It was a typical start to the workday for John*, the Electronic Technical Officer (ETO) for a 119m yacht supported by Great Circle Systems. One of John’s daily tasks (tracked in Triton Administrator) is to check email traffic on the vessel’s Exchange server. He quickly noticed that the Exchange server was not responding and would not restart. When John attempted to open the server console, an error message appeared: “MMC could not create the snap-in. The snap-in might not have been installed correctly.” A list of Unhandled Exceptions followed, meaning the system could not find the files or assemblies listed.
John then discovered that most of the Exchange automatic services were not running, and various errors were generated when he attempted to start them manually. Nothing obvious appeared wrong with the server itself; Outlook simply reported that it was trying to connect. But when he opened the Event Viewer he found the same error repeating over and over: “Cannot read configuration file”. Following standard procedure, John restarted the server to clear the problem, but it returned. He then installed all pending updates, shut the server down again, checked it physically and restarted it, but the issue persisted.
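A daily health check of the kind John was performing can be scripted so that the two symptoms above (Exchange services not running and a repeating configuration error) are surfaced before a restart is attempted. This is an added example, not code from the article or from GCS; the event-message pattern, the one-hour window and the error threshold are assumptions, and the `StartType` property requires Windows PowerShell 5 or later.

```powershell
# Added example (not from the article or GCS): a quick Exchange health check.
# It lists Exchange services set to Automatic that are not running, and counts
# recent Application-log events matching the error John saw in Event Viewer.
# The pattern, the window and the threshold below are assumptions for illustration.

$pattern   = 'Cannot read configuration file'
$since     = (Get-Date).AddHours(-1)
$threshold = 5

# 1. Exchange services that should be running but are not
$stopped = Get-Service -Name 'MSExchange*' |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }

# 2. Repeated configuration-read failures in the Application log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $since } `
            -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

$report = [pscustomobject]@{
    StoppedAutoServices  = @($stopped).Count
    ConfigErrorsLastHour = @($events).Count
    Checked              = Get-Date
}
$report

# A restart did not clear the problem in John's case, so escalate instead of rebooting.
if ($report.StoppedAutoServices -gt 0 -or $report.ConfigErrorsLastHour -gt $threshold) {
    Write-Warning 'Exchange health check failed; preserve logs and escalate to support before restarting.'
    $stopped | Format-Table Name, StartType, Status -AutoSize
    $events  | Select-Object -First 5 TimeCreated, ProviderName, Id | Format-Table -AutoSize
}
```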
By now it was becoming clear that this was no ordinary computer glitch. John contacted GCS to outline the issue and start looking for answers. Using remote access, GCS searched with John and soon found that the problems were expanding – Shadowprotect, which provides backup and disaster recovery, data protection, and managed system migration for Windows systems had disappeared, and the server was no longer listed in the Symantec server list.
The dreaded answer to what was going on was revealed in the error logs. When John tried to locate the files listed in the error logs, he discovered they had been replaced with garbled file names or with a file called "read me to decrypt your informa". Opening it produced a Notepad file containing the ransom demand.
Ransomware attack confirmed – now what?
Ransomware is a type of malware that infects a device, then blocks access to it or to some or all of the information stored on it. To unlock either the device or the data, the user is required to pay a ransom, usually in Bitcoin. The term ransomware covers two types of malware: “Windows blockers” (which lock the operating system or browser behind a pop-up window) and “encryption ransomware”. The term also includes some Trojan-Downloaders, namely those that download encryption ransomware once a machine is infected.
In 2015, online criminals used ransomware attacks to extort around $50 million USD from victims. Many people think ransomware is directed at big companies, encrypting their data for a big payout in Bitcoin. However, in 2016 these attacks exploded, taking in up to $1 billion USD according to the FBI. The criminals have cast a wider net, and they do not discriminate between businesses and consumers. Even with firewalls and anti-virus software, private superyachts, with rotating crew and guests, are especially vulnerable to unwittingly opening the gates for a cyber-attack.
Darren Mayhead, CEO of GCS, outlines the threat:
“Typically, ransomware infections occur by way of a drive-by; a crew member or guest is surfing web pages that may be dodgy to begin with, or some that are very popular. You want to view something, but a message says you don’t have the correct player, or something similar. The pop-up message offers a link to download the player, and the rest is history. Alternatively, crew or guests may open an attachment from a disguised source – but the result is the same – you’re locked out.”
If you have a large number of users (guests and crew) and downtime runs into multiple days, then the cost of that downtime adds up pretty quickly to the kind of ransom amounts that cybercriminals are demanding. Unfortunately for private yachts, they’re vulnerable to those losses whether or not a vessel has taken precautions to back up its data.
In an article published under Tech News on Blackmenrise.org, Richard Walters, senior vice president of security products at Intermedia, states:
“You have to contain the infected systems, then wipe them completely and then restore them,” explained Walters. “That process in more than half these cases took longer than two days.”
For this exact reason, many captains and management companies take their chances and pay the ransom, especially if they don’t want to let the owner know their network has been compromised.
“If you pay the ransom, there’s a one in five chance you won’t get your data back,” explained Walters. “There are much worse odds.”
Outsmarting the Criminals
Fortunately for John’s vessel, GCS has been the IT provider since the boat launched from Blohm + Voss in 2008. Over the years the yacht has retained GCS to install upgrades, keeping the IT network up to date, and provide ongoing technical support for 40 crew. About 18 months ago GCS took all the machines on the vessel’s network and re-routed them to a VM host, creating a virtualized environment. This provides a greater level of protection and isolation.
Once the problem was correctly identified, GCS technicians worked through remote access to restore the server and replaced the database with the virtualized copy, so nothing was lost and the ransomware threat was removed. Replacement was preferred to repair because the database and log files were mismatched, and a failed repair risked losing the database and having to start the process all over again. Microsoft does provide built-in tools (eseutil/isinteg) for repairing the log files and database files of Exchange Server. However, while these tools are readily available, they each have different purposes and switches, and unless you are absolutely certain of the nature of the problem and which switch resolves it, they can cause permanent damage to your databases, forcing you to restore from backup or create new databases.
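Before choosing between repair and restore, the state of the database header can be inspected without changing anything. This is an added example, not code from the article or from GCS; it uses the read-only `eseutil /mh` mode, the database path is a placeholder, and the database must be dismounted for the header to be readable.

```powershell
# Added example (not from the article or GCS): read-only inspection of an Exchange
# database header with eseutil /mh before deciding between repair and restore.
# /mh only reads the header; it never modifies the database or its log files.
# Placeholder path; the database must be dismounted for eseutil to open the file.
$db = 'D:\ExchangeDatabases\DB01\DB01.edb'

# Pull one "Name: value" field out of the eseutil /mh output
function Get-HeaderField {
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(.+)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
}

$header = & eseutil /mh $db 2>&1 | ForEach-Object { "$_" }
$state  = Get-HeaderField -Lines $header -Name 'State'
$logReq = Get-HeaderField -Lines $header -Name 'Log Required'

[pscustomobject]@{ Database = $db; State = $state; LogRequired = $logReq }

# "Dirty Shutdown" means the database still needs log files to be consistent; if those
# logs are missing or mismatched, a repair switch is the wrong first move.
if ($state -ne 'Clean Shutdown') {
    Write-Warning "Database state is '$state' and it requires logs $logReq; restore a known-good copy rather than running a repair switch."
}
```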
Although it took a day to stabilize and another two to fully complete the low-level cleanup, John’s vessel successfully avoided paying ransomware criminals and saved 10 years of data from corruption. The weak point was finally identified in the AV (audio-visual) system, which was not covered by the GCS support contract. GCS quickly recommended installing anti-malware software and Kaspersky anti-virus on the AV server to correct the oversight.
This vessel had taken the time and investment to prepare. And although a yacht the size of John’s can afford a full time ETO, even then it required the combined efforts of the GCS support team and John’s expertise to thwart the attack.
Great Circle Systems can prevent and neutralize threats to your vessel’s computer systems
Any yacht with Internet access and an onboard network is vulnerable to ransomware attacks. And with overlapping networks like AV, communications, navigation, lighting, and CCTV, even the biggest boats can overlook security measures when multiple vendors are responsible for separate systems. Without ongoing training and awareness, all it takes is one crew member or guest to click on something that seems innocuous, and it infects your server and freezes up your system.
Great Circle Systems has the tools, virtualized environment, and expertise to prevent and neutralize threats to your vessel’s computer systems. If you would like an assessment of your network’s security and how to protect it from ransomware attacks, contact GCS to schedule an appointment. No matter where your yacht is located, with your permission GCS can set up remote access and review your vessel’s security measures.
With the right IT support and ongoing crew training, you can prevent your yacht from becoming the next victim in the billion dollar ransomware crime wave.