INTRODUCTION

A cyber attack is a set of actions performed by threat actors, who try to gain unauthorized
access, steal data or cause damage to computers, computer networks, or other computing
systems. A cyber attack can be launched from any location. The attack can be performed by
an individual or a group using one or more tactics, techniques and procedures (TTPs).

The individuals who launch cyber attacks are usually referred to as cybercriminals, threat
actors, bad actors, or hackers. They can work alone, in collaboration with other attackers, or
as part of an organized criminal group. They try to identify vulnerabilities—problems or
weaknesses in computer systems—and exploit them to further their goals.

Cybercriminals can have various motivations when launching cyber attacks. Some carry out
attacks for personal or financial gain. Others are “hacktivists” acting in the name of social or
political causes. Some attacks are part of cyberwarfare operations conducted by nation states
against their opponents, or by known terrorist groups. This is part of an extensive series of
guides about application security.

Types of Cyber Attacks

While there are thousands of known variants of cyber-attacks, here are a few of the most
common attacks experienced by organizations every day.

Ransomware

Ransomware is malware that uses encryption to deny access to resources (such as the user’s
files), usually in an attempt to compel the victim to pay a ransom. Once a system has been
infected, files are irreversibly encrypted, and the victim must either pay the ransom to unlock
the encrypted resources, or use backups to restore them.

Ransomware is one of the most prevalent types of attacks, with some attacks using extortion
techniques, such as threatening to expose sensitive data if the target fails to pay the ransom.
In many cases, paying the ransom is ineffective and does not restore the user’s data.

Malware

There are many types of malware, of which ransomware is just one variant. Malware can be
used for a range of objectives from stealing information, to defacing or altering web content,
to damaging a computing system permanently.

The malware landscape evolves very quickly, but the most prevalent forms of malware are:

- Botnet malware—adds infected systems to a botnet, allowing attackers to use them for
  criminal activity
- Crypto miners—mine cryptocurrency using the target’s computer
- Info stealers—collect sensitive information on the target’s computer
- Banking trojans—steal financial and credential information for banking websites
- Mobile malware—targets devices via apps or SMS
- Rootkits—give the attacker complete control over a device’s operating system

DoS and DDoS Attacks

Denial-of-service (DoS) attacks overwhelm the target system so it cannot respond to
legitimate requests. Distributed denial-of-service (DDoS) attacks are similar but involve
multiple host machines. The target site is flooded with illegitimate service requests and is
forced to deny service to legitimate users. This is because servers consume all available
resources to respond to the request overload.

These attacks don’t provide the attacker with access to the target system or any direct benefit.
They are used purely for the purpose of sabotage, or as a diversion used to distract security
teams while attackers carry out other attacks.

Firewalls and network security solutions can help protect against small-scale DoS attacks. To
protect against large scale DDoS, organizations leverage cloud-based DDoS protection which
can scale on demand to respond to a huge number of malicious requests.

Phishing and Social Engineering Attacks

Social engineering is an attack vector that relies heavily on human interaction, used in over
90% of cyberattacks. It involves impersonating a trusted person or entity, and tricking
individuals into granting an attacker sensitive information, transferring funds, or providing
access to systems or networks. Phishing attacks occur when a malicious attacker obtains
sensitive information from a target and sends a message that appears to be from a trusted and
legitimate source. The name “phishing” alludes to the fact that attackers are “fishing” for
access or sensitive information, baiting the unsuspecting user with an emotional hook and a
trusted identity. As part of a phishing message, attackers typically send links to malicious
websites, prompt the user to download malicious software, or request sensitive information
directly through email, text messaging systems or social media platforms. A variation on
phishing is “spear phishing”, where attackers send carefully crafted messages to individuals
with special privileges, such as network administrators, executives, or employees in financial
roles.

MitM Attacks

Man-in-the-Middle (MitM) attacks are breaches that allow attackers to intercept the data
transmitted between networks, computers or users. The attacker is positioned in the “middle”
of the two parties and can spy on their communication, often without being detected. The
attacker can also modify messages before sending them on to the intended recipient. You can
use VPNs or apply strong encryption to access points to protect yourself from MitM attacks.

Fileless Attacks

Fileless attacks are a new type of malware attack, which takes advantage of applications
already installed on a user’s device. Unlike traditional malware, which needs to deploy itself
on a target machine, fileless attacks use already installed applications that are considered
safe, and so are undetectable by legacy antivirus tools. Fileless malware attacks can be
triggered by user-initiated actions, or may be triggered with no user action, by exploiting
operating system vulnerabilities. Fileless malware resides in the device’s RAM and typically
accesses native operating system tools, like PowerShell and Windows Management
Instrumentation (WMI), to inject malicious code. A trusted application on a privileged system
can carry out system operations on multiple endpoints, making such applications ideal targets
for fileless malware attacks.

Cyber Attack Prevention: Common Cybersecurity Solutions

Following are a few security tools commonly deployed by organizations to prevent
cyber-attacks. Of course, tools are not enough to prevent attacks—every organization needs
trained IT and security staff, or outsourced security services, to manage the tools and
effectively use them to mitigate threats.

Web Application Firewall (WAF)

A WAF protects web applications by analyzing HTTP requests and detecting suspected
malicious traffic. This may be inbound traffic, as in a malicious user attempting a code
injection attack, or outbound traffic, as in malware deployed on a local server communicating
with a command and control (C&C) center. WAFs can block malicious traffic before it
reaches a web application, and can prevent attackers from exploiting many common
vulnerabilities—even if the vulnerabilities have not been fixed in the underlying application.
A WAF complements traditional firewalls and intrusion detection systems (IDS), protecting
against attacks performed at the application layer (layer 7 of the OSI network model).

DDoS Protection

A DDoS protection solution can protect a network or server from denial of service attacks. It
does this using dedicated network equipment, deployed on-premises by the organization, or
as a cloud-based service. Only cloud based services are able to deflect large scale DDoS
attacks, which involve millions of bots, because they are able to scale on demand. A DDoS
protection system or service monitors traffic to detect a DDoS attack pattern, and distinguish
legitimate from malicious traffic. When it detects an attack, it performs “scrubbing”,
inspecting traffic packets and dropping those that are deemed malicious, preventing them
from reaching the target server or network. At the same time, it routes legitimate traffic to the
target system to ensure there is no disruption of service.

Bot Protection

Bots make up a large percentage of Internet traffic. Bots put a heavy load on websites, taking
up system resources. While some bots are useful (such as bots that index websites for search
engines), others can perform malicious activities. Bots can be used for DDoS, to scrape
content from websites, automatically perform web application attacks, spread spam and
malware, and more. A bot protection system detects and blocks bad bots, while allowing
legitimate bots to perform activities like search indexing, testing and performance
monitoring. It does this by maintaining a large database of known bot sources, and detecting
behavior patterns that might indicate a bot is malicious.

Cloud Security

Almost all organizations today manage infrastructure, applications, and data in the cloud.
Cloud systems are especially vulnerable to cyber threats, because they are commonly
exposed to public networks, and often suffer from a low level of visibility, because they are
highly dynamic and running outside the corporate network. Cloud providers take
responsibility for securing their infrastructure, and offer built-in security tools that can help
cloud users secure their data and workloads. However, first-party cloud security tools are
limited, and there is no guarantee that they are being used properly and all cloud resources
are really secured. Many organizations use dedicated cloud security solutions to ensure that
all sensitive assets deployed in the cloud are properly protected.

Database Security

Databases typically hold sensitive, mission-critical information, and are a prime target for
attackers. Securing databases involves hardening database servers, properly configuring
databases to enable access control and encryption, and monitoring for malicious
activities. Database security solutions can help ensure a consistent level of security for
databases across the organization. They can help prevent issues like excessive privileges,
unpatched vulnerabilities in database engines, unprotected sensitive data, and database
injection.

API Security

Modern applications use application programming interfaces (APIs) to communicate with
other applications, to obtain data or services. APIs are used to integrate systems inside an
organization, and are increasingly used to contact and receive data from systems operated by
third parties. All APIs, especially public APIs that are accessed over the Internet, are
sensitive to attacks. Because APIs are highly structured and documented, they are easy for
attackers to learn and manipulate. Many APIs are not properly secured, may be weakly
authenticated, or exposed to vulnerabilities like cross-site scripting (XSS), SQL injection, and
man-in-the-middle (MitM) attacks. Securing APIs requires a variety of measures, including
strong multi-factor authentication (MFA), secure use of authentication tokens, encryption of
data in transit, and sanitization of user inputs to prevent injection attacks. API security
solutions can help enforce these security controls for APIs in a centralized manner.

Threat Intelligence

Threat intelligence operates in the background and supports many modern security tools. It is
also used directly by security teams when investigating incidents. Threat intelligence
databases contain structured information, gathered from a variety of sources, about threat
actors, attack tactics, techniques, and procedures, and known vulnerabilities in computing
systems. Threat intelligence solutions gather data from a large number of feeds and
information sources, and allow an organization to quickly identify indicators of compromise
(IOCs), use them to identify attacks, understand the motivation and mode of operation of the
threat actor, and design an appropriate response.
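As an added example, not code from the original page, the following Python shows the step this section describes in practice: a small threat-intelligence feed of IOCs is parsed and matched against proxy log lines to flag where an indicator was seen. The feed format, the log format and every domain, address and hash in it are constructed assumptions.

```python
"""Constructed example, added here and not part of the original page:
a tiny IOC feed (constructed values only) matched against constructed
proxy log lines, as the threat-intelligence section describes (gather
IOCs, use them to identify attacks). Feed and log formats are assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed feed: one "type,value,note" record per line. The address is from
# the documentation range TEST-NET-3 and the hash is simply SHA-256 of "test".
IOC_FEED = """\
domain,update-check.example-bad.test,constructed C&C domain
ipv4,203.0.113.42,constructed scanning source
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,constructed sample hash
"""

# Constructed proxy log lines: "<time> <client-ip> <method> <url> [sha256=<hash>]".
LOG_LINES = [
    "2021-06-02T09:14:01Z 10.0.0.15 GET http://intranet.example.test/home",
    "2021-06-02T09:14:07Z 10.0.0.23 GET http://cdn.update-check.example-bad.test/p.bin "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2021-06-02T09:15:30Z 203.0.113.42 GET http://intranet.example.test/login",
    "2021-06-02T09:16:02Z 10.0.0.15 GET http://mail.example.test/inbox",
]

HOST_RE = re.compile(r"https?://([^/\s:]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Ioc:
    kind: str   # "domain", "ipv4" or "sha256"
    value: str  # normalised to lower case
    note: str


def parse_feed(text: str) -> list:
    """Parse the feed, normalising values and rejecting malformed IPv4 entries."""
    iocs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, note = (f.strip() for f in line.split(",", 2))
        if kind == "ipv4":
            ipaddress.IPv4Address(value)  # raises ValueError on bad feed data
        iocs.append(Ioc(kind, value.lower(), note))
    return iocs


def match_log(iocs: list, lines: list) -> list:
    """Return (line_number, kind, value) for every IOC observed in the log lines."""
    by_kind: dict = {}
    for ioc in iocs:
        by_kind.setdefault(ioc.kind, {})[ioc.value] = ioc
    hits = []
    for number, line in enumerate(lines, 1):
        seen = set()
        for host in HOST_RE.findall(line):
            host = host.lower()
            # A domain IOC also covers its subdomains (cdn.<domain>), so match on
            # label boundaries rather than with a plain substring search.
            for dom, ioc in by_kind.get("domain", {}).items():
                if host == dom or host.endswith("." + dom):
                    seen.add(ioc)
        for ip in IPV4_RE.findall(line):
            if ip in by_kind.get("ipv4", {}):
                seen.add(by_kind["ipv4"][ip])
        for digest in SHA256_RE.findall(line):
            if digest.lower() in by_kind.get("sha256", {}):
                seen.add(by_kind["sha256"][digest.lower()])
        hits.extend((number, i.kind, i.value)
                    for i in sorted(seen, key=lambda i: (i.kind, i.value)))
    return hits
```

Each hit carries the log line number so an analyst can pivot from the indicator back to the surrounding activity, which is the "understand the mode of operation" step the paragraph ends with.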

ferry service

A ferry is a watercraft that carries passengers, and sometimes vehicles and cargo,
across a body of water. A small passenger ferry with many stops, such as
in Venice, Italy, is sometimes called a water bus or water taxi.

Ferries form a part of the public transport systems of many waterside cities and islands,
allowing direct transit between points at a capital cost much lower than bridges or tunnels.
Ship connections of much larger distances (such as over long distances in water bodies like
the Mediterranean Sea) may also be called ferry services, and many carry vehicles.
The profession of the ferryman is embodied in Greek mythology in Charon, the boatman who
transported souls across the River Styx to the Underworld.
Speculation that a pair of oxen propelled a ship having a water wheel can be found in 4th
century Roman literature "Anonymus De Rebus Bellicis". Though impractical, there is no
reason why it could not work and such a ferry, modified by using horses, was used in Lake
Champlain in 19th-century America. See Experiment (horse powered boat).
In 1850 the roll-on roll-off (ro-ro) ferry, Leviathan designed to carry freight wagons
efficiently across the Firth of Forth in Scotland started to operate between Granton, near
Edinburgh, and Burntisland in Fife. The vessel design was highly innovative and the ability
to move freight in great quantities and with minimal labour signalled the way ahead for sea-
borne transport, converting the ro-ro ferry from an experimental and marginal ship type into
one of central importance in the transport of goods and passengers.[1]
In 1871, the world's first ferry ship was created in Istanbul. The iron steamship,
named Suhulet (meaning ‘ease’ or ‘convenience’) was designed by the general manager of
Şirket-i Hayriye (Bosporus Steam Navigation Company), Giritli Hüseyin Haki Bey and built
by a British shipbuilder. It weighed 157 tons. It was 155 feet (47 meters) long, 27 feet (8.2
meters) wide, and had a draft of 9 feet (2.7 meters). It was capable of travelling up to 6 knots
with the side wheel turned by its 450-horsepower, single-cylinder, two-cycle steam engine.
Launched in 1872, Suhulet's unique features consisted of a symmetrical entry and exit for
horse carriages, along with a dual system of hatchways. The ferry operated on the Üsküdar-
Kabataş route, which is still serviced by modern ferries today.

Ransomware attack hits ferry service to Cape Cod, Nantucket and Martha's Vineyard
WASHINGTON — The Steamship Authority of Massachusetts ferry service fell
victim to a ransomware attack Wednesday, the latest cyber assault affecting
logistics and services in the United States.

The Steamship Authority is the largest ferry service offering daily fares from Cape
Cod to neighboring islands Nantucket and Martha's Vineyard off the coast of
Massachusetts, according to the company's website.

"The Woods Hole, Martha's Vineyard and Nantucket Steamship Authority has been the target
of a ransomware attack that is affecting operations as of Wednesday morning," the company
wrote in a statement, adding that customers may experience delays.

A "team of IT professionals" is investigating the impact of the cyberattack, according to the
company.

The attack comes as summer tourists begin to flock to the iconic Massachusetts vacation
spots.

The Steamship Authority said in a statement to CNBC that it is working with federal, state
and local authorities to determine the extent and origin of the ransomware attack.

"There is no impact to the safety of vessel operations, as the issue does not affect radar or
GPS functionality," said Sean Driscoll, communications director for the authority.

A spokesperson from the U.S. Coast Guard 1st District said that the ransomware attack posed
"no threat to passenger safety."

The spokesperson added the U.S. Coast Guard 1st District is working in conjunction with the
Massachusetts Cybersecurity Unit and that the FBI is currently leading the investigation.

Ransomware attacks involve malware that encrypts files on a device or network that results in
the system becoming inoperable. Criminals behind these types of cyberattacks typically
demand a ransom in exchange for the release of data.

The ransomware attack against the ferry service comes on the heels of a cyberattack Sunday
on Brazil's JBS, the world's largest meatpacker. The breach disrupted meat production in
North America and Australia, triggering concerns over rising meat prices.

On Tuesday, the company said it had made "significant progress in resolving the cyberattack"
and that the "vast majority" of beef, pork, poultry and prepared foods plants would resume
operations by Wednesday, according to a statement.

The White House said Tuesday that the ransomware attack on JBS is believed to have
originated from a criminal organization likely based in Russia.

Last month, a criminal cybergroup known as DarkSide struck the jugular of America's fuel
pipelines with a sweeping ransomware attack on Colonial Pipeline.

The cyberattack forced the company to shut down approximately 5,500 miles of pipeline,
leading to a disruption of nearly half of the East Coast fuel supply and causing gasoline
shortages in the Southeast. Colonial Pipeline paid the ransom to hackers, one source familiar
with the situation confirmed to CNBC.

Massachusetts' largest ferry service hit by ransomware attack

The Steamship Authority, Massachusetts' largest ferry service, was hit by a ransomware
attack on Wednesday which led to ticketing and reservation disruptions.

"The Woods Hole, Martha's Vineyard, and Nantucket Steamship Authority has been the
target of a ransomware attack that is affecting operations as of Wednesday morning," the
ferry service said on Wednesday.

"There is no impact to the safety of vessel operations, as the issue does not affect radar or
GPS functionality. Scheduled trips to both islands continue to operate, although customers
may experience some delays during the ticketing process."

In an update issued today, the Steamship Authority says that it's still working on restoring
services, with trips already scheduled to operate without disruption.

However, the availability of credit card systems for processing vehicle and passenger
tickets is limited, so paying in cash is preferred.

"The Steamship Authority is continuing to work with our team internally, as well as with
local, state, and federal officials externally, to address Wednesday's incident," the service
added.

"The ticketing processes, including online and phone reservations, will continue to be
affected today, Thursday, June 3, 2021."

"At this point, customers remain unable to book or change reservations online or by phone,
and the use of cash is recommended as there is limited access to credit card systems at some
terminal and parking locations."

In June 2021, the Steamship Authority, a ferry service operating in Massachusetts, USA, was
hit by a ransomware attack. The attack disrupted the ferry service's operations, including
ticket reservations, online booking, and parking lot services. The Steamship Authority's
website was also taken offline as a result of the attack.

The ransomware attack was carried out by a group of cybercriminals known as "REvil," who
demanded a ransom payment of $5.2 million in exchange for the decryption key to unlock the
affected systems. The Steamship Authority did not pay the ransom and instead worked to
restore its systems and services.

The attack highlights the significant risk that ransomware poses to organizations of all sizes,
including critical infrastructure. It also emphasizes the importance of implementing robust
cybersecurity measures to prevent and mitigate cyber attacks. The Steamship Authority has
since worked to enhance its cybersecurity defences and implement additional security
measures to prevent future attacks.

Introduction:

In the modern era, where technology plays an increasingly vital role in our lives, the threat of
cyber attacks looms large. One such incident that shook the maritime industry occurred in
June 2021 when the Steamship Authority, a ferry service operating in Massachusetts, USA,
fell victim to a ransomware attack. This essay examines the Steamship Authority ransomware
attack, its impact, the response of the organization, and the lessons learned regarding the
importance of cybersecurity.

Body:

1. Background:

The Steamship Authority, a prominent ferry service provider, has been facilitating
transportation between the mainland and the islands of Martha's Vineyard and Nantucket for
decades. In the digital age, the company adopted various technological advancements to
streamline operations, enhance customer experience, and improve efficiency. However, this
reliance on technology also exposed the organization to potential cyber threats.

2. The Ransomware Attack:

In June 2021, the Steamship Authority became a target of a ransomware attack, an
increasingly common form of cybercrime. The attack disrupted critical systems, affecting
ticket reservations, online booking, and parking lot services. As a result, the company's
operations were severely impacted, inconveniencing thousands of passengers and causing
financial losses.

3. Impact and Response:

The attack rendered the Steamship Authority's website inaccessible and disrupted its ability
to provide essential services. Passengers faced difficulties in making reservations, altering
travel plans, and accessing important information. The organization swiftly responded by
isolating affected systems, contacting law enforcement agencies, and launching an
investigation to identify the culprits. Additionally, they communicated with passengers,
providing regular updates, and alternative means of ticket purchasing.

4. Ransom Demand and Decision:

The cybercriminals behind the attack, known as the REvil group, demanded a ransom
payment of $5.2 million in exchange for the decryption key to unlock the affected systems.
Taking a firm stance against capitulating to ransom demands, the Steamship Authority chose
not to pay. Instead, they focused on restoring their systems through data recovery and
rebuilding affected infrastructure.

5. Lessons Learned:

The Steamship Authority ransomware attack serves as a wake-up call to organizations across
industries regarding the pressing need for robust cybersecurity measures. Several key lessons
can be derived from this incident:

a. Prioritize Cybersecurity: Organizations must prioritize cybersecurity and implement
proactive measures to prevent and mitigate cyber threats. Regular security audits,
vulnerability assessments, and employee training programs are essential components of a
robust cybersecurity framework.

b. Regular Backups: Maintaining regular backups of critical data is crucial to enable
recovery in the event of a cyber attack. Backups should be stored securely and tested
periodically to ensure their integrity.

c. Incident Response Planning: Developing a comprehensive incident response plan is
essential to minimize the impact of a cyber attack. Organizations should define roles and
responsibilities, establish communication channels, and conduct regular drills to test the
effectiveness of the plan.

d. Collaborate with Law Enforcement: Timely collaboration with law enforcement agencies
can aid in the investigation, apprehension, and prosecution of cybercriminals. It is crucial for
organizations to report cyber attacks promptly to the appropriate authorities.
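As an added example, not part of the original essay, the following Python shows the backup integrity check that lesson (b) calls for, and that the ransomware section earlier on the page relies on when it presents restoring from backups as the alternative to paying: a SHA-256 manifest is taken at backup time, kept apart from the backup itself, and re-verified before the copy is trusted for recovery. The directory layout, file names and contents are constructed.

```python
"""Added example, not part of the original page: a SHA-256 manifest of a
backup set, stored apart from the backup and re-checked later, so that a
copy altered (for instance encrypted in place) or lost after it was taken
is noticed before it is relied on for recovery. Files and paths are constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup members do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the manifest away from the backup (read-only or offline media): a
    # copy kept next to the data can be altered together with it.
    path.write_text(json.dumps(manifest, sort_keys=True, indent=1))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the files now under root with a manifest taken earlier."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
        "ok": current == manifest,
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then damage the backup and re-verify."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as vault:
        root = Path(backup)
        (root / "db").mkdir()
        (root / "db" / "reservations.sql").write_bytes(b"INSERT INTO tickets VALUES (1);\n")
        (root / "config.yml").write_bytes(b"site: ferry\n")
        manifest_path = Path(vault) / "manifest.json"   # the "vault" stands in for offline media
        save_manifest(build_manifest(root), manifest_path)
        # Simulated damage after the manifest was taken: one file overwritten with
        # unreadable bytes, one deleted, one file that was never part of the set.
        (root / "db" / "reservations.sql").write_bytes(os.urandom(48))
        (root / "config.yml").unlink()
        (root / "stray.tmp").write_bytes(b"not part of the backup\n")
        return verify_backup(root, load_manifest(manifest_path))
```

A backup that verifies clean against a manifest held off the affected network is the one the essay's recovery-without-payment path depends on; a report with anything in "missing" or "modified" means that copy cannot be relied on as it stands.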

Conclusion:

The Steamship Authority ransomware attack serves as a stark reminder of the vulnerability of
organizations to cyber threats and the need for robust cybersecurity practices. By learning
from this incident and implementing the lessons gleaned, organizations can strengthen their
defenses and protect critical infrastructure, customer data, and operations from malicious
actors. Cybersecurity must be treated as a priority, and continuous efforts to enhance security
measures must be undertaken to safeguard against evolving cyber threats.
