The Yacht Technology Blog

When Ransomware Targets Your Yacht: A case study

Posted by Steve Kahlich on Mar 24, 2017 11:28:04 PM


It was a typical start to the workday for John*, the Electronic Technical Officer (ETO) for a 119m yacht supported by Great Circle Systems. One of John’s daily tasks (tracked in Triton Administrator) is to check email traffic on the vessel’s Exchange server. He quickly noticed that the Exchange server was not responding and would not restart. When John attempted to open the server console, an error message appeared: “MMC could not create the snap-in. The snap-in might not have been installed correctly.” A list of unhandled exceptions followed, meaning the system could not find the files or assemblies listed.


Then John discovered that most of the Exchange automatic services were not running, and various errors were generated when he attempted to start them manually. Nothing appeared to be physically wrong with the server; Outlook simply stated that it was trying to connect. But when he opened the Event Viewer he found a common error popping up over and over: “Cannot read configuration file”. Following standard procedure, John restarted the server to clear the problem, but it returned. He then installed any pending updates, shut the server down again and checked it physically before restarting, but the issue persisted.

By now it was becoming clear that this was no ordinary computer glitch. John contacted GCS to outline the issue and start looking for answers. Using remote access, GCS searched with John and soon found that the problems were expanding – ShadowProtect, which provides backup and disaster recovery, data protection, and managed system migration for Windows systems, had disappeared, and the server was no longer listed in the Symantec server list.


The dreaded answer to what was going on was revealed in the error logs. After attempting to find the files listed in the error logs, John discovered they had been replaced by files with garbled names, or else named “read me to decrypt your informa”, which opened a ransom note in Notepad.

Ransomware attack confirmed – now what?

Ransomware is a type of malware that infects a device, then blocks access to it or to some or all of the information stored on it. To unlock either the device or the data, the user is required to pay a ransom, usually in Bitcoin. The term ransomware covers two types of malware: “Windows blockers” (which block the operating system or browser with a pop-up window) and “encryption ransomware”. The term also includes some Trojan-Downloaders, namely those that tend to download encryption ransomware once they have infected a machine.

In 2015, online criminals used ransomware attacks to extort around $50 million USD from victims. Many people think ransomware is directed at big companies, encrypting their data for a big payout in Bitcoin. However, in 2016 these attacks exploded, taking in up to $1 billion USD according to the FBI. The criminals have cast a wider net, and they do not discriminate between businesses and consumers. Even with firewalls and anti-virus software, private superyachts, with rotating crew and guests, are especially vulnerable to unwittingly opening the gates for a cyber-attack.

Darren Mayhead, CEO of GCS, outlines the threat:

“Typically, ransomware infections occur by way of a drive-by; a crew member or guest is surfing web pages that may be dodgy to begin with, or some that are very popular. You want to view something, but a message says you don’t have the correct player, or something similar. The pop-up message offers a link to download the player, and the rest is history. Alternatively, crew or guests may open an attachment from a disguised source – but the result is the same – you’re locked out.”

Spearphishing your email

If you have a large number of users (guests and crew) and downtime runs into multiple days, then the cost of that downtime adds up pretty quickly to the kind of ransom amounts that cybercriminals are demanding. Unfortunately for private yachts, they’re vulnerable to those losses whether or not a vessel has taken precautions to back up its data.

In an article published under Tech News on Blackmenrise.org, Richard Walters, senior vice president of security products at Intermedia, states:

“You have to contain the infected systems, then wipe them completely and then restore them,” explained Walters. “That process in more than half these cases took longer than two days.”

For this exact reason, many captains and management companies take their chances and pay the ransom, especially if they don’t want to let the owner know their network has been compromised.

“If you pay the ransom, there’s a one in five chance you won’t get your data back,” explained Walters. “There are much worse odds.”

Outsmarting the Criminals

Fortunately for John’s vessel, GCS has been the IT provider since the boat launched from Blohm + Voss in 2008. Over the years the yacht has retained GCS to install upgrades, keeping the IT network up to date, and provide ongoing technical support for 40 crew. About 18 months ago GCS took all the machines on the vessel’s network and re-routed them to a VM host, creating a virtualized environment. This provides a greater level of protection and isolation.


Once the problem was correctly identified, GCS technicians worked through remote access to restore the server and replaced the database with the virtualized copy, so nothing was lost and the ransomware threat was removed. Replacement was preferred to repair because the database and log files were mismatched, and a repair attempt risked losing the database and having to start the process all over again. Microsoft does provide built-in tools (eseutil/isinteg) for repairing the log files and database files of Exchange Server. However, while these tools are readily available, they each have different purposes and switches, and unless you are absolutely certain of the nature of the problem and which switch to use to resolve the issue, they can cause permanent damage to your databases, forcing you to restore and/or create new databases.
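As an added illustration of that restore-or-repair decision (my own example, not GCS’s procedure or code from this post): the script below parses the State and Log Required lines that eseutil /mh prints in an Exchange database header, checks whether every required transaction log generation is actually present on disk, and only then allows a soft recovery; otherwise it recommends restoring from backup rather than attempting a hard repair. The header text is a constructed sample, and the E00 log prefix is an assumption.

```python
import re
from pathlib import Path

# Constructed sample of the header block printed by `eseutil /mh <db>.edb`
# (not captured from the vessel); only the two lines this triage reads are kept.
SAMPLE_HEADER_DIRTY = (
    "        State: Dirty Shutdown\n"
    "        Log Required: 4120-4127 (0x1018-0x101f)\n"
)
SAMPLE_HEADER_CLEAN = (
    "        State: Clean Shutdown\n"
    "        Log Required: 0-0 (0x0-0x0)\n"
)


def parse_header(text):
    """Return (state, (first_required_log, last_required_log)) from eseutil /mh output."""
    state = re.search(r"^\s*State:\s*(.+?)\s*$", text, re.M)
    logs = re.search(r"^\s*Log Required:\s*(\d+)-(\d+)", text, re.M)
    if not state or not logs:
        raise ValueError("State / Log Required lines not found in header")
    return state.group(1), (int(logs.group(1)), int(logs.group(2)))


def log_generations(log_dir, prefix="E00"):
    """Collect generation numbers from log names such as E000000001018.log (hex suffix)."""
    gens = set()
    for p in Path(log_dir).glob(f"{prefix}*.log"):
        suffix = p.stem[len(prefix):]
        if suffix and all(c in "0123456789abcdefABCDEF" for c in suffix):
            gens.add(int(suffix, 16))
    return gens


def triage(header_text, present_generations):
    """Decide the safe next step: mount, soft recovery, or restore from backup."""
    state, (lo, hi) = parse_header(header_text)
    if state == "Clean Shutdown":
        return "mount"                      # nothing to replay
    required = set(range(lo, hi + 1)) if hi else set()
    missing = sorted(required - set(present_generations))
    if not missing:
        return "soft-recovery"              # eseutil /r can replay every needed log
    # Database and logs are mismatched: a hard repair (/p) discards data,
    # so restore a known-good copy instead, as was done in this case.
    return "restore-from-backup"
```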


Although it took a day to stabilize and another two to fully complete the low-level cleanup, John’s vessel successfully avoided paying money to ransomware criminals and saved 10 years of data from corruption. The weak point was finally identified in the AV (audio-visual) system, which was not covered by the GCS support contract. GCS quickly recommended installing anti-malware software and Kaspersky anti-virus on the AV server to correct the oversight.

This vessel had taken the time and investment to prepare. And although a yacht the size of John’s can afford a full time ETO, even then it required the combined efforts of the GCS support team and John’s expertise to thwart the attack.

Great Circle Systems can prevent and neutralize threats to your vessel’s computer systems

Any yacht with Internet access and an onboard network is vulnerable to ransomware attacks. And with overlapping networks like AV, communications, navigation, lighting, and CCTV, even the biggest boats can overlook security measures when multiple vendors are responsible for separate systems. Without ongoing training and awareness, all it takes is one crew member or guest to click on something that seems innocuous, and it infects your server and freezes up your system.


Great Circle Systems has the tools, virtualized environment, and expertise to prevent and neutralize threats to your vessel’s computer systems. If you would like an assessment of your network’s security and how to protect it from ransomware attacks, contact GCS to schedule an appointment. No matter where your yacht is located, with your permission GCS can set up remote access and review your vessel’s security measures.

With the right IT support and ongoing crew training, you can prevent your yacht from becoming the next victim in the billion-dollar ransomware crime wave.


*The ETO’s name has been changed to respect the vessel’s privacy policy.

Topics: yacht network design, yacht computers, vessel remote support, Ransomware, cyber attack
