Transportation companies provide critical functions in shipping products and carrying people to their destinations. Encompassing both transport and logistics companies, the transportation sector is at a high risk of exposure to ransomware attacks that can disrupt services or even endanger peoples’ welfare. This article examines the current state of ransomware in transportation.

Why the Transportation Industry Is Susceptible to Ransomware

Transportation spans aviation, maritime, and ground services, and operators of all types of service are at risk of ransomware attacks. Three features of transportation make this sector attractive to threat actors:

• The interconnected nature of transport services provides many different possible points of attack.
• The knock-on effects of ransomware in transport can damage supply chains for many businesses, thereby increasing the likelihood of successful attackers getting a payday.
• The critical societal function of transport gives state-sponsored actors the opportunity to wreak havoc in another country.

As far as the numbers go, data is not widely available about typical ransom demands resulting from successful attacks on transport service providers. The most recent general trends showed a median ransom of $47,008.

Recent Ransomware Attacks in Transportation

Transport operators tend to take cybersecurity seriously but attacks still occur with regularity. Threat actors operating ransom-as-a-service programs, lone wolf operators, or state-sponsored groups infiltrate networks and install malware that encrypts important files and systems. Here are some recent ransomware attacks in the transport sector.

Steamship Authority: June 2021

The Steamship Authority of Massachusetts operates ferry services between destinations that include Cape Cod, Nantucket, and Martha’s Vineyard. In June 2021, the company became the victim of a ransomware attack that impacted operations. Tweets from the Steamship Authority’s official account mentioned that customers traveling by ferry could expect some delays to services.

The ransomware didn’t impact important technology used to ensure the safety of ferry transport services, but the constant worry within the sector is that safety compromise could happen one day. A ransomware attack could feasibly impact radar technology for maritime services or air traffic control for aviation, posing significant safety threats to passengers.

Merseyrail: April 2021

Merseyrail operates an urban rail network for customers in the Liverpool area of England. In April 2021, the disclosure of this attack was made public by the perpetrators, who emailed journalists and employees from a privileged Office 365 email account within the Merseyrail network.

According to the email’s subject line, the ransomware strain in question was LockBit. This type of ransomware rapidly propagates through networks and infects multiple other host systems from an initial point of compromise. It appears the Merseyrail attack began with compromising a single privileged account credential either through phishing or brute force methods.

OmniTRAX: January 2021

OmniTRAX operates short rail line services in Colorado. In January 2021, reports emerged in the media that the company was successfully targeted by the Conti ransomware gang. The attack used a double extortion tactic to first exfiltrate data and then lock systems down before demanding a ransom payment.

OmniTRAX decided to take the advice of federal bodies such as the CISA and not pay the ransom. The result was that approximately 70 gigabytes of internal OmniTRAX documents were leaked online. This incident did not result in any disruptions to OmniTRAX operations.

Forward Air: December 2020

Forward Air is a trucking and freight logistics company that provides nationwide coverage for ground transportation in the United States. In December 2020, the company was hit by a ransomware attack by a new strain of ransomware dubbed Hades. The unknown group behind Hades ransomware has targeted several companies using common initial attack vectors such as malware delivered via Google Chrome updates and credential access via VPN connections.

Forward Air did not pay the undoubtedly hefty ransom demanded to return access to compromised systems. The company’s response was to act swiftly and shut down all of their IT systems to contain the attack. The knock-on effects on Forward Air’s operations were so severe that responding to and recovering from the incident cost an estimated $7.5 million. Truck drivers couldn’t access important documents to get clearance for goods through US customs and backlogs ensued.

STM Montreal: October 2020

An October 2020 ransomware attack on Montreal’s STM public transport system resulted in a ransom demand of $2.8 million. Montreal STM decided not to pay the ransom and instead focused on rapid response to the attack. According to a public statement in the wake of a full cyber incident investigation, the organization was able to restore 600 critical servers that were affected by the ransomware attack.

The cost of restoring the servers was estimated at close to $2 million. Bus and Metro services in Montreal weren’t impacted by the attack, although the STM website stayed offline for several days. Personal information about 24 employees and 72 customers were apparently accessed in the attack, but the sensitivity of that information was limited to names and email addresses.

Dealing with Ransomware: Best Practices

The following are some best practices for dealing with the pervasive threat of ransomware:

• Understand that prevention is easier and cheaper than the cure. This means investing in resources and solutions that specifically help combat ransomware before it can cause devastating effects on your IT operations. Advanced email security solutions can protect against suspicious emails while investments in staff awareness and training can reinforce safer cybersecurity practices.
• Get the basics right. Investing in basic technical measures, such as network segmentation, endpoint defense solutions, and patch management software can go a long way towards stopping ransomware attacks in their tracks.
• Have a backup and recovery strategy. The critical nature of transport services calls for a dedicated strategy to rapidly restore encrypted data and systems. If ransomware locks down critical servers and data, it’s vital to be able to restore these systems using saved images, cloud infrastructure, and data backup sources.
• Respond swiftly. The impact of several of the aforementioned ransomware attacks was minimized due to a swift response strategy conducted by the victims. Specialized incident response teams can prove an invaluable investment during a time of crisis. Being able to contain an attack at speed and limit its damage on crucial transport services reduces the consequences of successful attacks.

Threat actors will continue to target companies in the transportation sector over the coming years. It is important for organizations in this sector to stay vigilant and take the threat of ransomware very seriously.

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today .