Ransomware represents a major threat to the maritime industry

Corey Ranslem, CEO of Dryad Global, on why the superyacht industry should be paying attention to the escalating sophistication of hackers’ operations…

Ransomware attacks continue to be the most common cyber attacks globally and the recovery time from one can mean the difference between a bump in the road or a significant setback for business.

Over the Easter holiday large parts of Lürssen’s operations came to a standstill due to a ransomware attack, according to the German news outlet Buten un Binnen. It was reported in early April that the Lürssen-Kröger shipyard, located in Schleswig Holstein, was one of the few parts of the company that kept producing. A company spokesperson from Lürssen said: “In coordination with internal and external experts, we immediately initiated all necessary protective measures and informed the responsible authorities.”

While ransomware has been around since the 1980s, the dwell time, or the time it takes for a threat actor to be in the system, is decreasing rapidly. This trend is worrying because it indicates that ransomware attacks are becoming more efficient.

The first known instance of a ransomware attack happened in 1989, in which an evolutionary biologist named Joseph Popp, having been rejected from the World Health Organisation, got revenge by distributing 20,000 floppy disks containing a computer virus disguised as a medical survey to researchers in 90 countries. Victims had to send $189 to a P.O. box in Panama to restore access to their systems.

This more traditional sort of ransomware attack relies on little understanding of how PCs operate as it triggers a message informing the unsuspecting user that their computer will not continue to operate until a certain amount (typically less that $100) is provided. Today’s attacks have much more dire consequences as hackers will hold files hostage by encrypting them until the victim pays up, usually with cryptocurrency.

Corey Ranslem, CEO of Dryad Global, says that “We are expecting a substantial escalation of cyber attacks within the maritime industry against both vessels and maritime-related businesses. Most smaller businesses and vessels don’t have some of the basic protections in place.”

Ranslem highlights the decrease in the time it takes for a company’s internal system to be attacked from the moment it is compromised. He says that the dwell time had decreased from 277 to 4.5 days over the past five years, while the recovery time for a business on average, once an attack has been launched, to get back to full business recovery is 270 days.

The imbalance in the progress of hackers’ dwell time vs company’s recovery time from a cyber attack indicates that most businesses are not prepared for the apparent escalation in the sophistication of attacks. Ranslem points out that hacking organisations now operate just like companies.

“They have offices, they have HR departments, they have payroll departments. So they’re trying to get as much financial gain as possible for the least amount of expense output as possible.”

Corey Ranslem, Dryad Global CEO

Cyber security experts believe recovering from a cyber attack could cost a company up to 10 times more if they are not well protected. This includes operational costs where hardware has been compromised.

According to Ranslem, one of the most common attacks Dryad Global has seen in maritime is referred to as ‘a man in the middle’, typically a compromised email to divert a financial payment into the hacker’s account. However, the most widespread type of cyber attack globally is ransomware.

Ranslem explains that cyber attacks put even some of the biggest companies out of business if they are not prepared for it or don’t have a recovery plan in place. However, he does not advise paying the ransom: “You'd have no idea where that money is going, you have no idea if and what type of data you're going to get back.” In fact, he says, most of the time the targeted company will not get their data back or it may be incomplete. In the worst-case scenario, the system will continue to not operate as the ransomware stays on even after the ransom has been paid.

Asked about Dryad Global’s own tactics, techniques and procedures (TTPs), Ranslem speaks about systematic behaviour by looking for cause and effect to identify patterns. With this approach, instead of studying vulnerabilities, behaviours are analysed in order learn how malicious actors operate and gather data. Ranslem says that when malware gets into the system it behaves in a way that is not normal and thus can be identified immediately. This way, a company need not be worried about a zero-day vulnerability being discovered. Vulnerabilities referred to as zero-day are those that are unknown to vendor.

Ranslem explains that his company collects data specific to the maritime industry every time they conduct a vulnerability assessment. “We have a couple [of] different partners we are working with who have advanced this technology. We are now working to bring it to the maritime industry.” He says that the system will provide the best protection whether the boat has a satellite/internet connection or not.

While the human element is perhaps the first issue that may come to mind when identifying holes in cybersecurity, Ranslem explains that it must not be overlooked. Most of us are transparent with our personal information online, particularly on social media. He emphasises how easy it is to figure out who the crew are on a specific vessel.

It only takes a scroll through crews’ Instagram accounts to be able to penetrate a yacht’s network to get access to information. Illustrating how ridiculously easy it is to discover and deploy personal data, Ranslem recommends changing those challenge questions we get on our banking apps to something that is completely random. If the question is what is your favourite colour, Ranslem advises the answer to be something like ‘octopus’.

So what can individual businesses do to become more robust against ransomware? Ranslem advises an outside third party who knows nothing about the system conducts a survey to identify its weak points at least once a year.

When starting out on the journey to greater cyber security, he says, the best course of action begins with finding a trusted partner and a company that understands the maritime industry. “Providing cyber plans and mitigation for boats is very different than providing for a bank, hospital, government or an office building. There are some major differences between each, so you really want to look at a cyber company that has maritime expertise.”

Source: Superyacht News