critical files. The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations."
A separate report by Ugnius Kiguolis cites the Bulletin saying "Forensic analysis is currently ongoing but the virus, identified as "Ryuk" ransomware, may have entered the network of the MTSA facility via an email phishing campaign." The Ryuk encryption reached systems involved in the control and monitoring of many operations, which were shut down. Kiguolis reports that cyber-security risk management and breach mitigation measures were implemented that helped to reduce the damage, including:
- consistent backups of all files;
- up-to-date IT and OT network diagrams;
- network segmentation to prevent IT systems from accessing the OT environment;
- centralised and monitored host and server logging;
- industry-standard and up-to-date virus detection software;
- intrusion detection and intrusion prevention system monitoring real-time network traffic.
Commenting on the attack in an email to SC Media UK, Jonathan Miles, head of strategic intelligence and security research at Mimecast, said: "Regardless of who you are and despite all the security infrastructure in place, if a malicious link gets through the lines of defence, human curiosity, and error, will still remain a consistent threat to any organisation. Criminal entities will always rely on compliance by subordinates to enact a superior’s direction. This is likely considered more pertinent within a uniformed organisation, where rank plays a pivotal role and individuals rarely question direction or orders."
"This incident, although exact details are not known, highlights the importance of separating mission critical and sensitive domains from those that have open internet and email access. Even in transferring data from one system to another, USB’s or any removable transfer media should be passed through a standalone ‘sheep dip’ terminal to check data. Despite that, if a malicious link is executed, an organisation will likely be locked down by the ransomware enacted."
Kelvin Murray, senior threat researcher at Webroot, noted: "This attack shows how brazen modern ransomware gangs are and how little they fear facing justice. The Coast Guard (USCG) joins a long list of US government ransomware victims of 2019, including police and city municipalities. We expect these types of attacks to continue as they make millions for the gangs involved. One worry is the recent trend for attackers stealing data before they encrypt it, so the possibility of sensitive data being exfiltrated and used for extortion or breach purposes should not be ruled out. Email filtering, staff education, proper password policy, backups and antivirus are some of the main steps involved in preventing these attacks."
Looking back on how this follows a trend from last year, Stuart Reed, VP cyber at Nominet, notes: "Ransomware was one of the most disruptive forms of cyberattack in 2019 and it seems that this will continue to be the case in 2020. With countless emails and links being sent across the network it is no small task to mitigate the risk of employees falling victim to an attack, and reminds us of the importance of a layered approach to security. While access control should limit the path of an attacker and robust backups can restore systems as soon as possible, it is also important to have broad visibility of the network to identify and eliminate an attack quickly. Technical protection and defence must dovetail with business processes; ensuring employees are educated to become a strong line of defence, while a rock-solid incident response plan can deliver a swift recovery.
"Critical services and infrastructure will continue to be targeted by cyber criminals and it’s only with partnerships between security experts, risk specialists and those responsible for the build and protection of these highly important assets that we will be able to improve our overall security posture against attackers."
Miles concludes, "Security is not just an organisational responsibility, it is everyone’s. We all play a part in maintaining an effective security posture, protecting ourselves and organisations from those intent on causing damage and disruption. Organisations and the leadership within need to take on the responsibility for training all staff as to the threats applicable, and how to defend against them."