Preventing malware and ransomware attacks
An international shipping company deploys automated endpoint security on ships with limited satellite connectivity

An international shipping company manages a large fleet of vessels that are often offline, or with limited satellite connectivity. The company, whose crew have access to the ships’ computers, sought a way to address malware and other security risks quickly, even when the ships are at sea with no connectivity, in order to prevent the loss of internal data.

The challenge:

  • Legacy solution failed to detect malware and ransomware multiple times.

  • Signatures for the legacy solution almost never updated, due to bandwidth and connectivity restrictions.

  • Unable to monitor 24x7 because no internet connection was available for most of the voyage.

  • No cybersecurity staff on board, and crew not trained in security.

  • Unauthorized devices often plugged into ships’ computers.

Ships represent a unique environment, as they can be at sea for months at a time. Internet connectivity is intermittent, and the bandwidth is often limited and expensive. Crews often have no cybersecurity training and may end up bringing on board unsafe and insecure devices containing malware and ransomware. Due to established internal processes, it is not possible to block external devices without creating other issues. Such devices are also essential to normal operations and could be replaced at a moment's notice under a variety of contingencies. In the event of a malware or ransomware infection, response time is critical, but real-time access is seldom available because ships are often sailing in unfavorable conditions or isolated areas.

Enhanced security

Over the course of three months, the company used IBM Security® QRadar® EDR to prevent 24 ransomware attacks

Robust remediation

Avoided data loss by tracking and remediating dozens of other attacks

Detection and remediation

The solution:

  • Installed IBM Security QRadar EDR on all ship endpoints.

  • Low data usage allows ground crews to monitor ships in real time and respond when connections are available.

  • Automated response and remediation help remove threats while internet connection is not available.

After a series of ransomware attacks that created severe issues on ships, the shipping company asked IBM® to secure its infrastructure. An initial hygiene check showed a large number of ships already infected with a variety of malware, including RATs, Trojans and reverse shells. All identified infections were assessed and removed, and the IBM Security QRadar EDR software was then reconfigured to align with the specifications of the company: risk to business continuity had to be minimized while ensuring no data loss when there was no internet connectivity. Data transfer also had to be minimized to avoid saturating the satellite connection essential to daily operations.

Hygiene check

After the initial deployment, QRadar EDR immediately flagged a variety of anomalous behaviors and quickly addressed and remediated them. The majority of malware had been brought on board by crews, while other instances originated in content downloaded from internet-connected endpoints. A threat hunting campaign was initiated and revealed a few “dormant” malware instances waiting for a remote operator to connect and take control. Those, too, were remediated, and an observation period of seven days followed. After confirming the absence of further anomalies, IBM reconfigured the platform to operate within the company’s parameters of optimal data usage and low risk of business disruption.


Day-to-day operations

To centralize ship management, IBM and the shipping company installed a security dashboard in the company’s main base. On the ships, where the on-board networks are unified and only a single endpoint has internet access, IBM created a secure channel to allow all endpoints, including crew devices, to deliver QRadar EDR data (and nothing else) to the main base, where a team of analysts monitors and responds to possible incidents.

When ships are scheduled to go offline, the shipping company enables QRadar EDR’s ransomware protection capability, as ransomware is the only malicious vector that could endanger the data. An infection by means of a RAT or Trojan would have had no immediate impact, due to the absence of connectivity. All other behaviors are monitored, with their tracking data archived locally, to be delivered immediately after an internet link is available again.
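The two operating modes described above (a single internet-facing endpoint that forwards EDR telemetry and nothing else, and an offline mode in which ransomware behaviour is blocked on the endpoint while everything else is tracked locally and delivered once a link returns) can be modelled as a store-and-forward agent. The following is an added illustration written for this page, not QRadar EDR's implementation or IBM's code: the event kinds, delivery priorities, byte budget and the hypothetical base hostname `edr-base.example.internal` are all constructed for the example.

```python
"""Store-and-forward model of an EDR agent on an intermittently connected ship endpoint.

Illustrative code, not QRadar EDR's implementation. Event kinds, priorities, the
byte budget and the base hostname are constructed for the example.
"""
import json

# Constructed telemetry an agent might record during one period at sea.
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "process_start", "host": "bridge-pc", "detail": "chart-viewer.exe"},
    {"ts": 2, "kind": "usb_insert", "host": "bridge-pc", "detail": "removable drive (constructed id)"},
    {"ts": 3, "kind": "rat_beacon", "host": "crew-laptop", "detail": "periodic outbound connect attempt"},
    {"ts": 4, "kind": "ransomware_behaviour", "host": "bridge-pc", "detail": "mass file rename to .locked"},
    {"ts": 5, "kind": "process_start", "host": "crew-laptop", "detail": "browser.exe"},
]

# Lower number = delivered first once a link is up (assumed ordering, not a product setting).
PRIORITY = {"ransomware_behaviour": 0, "rat_beacon": 1, "reverse_shell": 1, "usb_insert": 2}
DEFAULT_PRIORITY = 9

# Hypothetical egress allowlist for the single internet-facing endpoint: only EDR
# telemetry to the main base may leave the ship network.
BASE_ALLOWLIST = {("edr-base.example.internal", 443)}


def egress_allowed(dst_host, dst_port):
    """The ship gateway forwards only EDR traffic to the base and nothing else."""
    return (dst_host, dst_port) in BASE_ALLOWLIST


def decide(kind, mode):
    """Automated response policy: with the ship scheduled offline, ransomware behaviour is
    blocked on the endpoint; every other behaviour is tracked for the analysts ashore."""
    if mode == "offline" and kind == "ransomware_behaviour":
        return "block"
    return "track"


def encode_record(record):
    """Compact, deterministic encoding so the byte budget can be accounted for exactly."""
    return json.dumps(record, separators=(",", ":"), sort_keys=True).encode()


class EndpointAgent:
    def __init__(self, budget_bytes):
        self.mode = "connected"
        self.budget = budget_bytes  # bytes the agent may send per flush over the satellite link
        self.spool = []             # tracking data archived locally while no link exists
        self.bytes_sent = 0

    def set_mode(self, mode):
        self.mode = mode

    def observe(self, event):
        action = decide(event["kind"], self.mode)
        self.spool.append({**event, "action": action})
        return action

    def flush(self, link_up):
        """Deliver archived records to the base, most urgent first, within the byte budget.
        Records that do not fit stay spooled for the next window with a link."""
        if not link_up:
            return []
        self.spool.sort(key=lambda r: (PRIORITY.get(r["kind"], DEFAULT_PRIORITY), r["ts"]))
        sent, kept, used = [], [], 0
        for record in self.spool:
            size = len(encode_record(record))
            if used + size <= self.budget:
                sent.append(record)
                used += size
            else:
                kept.append(record)
        self.spool = kept
        self.bytes_sent += used
        return sent


def run_scenario(budget_bytes):
    """One voyage: go offline, observe events, regain a link, flush. Returns what happened."""
    agent = EndpointAgent(budget_bytes)
    agent.set_mode("offline")
    actions = [agent.observe(e) for e in SAMPLE_EVENTS]
    offline_delivery = agent.flush(link_up=False)  # nothing leaves the ship while at sea
    agent.set_mode("connected")
    sent = agent.flush(link_up=True)
    return {
        "actions": actions,
        "offline_delivery": [r["kind"] for r in offline_delivery],
        "sent": [r["kind"] for r in sent],
        "spooled": [r["kind"] for r in agent.spool],
        "bytes_sent": agent.bytes_sent,
    }


if __name__ == "__main__":
    print(run_scenario(budget_bytes=10_000))
```

The design point is that the byte budget, not the event volume, decides what crosses the satellite link in a given window: the ransomware record goes first, lower-priority tracking data waits in the local archive, and nothing is dropped. A real deployment would also persist the spool to disk so an endpoint reboot at sea does not lose the archived tracking data.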

Preventing data loss

Over the next three months, the shipping company used QRadar EDR to prevent 24 ransomware attacks, track and remediate a few dozen different threats—mostly RATs—and prevent the loss of data. Without this solution, the ships’ operations would have been compromised, and critical data would have been made unavailable in less-than-ideal conditions for the crew, creating shipping delays and requiring costly emergency response operations.

About the international shipping company

The major international shipping company manages over 200 ships that transport goods around the world.

Take the next step

To learn more about the IBM solutions featured in this story, please contact your IBM representative or IBM Business Partner.

Legal

© Copyright IBM Corporation 2023. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504

Produced in the United States of America, July 2023.

IBM, the IBM logo, IBM Security, and QRadar are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on ibm.com/trademark.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Generally expected results cannot be provided as each client's results will depend entirely on the client's systems and services ordered. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.