RansomHub Ransomware Hits West Gulf Maritime Association
Incident Date: July 31, 2024
Overview
Title: RansomHub Ransomware Hits West Gulf Maritime Association
Victim: West Gulf Maritime Association (WGMA)
Attacker: RansomHub
Location:
First Reported: July 31, 2024
RansomHub Ransomware Attack on West Gulf Maritime Association
The West Gulf Maritime Association (WGMA), a pivotal non-profit organization in the Gulf Coast maritime industry, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group RansomHub. This incident has raised significant concerns about the security of critical infrastructure within the transportation sector.
About WGMA
Established in 1968 and headquartered in Houston, Texas, WGMA represents over 200 members, including steamship owners, operators, agents, stevedoring companies, and terminal operators across Texas ports and the Port of Lake Charles, Louisiana. The association plays a crucial role in labor relations, payroll services, training, and advocacy within the maritime sector. In 2022, WGMA processed nearly $400 million in payroll for over 8,000 longshore workers, highlighting its significant operational scale.
Attack Overview
RansomHub has claimed responsibility for the ransomware attack on WGMA via their dark web leak site. The attack has compromised WGMA's systems, potentially leading to operational disruptions and data breaches. The specific demands made by the attackers and the full extent of the damage remain undisclosed. WGMA is currently assessing the impact and formulating a response strategy to mitigate the effects of this malicious incident.
About RansomHub
RansomHub is a relatively new ransomware group believed to have roots in Russia. Operating as a Ransomware-as-a-Service (RaaS) group, RansomHub's affiliates receive 90% of the ransom money, with the remaining 10% going to the main group. The group has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, without following a specific pattern. Their ransomware strains are written in Golang, a language choice that aligns with recent trends in the ransomware world.
Potential Vulnerabilities
WGMA's extensive involvement in payroll administration, labor relations, and training makes it a valuable target for ransomware groups. The association's role in processing significant financial transactions and maintaining sensitive labor-related data could have made it particularly vulnerable to cyberattacks. The use of electronic timesheets, direct deposit, and payroll tax reporting systems may have provided multiple entry points for the attackers.
Penetration Methods
While the exact method of penetration used by RansomHub remains unclear, common tactics include phishing emails, exploiting software vulnerabilities, and leveraging weak security protocols. Given RansomHub's sophisticated operations and the use of Golang for their ransomware strains, it is likely that a combination of these methods was employed to infiltrate WGMA's systems.