Dutch shipping giant Royal Dirkzwager confirms Play ransomware attack

Dutch maritime logistics company Royal Dirkzwager has confirmed that it was hit with ransomware from the Play group, the latest in a string of attacks targeting the shipping industry.

Company CEO Joan Blaas, who bought the company in October after it went bankrupt the month prior, told The Record the ransomware attack did not have an effect on operations but did involve the theft of data from servers that held a range of contracts and personal information.

“It has had a huge impact on our employees. Over the last year, because of the company’s bankruptcy, we had to let go of people and not everyone could stay. We had to move offices and now this. It's been a very difficult time,” he said.

Founded in 1872, Royal Dirkzwager provides information to more than 800 organizations in the maritime industry and registers more than 200,000 ship movements a year. Its systems allow ports to know when ships will arrive and what nautical services will be available when they make it to a port.

Blaas confirmed that the Dutch Data Protection Authority has been notified of the attack and said he is in negotiations with the cybercriminals.

The Play ransomware group added the company to its list of victims on Monday, according to cybersecurity expert Dominic Alvieri. The group first emerged in July 2022 targeting government entities in Latin America, according to Trend Micro, and most recently drew headlines for a damaging attack on the City of Oakland, which has spent weeks recovering from the incident.

The shipping industry has been a frequent target of ransomware actors in recent years. In January, about 1,000 vessels were affected by a ransomware attack against Oslo-based DNV.

DNV is the world’s largest classification society — an organization that manages the technical certifications for the construction and operation of ships and offshore structures. More than 13,175 vessels and mobile offshore units are currently serviced by DNV, which brought in over $2 billion in revenue in 2021.

The January 7 ransomware attack forced the company to shut down the IT servers connected to their ShipManager system.

In an update published on Wednesday, DNV said it had to rebuild the ShipManager server environment and noted that while users are back online, the work to resume the full scope of service is ongoing.

“The forensic investigation conducted by global IT security partners confirmed that no other parts of the DNV IT-infrastructure was affected as part of the attack. DNV user accounts, emails and all other services were not affected by the incident,” a spokesperson said.

They added that the Norwegian Police are investigating and the Norwegian National Security Authority, Data Protection Authority and the German Cyber Security Authority were notified of the incident.

Europe has seen a string of ransomware attacks on ports in the last few years, with the Port of Lisbon attacked by the LockBit ransomware group in January. Multiple ports in Belgium and the Netherlands reported issues after a cyberattack – with terminals operated by SEA-Tank, Oiltanking, and Evos in Antwerp, Ghent, Amsterdam, and Terneuzen all reporting issues related to their operational systems.

Oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls, suffered a cyberattack that crippled their loading and unloading systems in February 2022. Oiltanking said it “declared force majeure” due to the attacks.

Logistics and freight forwarding giant Expeditors International similarly announced a cyberattack last year that crippled some of its operating systems and slowed their operations around the globe for months.