
Ransomware trends: the European transport sector

April 23, 2023 | March 18th, 2024 | Insights, Ransomware | 11 min read

As Aviation, Maritime, Rail and Road transport organisations are reportedly experiencing increased levels of ransomware activity across Europe, as per ENISA’s recent report, JUMPSEC analysts have combined the findings with JUMPSEC’s attacker-reported data, scraped from a variety of sources (including the dark web), to provide further context to the risks currently posed to European transport organisations. JUMPSEC’s analysis expands ENISA’s euro-centric view with UK data and perspectives.

Introduction

In comparison to the 13% jump in total UK attack figures across all sectors from 2021 to 2022, Europe-wide ransomware attacks reported against the transport sector specifically rose by 41% in 2022.

There are a number of reasons why the transport sector might be experiencing higher than average levels of ransomware activity. From an attacker’s perspective, transport sector organisations have a distinctive profile that makes them a lucrative prospect, which is worth understanding, particularly within the current threat landscape:

  • High-impact attacks – The potential to cause serious business interruption for Transport sector organisations is immense – making airports, shipping ports, rail operators, and logistics companies prime ransomware targets, unlike other sectors which attackers initially found easy to breach but potentially difficult to extort due to an inability to cause meaningful disruption (i.e. construction, as per this JUMPSEC report).
  • An extensive attack surface – Transport and logistics organisations are highly dependent on supply chain integration and play a key role within the end-to-end value chain. They also use specific technical equipment like satellite communication and IoT technologies which increase the potential attack vectors leveraged by cyber criminals. As detailed further in the ‘Maritime’ section of this report, JUMPSEC have also observed instances where interconnected shipping organisations were breached concurrently, illustrating the scope of supply chain risks to transport and logistics organisations.
  • Capitalising on existing disruption – Cyber criminals are known to strike at organisations which are already in a state of disruption to add to the chaos and maximise the potential for extortion. To name a few recent instances – the energy crisis, the post-Brexit lorry drivers’ debacle, and the chaos experienced by thousands of passengers at airports last year. Overall shipping and delivery times have also fallen as capacity decreased by an estimated 10-15% globally in 2022.

Additionally, attacker motivations for targeting an airport or shipping facility can be more diverse than simple financial gain, given the strategic geopolitical disruption that can be achieved by ‘nation state’ threat actors, and ecologically motivated disruption caused by hacktivists (generally via DDoS attacks).

Recent attacks reported against notable companies like Continental, Ferrari, Vauxhall, TAP Portugal, Direct Ferries, Swissport and UK-based Charles Kendall may have elevated the transport sector’s risk awareness.

General sector by sector

The top 10 most affected European countries, by attacks reported from January 2021 to March 2023.

Country by country percentage

Total sector-by-sector breakdown from January 2021 to March 2023.

However, perhaps the most interesting development has been the notable increase of ransomware attacks within specific Transport sub-sectors – particularly in Maritime and Aviation in 2022. Further details, along with additional threat actor context are provided below.

Sector-by-sector breakdown

The scale and ambition of attackers targeting the transport sector have seen a significant increase from 2021 to 2022. Whereas in 2021 a considerable proportion of reported attacks were directed at smaller sized national motor freight businesses (labelled ‘Road (Logistics)’ below), we have witnessed an increased number of attacks in areas like aerospace, airport authorities, airlines, high-end manufacturers, and larger international logistics organisations.

Annual subsector increase from 2021 to 2022

Graph showing the attacker reported breakdown of transport sectors (Aviation, Maritime etc.) across all European countries including the UK.

It should be clarified that broadly referring to the ‘transport sector’, or more specifically Aviation, Maritime, Rail, and particularly ‘Road’ as tightly defined sectors with common characteristics (as per the ENISA report) can be imprecise, and thus JUMPSEC have categorised victim organisations as:

  • Logistics (General) refers to international or global logistics companies generally encompassing Road, Maritime, Aviation and Rail operations – as opposed to what we have termed ‘Road (Logistics)’ which generally refers to national haulage organisations.
  • Road (Manufacturers) has been split into separate sub-categories as manufacturing organisations have a separate threat profile and operational differences which are worth distinguishing.
  • Other miscellaneous sectors which are less frequently targeted yet are notably distinct sub-sectors, such as Aerospace, Local Authorities, and general Transport Manufacturing, are also sub-categorised.

As a general rule, LockBit ransomware (the most prevalent threat actor globally) is responsible for the majority of attacks against European transport organisations; however, this varies within some specific sub sectors, such as Maritime.

Most prevalent Transport sector attackers

In contrast to other notable attackers of European transport organisations, LockBit has now claimed 62% of transport sector attacks in JUMPSEC’s initial ransomware figures for 2023.

Maritime

The Maritime sector has arguably produced the most insightful findings, as JUMPSEC have seen a notable uptick in attacks in the sector as 2022 progressed. Unexpectedly, given LockBit’s domination of the ransomware space, PLAY ransomware is the most prevalent threat to European Maritime organisations.

Top 5 most prevalent groups in Maritime

PLAY ransomware disproportionately targets European Maritime sector organisations compared to a generally lower volume of attacks when combining UK and Europe.

This category could perhaps more accurately be termed ‘shipping logistics companies’ or ‘ports’ which, despite the occasional yacht services company, is essentially what the vast majority of organisations affected by ransomware attacks in the sector are.

As the sector experiences increasing attack rates, organisations should need no further motivation to build more effective security controls than the effects of NotPetya which crippled shipping giant Maersk in 2017 and cost the firm >$300m. More recent targets within the Maritime sector include attacks on the Port of Houston and the Port of London Authorities, both of which are believed to have been politically motivated.

