Inside a ransomware attack on a small trucking company - FreightWaves

Manager describes how hackers breached computers and got into the transportation management system
Nate Tabak, Border and North America Correspondent. Tuesday, February 23, 2021. 4 minutes read


George got the email a week after the ransomware attack on the small trucking and logistics company he manages. It contained screenshots from within the firm’s transportation management system, or TMS, the digital nerve center that orchestrates the movement of trucks and freight.

The hackers sent the screenshots among other stolen data. They aimed to pressure the 25-truck operation into paying a $300,000 ransom in exchange for a promise not to leak them.

The prospect of the leak worried George, but the revelation that hackers had accessed the TMS was especially troubling. Even though they appeared to do nothing beyond taking the screenshots, they were in a position to subvert trucking operations.

[Illustration: two trucks being unloaded beside a screen displaying “files encrypted.”]
Ransomware attacks can cripple operations at trucking and logistics companies by encrypting the data of vital systems. Increasingly, hackers are stealing data, too. (Emily Ricks/FreightWaves)
“It was very alarming,” George said. “They could have cost that side of the business altogether. It’s scary to think about that.”

He suspects the hackers accessed the TMS by harvesting login credentials from the company’s computers. The carrier uses AscendTMS, a cloud-based system that is in widespread use in the industry and is accessible via the web.

“Often it’s the smallest carriers that have the weakest defenses, and they get breached,” said Tim James Higham, CEO of InMotion Global, which makes the TMS.


George is thinking a lot about what could have happened and what he could have done to prevent it. He agreed to share the story with FreightWaves on the condition that neither his real name nor the name and location of his company be published.

Ransomware attack unthinkable for ‘a company like us’
The company, based in a town in the U.S., is among hundreds of thousands of small trucking companies that keep the supply chain going. George assumed the carrier wasn’t big enough to represent an attractive target to cybercriminals.

“Being a small company in a small town, you would have never thought a company like us would get targeted,” George said.

Unfortunately, George couldn’t have been more wrong. Despite high-profile ransomware attacks on large companies — such as the one on Forward Air — small businesses are the most common victims. Their systems generally are less well protected, and the disruption from a successful attack can make them all too willing to pay if it means the difference between staying in business and going under.

George’s company was targeted by a ransomware gang that uses a double-extortion tactic. They breach systems, steal data and then encrypt it to maximize the potential disruption to operations. They demand ransom payments in exchange for unlocking the data and a promise never to post it. The more sophisticated groups often set the ransom after reviewing the victim’s financial information and insurance coverage amounts.

This was a foreign world to George until a recent Monday morning, around 6 a.m. local time, when an employee reported having trouble using his computer.

“They had trucks they needed to unload and noticed things were not kosher,” George said.

George investigated. He initially thought a garden-variety virus had infected the computer.

But this was no ordinary virus.

Encrypted data – and a $300,000 ransom demand
The anti-virus software was disabled, and all of the files were encrypted. The same had happened to all the other computers left on over the weekend, as well as the server.

The hackers left ransom notes in text files, the opening move in their attempt to extort the carrier. It was a ransomware attack.
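The two artifacts the article describes at this point, bulk encrypted files and dropped ransom-note text files, are what a defender can hunt for on a fileshare after the fact. The script below is an added example, not code from the article, the carrier or its IT provider: it measures the Shannon entropy of each file (ciphertext is close to 8 bits per byte, while spreadsheets and documents are far lower) and looks for small text files whose name and wording match a ransom note. The entropy threshold, the note name pattern and the keyword list are assumptions, and the sample directory it scans is constructed inline so it runs offline.

```python
"""Scan a directory tree for two ransomware artifacts: bulk high-entropy
(encrypted) files and dropped ransom-note text files.

Added example with assumed thresholds and name patterns; nothing here is
taken from the article or the affected company's environment."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed patterns: common ransom-note file name fragments and body terms.
NOTE_NAME_RE = re.compile(r"(readme|recover|decrypt|restore|how[_\- ]?to)", re.I)
NOTE_TERMS = ("encrypted", "decrypt", "bitcoin", "payment", "ransom", "tor browser")
ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data approaches 8.0
MIN_SIZE = 1024           # tiny files give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-symbol input, 8.0 max."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: Path) -> bool:
    """Text-like file with a note-style name containing at least two note terms."""
    if path.suffix.lower() not in (".txt", ".html", ".hta"):
        return False
    if not NOTE_NAME_RE.search(path.stem):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(term in text for term in NOTE_TERMS) >= 2


def scan_tree(root) -> dict:
    """Walk the tree and summarize encrypted-looking files and ransom notes."""
    root = Path(root)
    encrypted, notes, total = [], [], 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if looks_like_ransom_note(path):
            notes.append(str(path.relative_to(root)))
            continue
        if path.stat().st_size >= MIN_SIZE and shannon_entropy(path.read_bytes()) >= ENTROPY_THRESHOLD:
            encrypted.append(str(path.relative_to(root)))
    ratio = len(encrypted) / total if total else 0.0
    return {
        "files": total,
        "high_entropy": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "high_entropy_ratio": ratio,
        # Either a note or half the tree being ciphertext is a strong signal.
        "likely_ransomware": bool(notes) or ratio >= 0.5,
    }


def build_sample_tree() -> str:
    """Constructed sample share: two plain-text records, three 'encrypted' files, one note."""
    root = tempfile.mkdtemp(prefix="tms-scan-")
    d = Path(root)
    (d / "loads.csv").write_text("load,origin,dest\n" * 200)
    (d / "customers.csv").write_text("name,phone\nAcme Freight,555-0100\n" * 100)
    for name in ("invoice_jan.xlsx.locked", "dispatch.db.locked", "payroll.pdf.locked"):
        (d / name).write_bytes(os.urandom(8192))   # random bytes stand in for ciphertext
    (d / "RECOVER-FILES.txt").write_text(
        "Your files have been encrypted. To decrypt them, contact us via Tor Browser "
        "and arrange payment.")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run against a real share, the useful output is the ratio over time rather than a single pass: a sudden jump in the fraction of high-entropy files on a server that was left on over a weekend is exactly the pattern the article describes, and it is visible before anyone opens a ransom note.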

George called the company’s IT services provider, which handled the technical side of the response. The company had several things working in its favor. George hadn’t moved it to a digital dispatch system, and he also kept a manually updated spreadsheet of customers and loads. There was also a relatively recent backup of its systems.

“It set us back a couple of days, so it wasn’t crippling,” George said.

The company didn’t have a robust cyber insurance policy. But through its insurer, it investigated the prospect of negotiating with the hackers.

George said he was told the ransom could potentially be negotiated down by around 40%. Paying simply wasn’t worth it.

“We could have replaced all of our systems and equipment for that amount,” he said.

But the hackers weren’t done. They’d soon send emails with samples of the data they’d stolen, with threats to leak it.

One of the reasons why double-extortion attacks have become so successful is that they don’t lean on just the disruption from the cyberattack. They leverage the threat of embarrassment and the fallout from the public disclosure of data on leak sites.


‘To see someone in the inside of your system, it’s very terrifying’
But the company refused to pay. It simply wasn’t worth it. The hackers made good on the threat and posted an extensive amount of data to a leak site on the dark web. While not readily accessible to regular internet users, it’s out there.

George has been notifying all of the customers affected by the data theft, hoping that it won’t cost the company any business.

In the meantime, he and the company have been stepping up their cybersecurity efforts — by investing in more robust services from the IT provider and enhancing training.

“It’s revolutionized the way we do things in a very short period of time,” George said. “We’ve stepped up our game.”

George isn’t sure how the ransomware attack happened in the first place. He suspects it came from a phishing email.

While phishing emails do represent the single most common way ransomware attacks breach company systems, attacks come through a wide array of means, including unsecured servers and remote connections. Phishing emails can also be hard to detect, particularly when they are sent from the accounts of other ransomware victims.

A month after the attack, George has resolved to do everything possible to prevent another one from happening. But he’s still shaken by it.

“Not having dealt with this before, to see someone in the inside of your system, it’s very terrifying,” George said.