Transportation companies provide critical functions, shipping goods and carrying people to their destinations. Encompassing both transport and logistics companies, the transportation sector is at high risk from ransomware attacks that can disrupt services or even endanger people's welfare. This article examines the current state of ransomware in transportation.
Transportation spans aviation, maritime, and ground services, and operators of all types of service are at risk of ransomware attacks. Three features of transportation make this sector attractive to threat actors:
Data about typical ransom demands following successful attacks on transport service providers is not widely available. The most recent general, cross-sector trend data showed a median ransom of $47,008.
Transport operators tend to take cybersecurity seriously, but attacks still occur regularly. Threat actors running ransomware-as-a-service (RaaS) programs, lone operators, and state-sponsored groups infiltrate networks and deploy malware that encrypts important files and systems. Here are some recent ransomware attacks in the transport sector.
Steamship Authority: June 2021
The Steamship Authority of Massachusetts operates ferry services between destinations that include Cape Cod, Nantucket, and Martha's Vineyard. In June 2021, it became the victim of a ransomware attack that affected operations; tweets from the Steamship Authority's official account warned customers travelling by ferry to expect some delays.
The ransomware did not affect the technology that ensures the safety of ferry services, but the constant worry across the sector is that a safety compromise could happen one day. A ransomware attack could feasibly hit radar systems used in maritime services or air traffic control in aviation, posing a significant safety threat to passengers.
Merseyrail: April 2021
Merseyrail operates an urban rail network in the Liverpool area of England. In April 2021, the attack was made public not by Merseyrail but by the perpetrators, who emailed journalists and employees from a privileged Office 365 account within the Merseyrail network.
According to the email's subject line, the ransomware strain was LockBit. Once inside a network, LockBit propagates rapidly from the initial point of compromise and infects other hosts. The Merseyrail attack appears to have begun with the compromise of a single privileged account credential, through either phishing or brute-force password guessing.
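The brute-force route mentioned above leaves a distinctive trail in cloud sign-in logs: a burst of failures on one account followed by a success, or a single source IP spreading a few guesses across many accounts to stay under lockout limits (password spraying). The following Python is an added example, not code from the original article or from IRONSCALES, showing both detections run over constructed sign-in records. The field names (`ts`, `user`, `ip`, `result`), the `PRIVILEGED_ACCOUNTS` set, and the thresholds are assumptions; real Office 365 sign-in logs carry different field names and would be mapped onto these first.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records; none of this is Merseyrail data. The field
# names loosely mirror cloud sign-in logs but are an assumption for this example.
SAMPLE_SIGNINS = """
{"ts": "2021-04-17T02:00:05Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-04-17T02:00:20Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-04-17T02:00:41Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-04-17T02:01:03Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-04-17T02:01:25Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-04-17T02:01:48Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2021-04-17T02:02:10Z", "user": "director@example.invalid", "ip": "203.0.113.7", "result": "success"}
{"ts": "2021-04-17T03:10:00Z", "user": "bob@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:10:30Z", "user": "carol@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:11:00Z", "user": "dave@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:11:30Z", "user": "erin@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:12:00Z", "user": "frank@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:12:30Z", "user": "grace@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:13:00Z", "user": "heidi@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T03:13:30Z", "user": "ivan@example.invalid", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2021-04-17T08:15:00Z", "user": "alice@example.invalid", "ip": "10.0.0.5", "result": "failure"}
{"ts": "2021-04-17T08:15:30Z", "user": "alice@example.invalid", "ip": "10.0.0.5", "result": "success"}
"""

# Assumed list of privileged accounts; in practice derived from directory role membership.
PRIVILEGED_ACCOUNTS = {"director@example.invalid", "itadmin@example.invalid"}
WINDOW = timedelta(minutes=10)


def _ts(record):
    """Parse the ISO-8601 'Z' timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(record["ts"].replace("Z", "+00:00"))


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records and return them oldest first."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(records, key=_ts)


def detect_bruteforce(records, fail_threshold=5, window=WINDOW, privileged=PRIVILEGED_ACCOUNTS):
    """Flag a success preceded by at least fail_threshold failures for the same
    user/IP pair inside the window. Hits on privileged accounts are escalated."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["user"], r["ip"])].append(r)
    alerts = []
    for (user, ip), recs in by_pair.items():
        recent_failures = []
        for r in recs:
            now = _ts(r)
            # Keep only failures that fall inside the sliding window.
            recent_failures = [t for t in recent_failures if now - t <= window]
            if r["result"] == "failure":
                recent_failures.append(now)
            elif r["result"] == "success" and len(recent_failures) >= fail_threshold:
                alerts.append({
                    "user": user, "ip": ip, "failures": len(recent_failures),
                    "success_ts": r["ts"],
                    "severity": "critical" if user in privileged else "high",
                })
                recent_failures = []
    return alerts


def detect_spray(records, user_threshold=5, window=WINDOW):
    """Flag a source IP whose failures cover at least user_threshold distinct
    accounts inside the window. A spray never trips per-account counters, so
    the brute-force rule above would miss it."""
    failures_by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "failure":
            failures_by_ip[r["ip"]].append((_ts(r), r["user"]))
    alerts = []
    for ip, fails in failures_by_ip.items():
        peak = 0
        for end_ts, _ in fails:
            users = {u for t, u in fails if end_ts - window <= t <= end_ts}
            peak = max(peak, len(users))
        if peak >= user_threshold:
            alerts.append({"ip": ip, "distinct_users": peak})
    return alerts


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    for alert in detect_bruteforce(recs) + detect_spray(recs):
        print(alert)
```

On the sample data the director account is flagged as critical (six failures, then a success, from one IP) and the second IP is flagged as a spray across eight accounts, while the single mistyped password on the alice account raises nothing. A phished credential, the other initial-access route named above, produces a clean first-attempt success and is invisible to both rules; that case needs sign-in anomaly checks (new device, impossible travel) and multi-factor authentication rather than failure counting.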
OmniTRAX: January 2021
OmniTRAX operates short-line rail services in Colorado. In January 2021, media reports emerged that the company had been successfully targeted by the Conti ransomware gang. The attack used double extortion: data was first exfiltrated, then systems were locked down, and a ransom was demanded.
OmniTRAX took the advice of federal bodies such as CISA and did not pay the ransom. As a result, approximately 70 gigabytes of internal OmniTRAX documents were leaked online. The incident did not disrupt OmniTRAX operations.
Forward Air: December 2020
Forward Air is a trucking and freight logistics company with nationwide ground-transportation coverage in the United States. In December 2020, the company was hit by a new ransomware strain dubbed Hades. The unidentified group behind Hades has targeted several companies using common initial-access vectors: malware delivered through fake Google Chrome update lures, and access obtained with compromised VPN credentials.
Forward Air did not pay the ransom demanded for the return of access to compromised systems. Its response was to shut down its IT systems quickly to contain the attack. The knock-on effects on operations were severe: responding to and recovering from the incident cost an estimated $7.5 million, and because truck drivers could not access the documents needed to clear goods through US customs, backlogs ensued.
STM Montreal: October 2020
An October 2020 ransomware attack on Montreal's STM public transport system came with a ransom demand of $2.8 million. STM declined to pay and instead focused on rapid response. According to a public statement issued after a full cyber incident investigation, the organization restored 600 critical servers affected by the attack.
The cost of restoring the servers was estimated at close to $2 million. Bus and Metro services in Montreal were not affected, although the STM website stayed offline for several days. Personal information about 24 employees and 72 customers was apparently accessed, but it was limited to names and email addresses.
The following are some best practices for dealing with the pervasive threat of ransomware:
Threat actors will continue to target companies in the transportation sector over the coming years. Organizations in this sector must stay vigilant and take the threat of ransomware seriously.
To learn more about IRONSCALES' award-winning anti-phishing solution, please sign up for a demo today.