RansomHub Ransomware Hits West Gulf Maritime Association
The West Gulf Maritime Association (WGMA), a pivotal non-profit organization in the Gulf Coast maritime industry, has recently fallen victim to a ransomware attack orchestrated by the cybercriminal group RansomHub. This incident has raised significant concerns about the security of critical infrastructure within the transportation sector.
About WGMA
Established in 1968 and headquartered in Houston, Texas, WGMA represents over 200 members, including steamship owners, operators, agents, stevedoring companies, and terminal operators across Texas ports and the Port of Lake Charles, Louisiana. The association plays a crucial role in labor relations, payroll services, training, and advocacy within the maritime sector. In 2022, WGMA processed nearly $400 million in payroll for over 8,000 longshore workers, highlighting its significant operational scale.
Attack Overview
RansomHub has claimed responsibility for the ransomware attack on WGMA via their dark web leak site. The attack has compromised WGMA's systems, potentially leading to operational disruptions and data breaches. The specific demands made by the attackers and the full extent of the damage remain undisclosed. WGMA is currently assessing the impact and formulating a response strategy to mitigate the effects of this malicious incident.
About RansomHub
RansomHub is a relatively new ransomware group believed to have roots in Russia. It operates as a Ransomware-as-a-Service (RaaS) group: affiliates who carry out intrusions keep 90% of the ransom, and the remaining 10% goes to the core group. Its victims span several countries, including the US, Brazil, Indonesia, and Vietnam, with no apparent targeting pattern. Its ransomware strains are written in Golang, a language choice in line with recent trends in the ransomware ecosystem.
Potential Vulnerabilities
WGMA's extensive involvement in payroll administration, labor relations, and training makes it a valuable target for ransomware groups. The association's role in processing significant financial transactions and maintaining sensitive labor-related data could have made it particularly vulnerable to cyberattacks. The use of electronic timesheets, direct deposit, and payroll tax reporting systems may have provided multiple entry points for the attackers.
Penetration Methods
While the exact method RansomHub used to gain access remains unclear, the group's common tactics include phishing emails, exploitation of software vulnerabilities, and abuse of weak security protocols. Given RansomHub's sophisticated operations and its use of Golang-based ransomware, a combination of these methods was likely used to infiltrate WGMA's systems.