Carnival Cruises hit with a costly ransomware attack

The company says in SEC filing it is preparing for potential claims from guests, employees, and shareholders based on the data accessed.

The new Carnival Vista, sailing on its maiden voyage, departs Dubrovnik, Croatia in May 2016.

Image: Andy Newman/Carnival Cruise Line

Ransomware attacks on high-profile companies are now a daily occurrence. In the last two weeks, major companies like Konica Minolta, Canon, Garmin and Brown-Forman, the wine and spirits giant that makes Jack Daniel's, have either been hit by ransomware-specific attacks or revealed previous attacks.

Cruise operator Carnival Corp is the latest to fall victim to ransomware-wielding bandits. David Bernstein, chief financial officer for Carnival, told the SEC in a regulatory filing on Monday that the company had suffered from an attack that involved files being stolen. 

The filing says that on Aug. 15 the company "detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files."

Once security teams within Carnival discovered the attack, they called the police, started an investigation and "implemented a series of containment and remediation measures to address this situation and reinforce the security" of the information technology system. 

The filing adds that the company expects "the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders and regulatory agencies."

While the initial investigation indicates that the attack was contained to one brand's system, Bernstein wrote that "there can be no assurance that other information technology systems of the other company's brands will not be adversely affected."

Rise of ransomware-as-a-service

Terence Jackson, chief information security officer at Thycotic, told TechRepublic he has seen ransomware evolve over the years from something that required a fair amount of coding skill to a more simplified as-a-service offering.

Jackson noted that exploit kits can be bought online just like other commercial off-the-shelf software, leading to a rise in the number of attacks. 

Double financial hits from ransomware

Steve Durbin, managing director of the Information Security Forum, told TechRepublic that the age-old debate over whether to pay a ransom or not still rages on. But as more organizations bite the bullet and pay to get their data or systems back online, more cyberattackers will invest time and resources into ransomware tools. 

"An affected organization will have to face the potential of a double financial hit as it is forced to pay a large ransom to protect its people or resume normal operations, and then to retrospectively build in security," Durbin said.

"Ransomware attackers are not interested in stealing assets and using them to cause damage, but in exploiting the value of the asset to its owner. When striking at organizations, attackers will target systems that are fundamental to business operations, some of which may be operating in an unprotected manner or which may have been unwittingly exposed during the COVID-19 response when workers were forced to access corporate systems from home."

That appeared to be the case with Carnival, which admitted the attackers went after the vital systems managing personal data of guests and employees. Durbin added that companies now need to plan for extended operational downtime in case of ransomware attacks and put contingencies in place.

Carnival has struggled during the coronavirus pandemic after a spring and summer season littered with headlines tying the virus to cruise ships. Bloomberg reported in April that dozens of people on Carnival cruises died of COVID-19 and more than 1,500 people fell ill with the virus. 

Some analysts suggested organizations look into cyber insurance as a way to hedge against the potential for a damaging attack. 

Caroline Thompson, head of underwriting at Cowbell Cyber, said a policy may include coverage and assistance before, during, and after a cyber incident.

Thompson highlighted that, with ransomware, the damage to an organization goes well beyond the need to pay the ransom when a readily available backup, which is the preferred solution, is not an option.

"Business interruption, loss of revenue, and reputational damages are all financial burdens that cyber insurance can provide relief for," Thompson said.

Even if an organization has top-notch cybersecurity and across-the-board buy-in from employees, it still may not be enough. One expert, Acceptto CEO Shahrokh Shahidzadeh, said attackers are able to leverage "the unparalleled availability of stolen/exposed credentials available courtesy of the numerous breaches that have been made visible in the press."

He said that, relative to the usual phishing attempts, many attacks seem to be more successful when they take advantage of a valid digital credential before planting the ransomware.

"Unfortunately, current binary approaches to authentication allow too many cybercriminals into networks, allowing them to effectively plant ransomware attacks," Shahidzadeh said. 

"The use of valid digital credentials which have been purchased on the dark web, or stolen outright in a breach, provides the best access for planting ransomware when a targeted organization doesn't have a continuous, behavior-based authentication solution which would catch the inappropriate use of that credential."

The increase in ransomware attacks was no surprise to Pravin Madhani, CEO and co-founder of K2 Cyber Security. Madhani noted that the easiest way for cyberattackers to get in is through simple, yet effective phishing campaigns. 

It's also possible, Madhani said, for ransomware to be deployed utilizing exploited vulnerabilities. He added that large organizations like Carnival that own multiple brands have to make sure their entire supply chain is protected. 

In addition to routine patching, basic staff education on phishing and defense for any internet-facing application, enterprises "need to make sure they vet the security of partners as thoroughly as they vet their own security infrastructure."

Updated August 20, 2020: A quote that originally appeared in this article was removed.
