Ransomware Trends In The Aviation & Maritime Industries

The latest analysis carried out by by the security assessment and penetration testing experts at Jumpsec examines the reasons why ransomware attacks are on the rise in the aviation and maritime sectors. 

Aviation organisations in particular are experiencing increased levels of ransomware activity.  

In comparison to the 13% jump in total UK attack figures across all sectors from 2021 to 2022, European-wide reported ransomware attacks against the aviation sector rose between January 2021 and October 2022, constituting some 40% of all attacks in the sector, while attacker-reported ransomware incidents against European aviation organisations increased by over 200% in 2022.

But why such a large rise in attacks on this specific sector? Primarily, transport sector organisations have a distinctive profile from an attacker’s perspective, making them a lucrative prospect.

Cyber criminals know transport sector attacks have a high impact. The potential to cause serious business interruption for transport sector organisations is immense - making airports, shipping ports, rail operators and logistics companies prime ransomware targets.

This stands in stark contrast to other sectors, like construction, which attackers may find easy to breach but potentially difficult to extort, due to the inability to cause meaningful disruption. 

The transport sector also offers an extensive attack surface - transport and logistics organisations are highly dependent on supply chain integration and play a key role within the end-to-end value chain. They also use specific technical equipment like satellite communication and IoT technologies, increasing potential attack vectors leveraged by cyber criminals. Jumpsec has observed instances where interconnected shipping organisations were breached concurrently, illustrating the scope of supply chain risks to transport and logistics organisations. 

What’s more, cunning cyber criminals often capitalise on existing disruption. They strike at disrupted organisations to add to the chaos and maximise extortion potential.

Overall shipping and delivery times have risen, as capacity decreased by an estimated 10-15% globally in 2022 and the container shipping sector is reported to still suffering difficulties as a result if the Covid-19 pandemic.  However, attacker motivations for targeting an airport or shipping facility can be more diverse than simply financial gain, given the strategic geopolitical disruption that can be achieved by nation state threat actors and ecologically or politically motivated disruption caused by hacktivists.

Perhaps the most interesting development is the increase of ransomware attacks in the specific transport sub-sectors  of maritime and aviation.  

Sector-By-Sector Breakdown

The scale and ambition of attackers targeting the transport sector has seen a significant increase from 2021-22. In 2021, a considerable proportion of reported attacks were directed at smaller-sized national motor freight businesses . Jumpsec also observed increased attacks in aerospace, airport authorities, airlines, high-end manufacturers and larger international logistics organisations. 

LockBit ransomware  is one of the most prevalent global threat actor and is responsible for the majority of attacks against European transport organisations, but this varies within some specific sub-sectors such as the maritime, for example. In contrast to other notable attackers of European transport organisations, Lockbit has now claimed 62% of transport sector attacks in Jumpsec's initial ransomware figures for 2023. 

Aviation 

Ransomware trends for European aviation organisations have been broadly similar through 2021, 2022 and 2023 so far. ENISA reports that the highest number of attacks were data-related threats (at 44% of all attacks), followed by ransomware, which constituted 40% of attacks in the period assessed. Most notably, ransomware attacks leapt from 8% of annual attacks in 2021 to 32% in 2022.

In terms of sector-specific threats, airline customer data and original equipment manufacturers (OEM) proprietary information are prime assets targeted by attackers in aviation. Fraudulent website impersonation, particularly of airline companies, also became a significant threat in 2022, while ransomware attacks specifically targeting airports have increased.

  • Attacker-reported ransomware incidents against European aviation organisations increased by over 200% in 2022. Lockbit is marginally the most prevalent threat actor, along with a varied list of other groups similarly targeting the sector. 
  • Airlines experienced notable cyber-attacks and data breaches in 2022, including TAP Portugal, SpiceJet and Pegasus, and aviation technology firm Accelya also had sensitive data leaked by ransomware threat actors. 
  • Swissport International was affected by a severe ransomware attack, causing flight delays. The ransomware group responsible (BlackCat) followed up on their threats by leaking data including sensitive documentation, tax declarations, images of passports and ID cards and the personal information of interviewees. 

Maritime

The maritime sector has produced the most insightful findings and Jumpsec report a notable uptake in attacks in the sector as 2022 progressed. Unexpectedly, given Lockbit’s domination of the ransomware space, the PLAY ransomware group is the most prevalent threat to European maritime organisations. PLAY ransomware disproportionately targets European Maritime sector organisations compared to a generally lower volume of attacks when combining UK and Europe. 

Ransomware is the prime threat to the sector, with data from ENISA suggesting that around 27% of attacks featured ransom demands. Data-related threats and malware made up 20% of attacks on the maritime sector, followed by phishing attacks. 

Attacks in this domain are frequently politically motivated, perpetrated by state-sponsored attackers, motivated by a desire to cause operational disruption by targeting ports and vessels. As the sector experiences increasing attack rates, organisations should need no further motivation to build more effective security controls than being aware of the effects of NotPetya, which crippled shipping giant Maersk in 2017 and cost the firm more than US$300m. 

