Ransomware Attack Hits Carnival Cruise Corporation: What We Know

Published 20 August 2020
Source: SecureWorld

“Ransomware attackers are not interested in stealing assets and using them to cause damage, but in exploiting the value of the asset to its owner.” Steve Durbin, Managing Director, ISF

Talk about kicking someone, or some organization, when it’s down.

The Carnival Corporation, which has canceled cruises for months now as a result of COVID-19, says one of its cruise brands was hit with a ransomware cyberattack.

Carnival owns Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises (Australia), Costa Cruises, AIDA Cruises, P&O Cruises (UK), and Cunard.

What do we know about the Carnival Cruises ransomware attack?

The cruise line did not specify which of its cruise brands was impacted.

Right now, everything we know comes from the company’s special filing with the U.S. Securities and Exchange Commission, notifying the SEC of the data breach.

  • Hackers encrypted some files.
  • Hackers exfiltrated (downloaded) some data.
  • Remediation is underway.

Here is Carnival Corporation’s ransomware and cyber incident statement, in full:

On August 15, 2020, Carnival Corporation and Carnival plc (together, the “Company,” “we,” “us,” or “our”) detected a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. The unauthorized access also included the download of certain of our data files.

Promptly upon its detection of the security event, the Company launched an investigation and notified law enforcement, and engaged legal counsel and other incident response professionals.

While the investigation of the incident is ongoing, the Company has implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems. The Company is working with industry leading cybersecurity firms to immediately respond to the threat, defend the Company’s information technology systems, and conduct remediation.

Based on its preliminary assessment and on the information currently known (in particular, that the incident occurred in a portion of a brand’s information technology systems), the Company does not believe the incident will have a material impact on its business, operations or financial results.

Nonetheless, we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies. Although we believe that no other information technology systems of the other Company’s brands have been impacted by this incident based upon our investigation to date, there can be no assurance that other information technology systems of the other Company’s brands will not be adversely affected.

Ransomware attacks 2020: what do cybercriminals want?

Security researcher and pentester Vinny Troia tells SecureWorld that although some hackers love making headlines and the notoriety of it all, most have a very specific motivation for their attacks:

“Money, money. At the end of the day, it almost always comes back to money,” says Troia.

And Steve Durbin, managing director of the Information Security Forum, explains how ransomware attacks are being used to achieve this end:

“Ransomware attackers are not interested in stealing assets and using them to cause damage, but in exploiting the value of the asset to its owner. When striking at organizations, attackers will target systems that are fundamental to business operations, some of which may be operating in an unprotected manner or which may have been unwittingly exposed during the COVID-19 response when workers were forced to access corporate systems from home.”

We’ve seen this repeatedly, where stolen data is used as leverage. Without a ransom payment, the attackers threaten to destroy or publish the data they downloaded during an attack.

Sometimes hackers have even used this stolen information to blackmail customers directly.

Was there a ransom demand in the Carnival attack? And if so, how much? This remains to be seen.