Breaking: Ransomware attack hits Massachusetts trucking company

A family-owned Massachusetts trucking company has fallen victim to a ransomware attack, according to a cybersecurity expert who alerted FreightWaves to the situation early Thursday.

A representative of Tom Berkowitz Trucking Inc. of Whitinsville, Massachusetts, confirmed the ransomware attack to FreightWaves but would not comment further.

The recycling company, which has been in operation since 1981, has 16 trucks and 13 drivers, according to the Federal Motor Carrier Safety Administration’s SAFER website.

So far, more than 781 megabytes of the company’s data has been released on the “clear web,” or publicly accessible web pages, according to Brett Callow, a spokesman with Emsisoft, an anti-malware firm.

He said Maze ransomware is behind the attack and the carrier’s system has been locked down since April 25. Maze is known to encrypt and release a carrier’s customer list, payroll information and financial information until the attacker’s demands have been met. The attacker then provides a decryption code — sometimes.

“Maze’s demands are going to be victim-specific,” Callow told FreightWaves. “They are not going to ask for more than what they believe the company will be willing and able to pay.”

During these types of attacks, Maze usually has had “access to the networks of these companies for quite some time,” he said.

“They’ve been able to look around for a company’s financial information, so they will have a fair idea of how much the company has and if the company has insurance,” Callow said. “They know what sort of demands they can reasonably make before they will decrypt the company’s data and destroy a copy of the data they’ve stolen.”

While many companies aren’t forthcoming when these types of ransomware attacks occur, Callow said it is important to report these incidents to the FBI and employ cybersecurity firms because stolen data can be used to attack other organizations, including through identity fraud and phishing attacks.

“These criminals can use the information they steal from one company to craft a convincing email to another company that is likely to open it, then their data has been compromised,” he said. “Generally, companies do not want to admit when these attacks happen, but if a customer’s information is stolen and posted on the web, they need to know about it so they can set up credit monitoring and be able to look out for spams and scams.”

The FBI does not support paying a ransom in response to an attack because it doesn’t guarantee an organization will get its data back, citing cases in which “organizations never received a decryption key after paying the ransom.”

“Paying a ransom also emboldens current cybercriminals to target more organizations and offers an incentive for other criminals to get involved in this type of illegal activity,” the FBI said on its website.

Around this time of year through the end of summer, there is typically an uptick in ransomware attacks, and the COVID-19 pandemic, which has many companies working remotely, could also increase attacks, Callow said.

“Attacks at this time of year are likely because people are on vacation and IT teams may not be as quick to respond to an attack as they otherwise would be or in a situation, like we have now,” he said. “The attacks can be sent in an email or they can be exposed through remote access, which are the two most common ways Maze uses to gain access to a company’s system.”

Maze hackers typically crawl around in a company’s network for weeks before posting a ransom amount the business must pay to have its data decrypted before it is released on public websites or on the dark web.

“If the company doesn’t pay, they will potentially try other ways,” Callow said. “A company’s data can be weaponized and used against them to destroy their reputation, to steal their business partners and customers, and it’s all to create additional leverage to get the company to pay.”

On their site, the cyber attackers — dubbed the Maze Team — has a press release section and is offering “exclusive discounts to help commercial organizations as much as possible” because of the global economic crisis stemming from the coronavirus pandemic.

“I suspect this means that because so many companies are struggling financially, they are not able to extract money as easily as they could in the past,” Callow said.

Less-than-truckload carrier A. Duie Pyle of West Chester, Pennsylvania, was a victim of a ransomware attack in June 2019. 

Peter Latta, chief executive of the carrier, said the company refused to pay the ransom and instead took the approach that “we were going to be very open and honest with our customers,” according to an interview with FreightWaves a few months after the attack.

“The FBI told us that nobody is immune from a ransomware attack,” Latta said. “It’s not a matter of if, it’s a matter of when.”

While Latta said the LTL carrier had to rebuild all of its applications from the ground up, it was worth it.

“Customers continued to support us even when our service wasn’t quite spot on, but it was pretty close,” he said.

Louisiana state websites and online services — including those of the Department of Transportation and Development (DOTD) and the Office of Motor Vehicles (OMV) — were taken down after a ransomware attack was discovered in November. Gov. John Bel Edwards tweeted at that time that the state did not pay a ransom and there was no “anticipated data loss” from the attack.

Callow said if trucking companies don’t have the resources in house to make sure their systems are secure from malware attacks, they should seek professional help.

“The message is prepare now or pay later,” Callow told FreightWaves. “Everyone will be targeted at some point.”

Read more articles by FreightWaves’ Clarissa Hawes