CGA CMG hit with Ragnar

7983778279?profile=RESIZE_400xFrench container shipping company CMA CGM was hit by a major cyber-attack on 27 September 2020, which disrupted its daily operations.  According to Lloyd’s of London Intelligence sources, several of the company’s Chinese offices were affected by Ragnar Locker ransomware.   CMA CGM initially claimed that their booking system was disabled by an internal IT issue, but later confirmed “external access to CMA CGM IT applications are currently unavailable” after the ransomware attack.

CMA CGM is working to reverse the impact of a ransomware attack that shut down many of its online services.  The cyber-attack was launched using Ragnar Locker, a data encryption malware that has affected other companies.  It is like an incident involving Portuguese energy firm EDP Renewables earlier in 2020.  In an email sent on the 27th and seen by researchers, the hacker requested the French carrier to contact it within two days “via live chat and pay for the special decryption key.”  The exact price was not shared outside the company.

In a customer advisory, CMA CGM said the websites of the company and its two subsidiaries, ANL and CNC, had become unavailable alongside its IT applications “due to an internal IT infrastructure issue.”  CMA CGM staff in Europe report they have been told not to use any company IT equipment. 

7983779252?profile=RESIZE_400xRagnar Locker is a ransomware that affects devices running Microsoft Windows operating systems.  It was initially observed towards the end of December 2019 as part of a series of attacks against compromised networks.  This malware is deployed manually after an initial compromise, network reconnaissance and pre-deployed tasks on the network.  These tactics show this is a more complex operation than most ransomware propagation campaigns.   Before starting the Ragnar Locker ransomware, attackers inject a module capable of collecting sensitive data from infected machines and upload it to their servers.  Next, threat actors behind the malware notify the victim the files will be released to the public if the ransom is not paid.[1]

Maze and Ragnar - Sophos reported 2 week ago that a cyber-attack in July 2020 showed bad actors repeatedly attempting to infect computers with Maze ransomware.  Analysts discovered that the attackers had adopted a technique pioneered by the threat actors behind Ragnar Locker earlier in 2020, in which the ransomware payload was distributed inside of a virtual machine (VM).[2]  In the Maze incident, the threat actors distributed the file-encrypting payload of the ransomware on the VM’s virtual hard drive (a VirtualBox virtual disk image (.vdi) file), which was delivered inside of a Windows .msi installer file more than 700MB in size.  The attackers also bundled a stripped down, 11 year old copy of the VirtualBox hypervisor inside the .msi file, which runs the VM as a “headless” device, with no user-facing interface. 7983779479?profile=RESIZE_400x The Maze-delivered virtual machine was running Windows 7, as opposed to the Windows XP VM distributed in the Ragnar Locker incident.  A threat hunt through telemetry data initially indicated the attackers may have been present on the attack target’s network for at least three days prior to the attack beginning in earnest, but subsequent analysis revealed that the attackers had penetrated the network at least six days prior to delivering the ransomware payload.

This current cyber investigation also turned up several installer scripts that revealed the attackers’ tactics, and found that the attackers had spent days preparing to launch the ransomware by building lists of IP addresses inside the target’s network, using one of the target’s domain controller servers, and exfiltrating data to cloud storage provider Mega.nz.  These threat actors initially demanded a $15 million ransom from the target of the attack.  The victim company did not pay the ransom.

Last week Red Sky Alliance analysts identified CMS CGM’s name being used as part of a malicious email using the subject line “RE: CMA CGM CHRISTOPHE COLOMB – Bridge” (TR-20-265-001_Vessel_Impersonation).  This email contained a malicious attachment containing TrojanDownloader:O97M/Emotet.CSK!MTB malware.   This malware is typically used to steal sensitive information from a victim’s network but can also be used to download other malware including, but not limited, to ransomware.  This demonstrates the value of pro-active, underground research to help identify vulnerabilities. 

7983779887?profile=RESIZE_584x

Analysts have determined that this email screen shot is likely from this CMA CGM attack, as malicious emails often play a critical role in activating malware on a company’s network.  That email had a “redacted” message body which would force many unwitting recipients into opening the attachment out of curiosity.

Attackers often use ransomware to earn a profit, however Ragnar has taken their attacks a step further.  If a company can restore their data from backups and avoid paying the ransom, attackers will expose sensitive information online which was stolen as part of the ransomware attack.  This attack would make CMA CGM the fourth major container shipping carrier known to have fallen victim to such a major cyber incident.

These analytical results illustrate how a recipient could be fooled into opening an infected email.  They also demonstrate how common it is for attackers to specifically target pieces of a company’s supply chain to build up to cyber-attacks on the larger companies.  Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

With cyber-attacks ever increasing in frequency and severity, supposing that maritime and shipping organizations can defend against every potential attack scenario is plain unrealistic.  Yet, maritime organizations need to combine cybersecurity with business resilience to be cyber resilient.  As the maritime sector continues its digitalization quest, safer shipping programs are a competitive strategic advantage.

Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.  Specifically, our analysts have been collecting and analyzing on maritime cyber security issues for years.  We publish weekly Vessel Impersonation report, associate IOCs and a Maritime Watchlist.     

Red Sky Alliance can help protect against attacks as described above.  We provide both internal monitoring in tandem with RedXray notifications on ‘external’ threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

The installation, updating and monitoring of firewalls, cyber security collection and analysis and proper employee training are keys to blocking malicious attacks.  Please feel free to contact our analyst team for research assistance and RedXray Cyber Threat Analysis report on your organization.

Red Sky Alliance is in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

 

 

[1] https://resources.infosecinstitute.com/ragnar-locker-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/

[2] https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!