JUMPSEC has also observed reported attacks on several Swedish shipping logistics companies, targeted by PLAY ransomware in a single week in December 2022, in what was potentially a coordinated supply chain attack. Similarly, three connected Greek and Italian shipping logistics companies were attacked by Conti and affiliated ransomware group Hive in early 2022 within a number of days, highlighting the heightened risks which may be posed by the interconnectivity of Maritime sector organisations.

It is worth noting that Play ransomware is currently active against the Maritime sector and has attacked and leaked data from Dutch Maritime firm Royal Dirkzwager as of March 30th 2022, while in January, Oslo-based DNV (one of the world’s largest Maritime organisations and a major software supplier for ships) was also breached. Current or potential supply chain partners may therefore wish to take appropriate security precautions to protect their organisation.

Aviation

Observable ransomware trends for European Aviation organisations have been broadly similar through 2021, 2022 and 2023 so far.

In terms of specific threats to the sector, airline customer data and original equipment manufacturers’ (OEM) proprietary information are the prime assets targeted by attackers within Aviation. Fraudulent website impersonation, particularly of airline companies, has also become a significant threat in 2022, while the number of ransomware attacks specifically affecting airports has also increased.

While scarcely targeted in 2021, attacker-reported ransomware incidents against European Aviation organisations increased by over 200% in 2022. LockBit is marginally the most prevalent threat actor, along with a varied list of other groups similarly targeting the sector.

Aviation sub sectors

Aviation sub sectors affected by ransomware 2021-2023. The geo-political segment refers to attacks directly targeted at either Russian or Ukrainian Aviation organisations during the conflict.

Airlines experienced notable cyber attacks and data breaches in 2022, including TAP Portugal, SpiceJet and Pegasus. Aviation technology firm Accelya, who provide services to Delta, British Airways, JetBlue, United, Virgin Atlantic and American Airlines among others, also had sensitive data leaked by ransomware threat actors.

To illustrate the impact to the Aviation ‘Services’ subsector – Swissport International was affected by a ransomware attack that had a severe impact on its operations, causing flights to suffer delays. The ransomware group responsible (BlackCat) then followed through on their threats by leaking data which included sensitive documentation, tax declarations, images of passports and ID cards and the personal information of interviewees.

Road

The automotive industry, especially original equipment manufacturers (OEM) and tier-X suppliers, has been targeted by ransomware, which led to production disruptions in 2022. Data-related threats primarily targeting IT systems to acquire customer and employee data as well as proprietary information have also been common.

2021 sub sectors
2022 sub sectors

Road sector breakdown 2021 vs 2022. Interestingly for motor racing fans, the company behind Silverstone, which falls outside usual categorisation, was also attacked in late 2022.

Explaining the sub sector breakdown in further detail:

  • Logistics – Road logistics, often standard freight trucks and smaller national sized companies, were heavily targeted in 2022; however, attack rates have lessened somewhat in 2022 – perhaps due to a lack of profitability for attackers, as smaller companies may not be sufficiently lucrative targets (as we have seen with attack rates in Education and Construction).
  • Manufacturers – There is no record of Road transport manufacturers being targeted prior to 2022 and 2023, during which lesser-known Road manufacturing companies and high-profile organisations such as Ferrari, Continental and Vauxhall have been increasingly attacked.
  • Transport Authorities – A number of regional Road authorities in Spain and Portugal were affected, however, as is the case with ransomware generally, public sector organisations are generally not frequently targeted (JUMPSEC data shows that <8% of total UK ransomware reports are public sector).
  • Geo-political attacks – While far less frequently targeted in geo-politically motivated attacks than Maritime or Rail for instance, there have been a number of transport sector attacks linked to hacktivism relating to the Ukraine war in 2022.

A final caveat is the degree to which many companies are intertwined with Road transport in terms of logistics – for example, companies with in-house logistics operations which are not considered transport organisations (e.g. a supermarket or food retailer may have its own logistics operations or be heavily dependent on a close partner, yet would not be considered transport).

As detailed in JUMPSEC’s recent ransomware trends report, Retail & Wholesale Trade organisations are some of the most frequently targeted, and hypothetically most lucrative, sectors to target from an attacker’s perspective, owing to the high proportion of large sized victims (>€50m) within the sector.

Retail & Wholesale Trade organisations, and Transport & Logistics organisations, should therefore be vigilant in relation to potential risks posed by the organisations within their supply chain.

Across all transport related subsectors, larger, more cyber-mature businesses should treat their supply chain (of typically smaller, less mature businesses) as a part of their own organisation’s digital footprint and look to leverage their security resources to support and uplift the resilience of the entire supply chain – reducing the overall risk posed to their organisation in the process.

Conclusion

JUMPSEC’s data broadly aligns with ENISA’s observation that the transport sector generally does not appear to have been targeted more frequently than other sectors in recent months. However, as detailed above, markedly increased attack rates within ‘Transport’ sub sectors, particularly Maritime and Aviation, and a general trend toward the attack of organisations with a more elevated profile and size appear to have become increasingly common over time.

Threat actors often thrive on existing chaos and disruption. A final consideration for transport organisations will be how to approach the potential security risks that accompany increased interest in disruptive attacks, either from ecological hacktivists, state sponsored threat actors, or geo-politically motivated hacktivists who seek primarily to disrupt organisations, as well as the continued efforts of opportunistic ransomware groups attempting to capitalise on the significant scope for disruption which exists in the sector.


Sean Moran

Sean is a researcher and writer with a keen interest in geopolitics and its impact on the cyber security industry.


Matt Lawrence

Head of Defensive Security

As Head of Defensive Security at JUMPSEC, Matt is responsible for shaping and leading the defensive operations team for JUMPSEC.
