LockBit ransomware attackers target Japan’s biggest port: but who’s next?

A Russian ransomware group brought Japan’s biggest port to a crushing halt on Tuesday morning. Nagoya Port Authority was just the latest to be hit by LockBit 3.0, raising concerns over what happens next.

The first sign of an attack was at 6.30am on Tuesday morning, when a port employee discovered his computer wasn’t working. Shortly afterwards, a printout appeared on a nearby printer declaring “LockBit” as the culprit.

Nagoya is Japan’s largest port, handling over 10,000 pieces of cargo every day. Toyota is one of its key customers, although a spokesperson said that “shipment of new cars has not been affected”.

The port claims it did not pay the ransom, but it took a team of 60 technicians until late on Thursday evening to work through the affected files. The port is now back up and running.

Who LockBit is targeting — and how to stop it

This attack highlights two consistent themes for LockBit. First, it focuses on G7 nations — which have united to freeze Russian assets since its invasion of Ukraine — and second it targets key parts of the Western economy.

This is the second time LockBit has attacked ports. The first came on Christmas day 2022, when it stole data from the Port of Lisbon.

Read how the world’s largest ports are using AI to keep the global supply chain humming

But it isn’t just port authorities who need to worry. “Industrial systems are attractive targets because the IT infrastructure is usually focussed on high availability rather than security,” said Simon Edwards, CEO and founder of SE Labs (and a board member of AMTSO).

“Many of these systems were built without an intention to connect to the internet. And then they were connected without sophisticated security plans in place.”

So how can organisations protect themselves? “Sometimes security measures in such SCADA [Supervisory Control and Data Acquisition] systems are available but not enabled by default,” Edwards explained.

“Industrial installations should review their equipment thoroughly and consider compartmentalising to allow only necessary internet access.”

Who will LockBit target next?

Although almost all the coverage of this latest LockBit attack points the finger at Russia, Edwards points out that “it’s actually impossible to accurately attribute cyber attacks”. Before adding: “At least through legal means.”

In LockBit’s case, the evidence appears compelling, with four years of attacks to draw upon. We are now dealing with LockBit 3.0 (or LockBit Black), as opposed to LockBit 2.0, which disbanded in 2022, and the original LockBit.

“The group, which has over 1,500 victim announcement records on the SOCRadar platform, broke the record in the first quarter of 2023 as the most active ransomware group by far, with over 300 announced victims,” stated SOCRadar.

It has crunched through the numbers and found that no industry is safe. Manufacturing is LockBit 3.0’s top target, but it has also hit education, legal services and health care sectors.

Nor are you protected if yours is a small business. The ransomware group attacks all sizes indiscriminately, so make sure you understand how ransomware attacks work. And put protective measures in place.