Other Industries

Current or potential supply chain partners across other transport sectors should clearly take appropriate security precautions to protect their organisation. 

Road:   The automotive industry, especially original equipment manufacturers (OEM) and tier-X suppliers has been targeted by ransomware, leading to production disruptions in 2022. Data-related threats primarily targeting IT systems to acquire customer and employee data as well as proprietary information have also been common.
Road sector breakdown 2021 vs 2022. Interestingly for motor racing fans, the company behind Silverstone, which falls outside the usual categorisation, was also attacked in late 2022. 

Logistics:   Road logistics, often standard freight trucks and smaller national-sized companies, were heavily targeted in 2022, however, attack rates reduced in 2022 – perhaps due to a lack of profitability for attackers, as smaller companies may not be sufficiently lucrative targets (as we have seen with the attack rate in education and construction). 

Manufacturers:   There are no records of road transport manufacturers being targeted prior to 2022.  But now, lesser-known road manufacturing companies and high-profile organisations such as Ferrari, Continental and Vauxhall are facing increasing attacks. 

Transport Authorities:   Several regional road authorities in Spain and Portugal have fallen victim to ransomware attacks. However, as is the case with ransomware generally, public sector organisations are generally not frequently targeted (JUMPSEC data shows that <8% of total UK ransomware reports are public sector).

Geo-political attacks:   While far less frequently targeted in geo-politically motivated attacks than maritime or rail for instance, there have been several transport sector attacks linked to hacktivism, relating to the Ukraine war in 2022. 

Jumpsec report several companies not strictly considered to fall within the transport sector - such as large supermarkets with their own in-house logistics operations - are also subject to the same attacks, purely by virtue of being closely intertwined with road transport in terms of logistics. The retail and wholesale trade organisations and transport and logistics organisations should be highly vigilant in relation to potential risks posed by organisations within their supply chain. 

Across all transport-related subsectors, larger, more cyber mature businesses should treat their supply chain (of typically smaller, less mature businesses) as a part of their own organisation’s digital footprint. They should look to leverage their security resources to support and uplift the resilience of the entire supply chain, reducing the overall risk posed to their organisation in the process.

Jumpsec:

You Might Also Read: 

Maritime Technologies Are Transforming The Shipping Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Cyber Security Insurance - What You Need To Know
A House Of Cards »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Portnox

Portnox

In 2007, Portnox set out to create one of the world’s easiest to use, most loved, value-driven network security solutions — and our customers will tell you we’ve succeeded.

Slovenian Digital Coalition

Slovenian Digital Coalition

Slovenian Digital Coalition is a coalition working in the field of smart cities, e-commerce, e-skills, e-inclusion, cyber security, internet and other areas related to developing the digital society.

A3Sec

A3Sec

A3Sec provides professional solutions in the areas of Cybersecurity, Device Monitoring, Business Intelligence and Big Data.

CPP Group UK

CPP Group UK

CPP Group UK develops products to help insurers add further value to their products and services through its innovative suite of new products in FinTech, InsurTech and cyber security.

Energia Ventures

Energia Ventures

Energia Ventures is a three-month intensive accelerator for entrepreneurs with an innovative business in the energy, smart grid, cleantech, and cybersecurity sectors.

CyberSafe

CyberSafe

CyberSafe is a Portuguese company with a focus on cybersecurity solutions and services including network security, managed security, incident response and forensic analysis.

Cigent Technology

Cigent Technology

Cigent keeps the most valuable asset in your organization safe—your data. Our advanced endpoint and managed network security solutions prevent ransomware and data theft.

QuSecure

QuSecure

QuSecure provides a software-driven security architecture that overlays your current infrastructure and provides next-generation security to protect your entire network from quantum threats.

3B Data Security

3B Data Security

3B Data Security offer a range of Penetration Testing, Digital Forensics, Incident Response and Data Breach Management Services.

Trace3

Trace3

Trace3 is a pioneer in business transformation solutions, empowering organizations to keep pace with the rapid changes in IT innovations and maximize organizational health.

Valtix

Valtix

Valtix is the first and only multi-cloud network security platform delivered as a service that enables cloud teams to meet the most stringent security requirements in a cloud-first & simple way.

ECIT

ECIT

ECIT is your preferred provider of finance and IT services. We believe in the value of combining financial and IT services to streamline and improve the operation of your business.

SequelNet

SequelNet

SequelNet is an emerging MSP, providing 360° business IT solutions and consulting services.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Axient

Axient

Axient advances defense and civilian missions from aerospace to cyberspace with multi-domain test and analysis, mission engineering and operations, and advanced technologies.

Downdetector

Downdetector

Downdetector helps people all over the world understand disruptions to vital services such as the internet, social media, web hosting platforms, banks, games, entertainment, and more.