Thought Leadership

Ransomware Attacks Targeting Western European Oil Port Terminals

Client Updates

Issue in brief: The latest large-scale ransomware attack has targeted oil port terminal software in at least 17 ports in Western Europe, re-routing tankers and significantly disrupting supply chains.

Response in brief: Cyberattacks like these are increasing in frequency and sophistication. Companies in all industries need to assess their security programs, incident response plans, and business continuity plans to be prepared.

Rolling ransomware attacks affecting port terminals

Port facilities in Belgium, Germany, and the Netherlands recently reported large-scale cyberattacks that have disrupted operations at oil terminals, preventing tankers from delivering energy supplies throughout the region. The attacks reportedly began several days ago and have impacted at least 17 terminals, including those in Hamburg, Ghent, Antwerp-Zeebrugge, and Rotterdam. Although the full extent of the attacks is not yet known, reports indicate that ransomware attacks targeting the port terminals’ software have prevented them from processing barges, resulting in re-routing and congestion while preventing tankers from loading and unloading.

The attacks appear to have unfolded over several days and remain ongoing, though some reports indicate the situation has begun to improve. Certain companies have reported that the attacks began on January 29, 2022, and that some storage sites are continuing to operate at limited capacity. These incidents have impacted the supply of some oil products in Germany, especially in the key port of Hamburg.

Initial reports from Germany's security services identifies BlackCat ransomware as the tool responsible for disrupting the port terminals’ systems. BlackCat (also known as ALPHV) has quickly spread across the ransomware marketplace by offering high payouts to criminal affiliates who use the tool. It is a particularly sophisticated strain of ransomware that is easily customizable, making it difficult to shut down. Since emerging in December 2021, BlackCat ransomware has targeted a range of industries, including construction, insurance, and transport. The reported ransom demands are around $14 million, well above the average reported demand.

Critical infrastructure in the crosshairs

Unfortunately, cyberattacks like these are increasing in frequency and sophistication, and the industrial and manufacturing sectors are frequently targeted by criminal organizations seeking large payouts from companies that need to regain control of their systems quickly. These criminals know that the downtime caused by a ransomware attack not only costs the victim company money but also denies essential services to the public until the breach is resolved. And, because software like BlackCat makes it easy for threat actors to carry out these attacks without sophisticated knowledge or extensive resources, the problem is not going away any time soon.

Preparation is the best strategy for defense against ransomware

While no security is invulnerable, readiness and preparation are key to successfully responding to a ransomware attack. Organizations should consider the following when assessing their security and incident response posture:

Security Governance: Strengthen overall security posture and security governance, including following best practices around protective controls and vulnerability and access management, such as:

  • Implementing network segmentation between IT and OT networks and environments; changing OT hardware to read-only when possible; and isolate OT networks to the extent possible and practical
  • Requiring multi-factor authentication for all users
  • Having a strong password and credential storage policy
  • Enabling strong filters to prevent phishing emails from reaching end-users and filtering emails containing executable, batch, or other threating files or links
  • Ensuring up-to-date patching and software upgrades
  • Setting anti-virus/anti-malware programs to conduct regular scans
  • Utilizing endpoint detection tools across all systems to the extent possible
  • Verifying and validating back-up systems for all production servers and ensuring the back-up data is encrypted and isolated

Security and Network Monitoring: Organizations should actively monitor logs for suspicious activities like multiple login failures; password spray activity; unusual authentication requests; and evidence and artifacts from known threat actors.

Incident Response: Formalized internal and external incident response teams in place before an attack occurs is vital to minimize business disruptions, recover lost data, and prepare necessary disclosures to regulators. Likewise, advance preparation and training is key to an effective response. Experienced outside counsel can help you develop (and update) incident response and business continuity plans so recovery efforts proceed as quickly as possible when an attack occurs.

Vendor Management: Develop a process for assessing risk for third parties that have network access and develop requirements for compensating controls for identified vendor risks.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit

Related Professionals