Cybercrime , Fraud Management & Cybercrime , Geo Focus: Brazil

Ransomware Crypto-Locks Port of San Diego IT Systems

Port Remains Open and Accessible to Ships, Officials Say
Ransomware Crypto-Locks Port of San Diego IT Systems
Port of San Diego. (Photo: Dale Frost, via Flickr/CC)

Several days after the Port of San Diego was hit by a crypto-locking ransomware attack, information security experts are continuing to respond to the incident and many port systems remain offline.

See Also: Gartner Guide for Digital Forensics and Incident Response

The attacker or group of hackers behind the attempted shakedown has also demanded a ransom, payable in bitcoin, in exchange for the promise of a decryption key, port officials say.

The port says that while IT systems have been disrupted, much of the port's business continues without interruption.

"It is important to note that this is mainly an administrative issue and normal port operations are continuing as usual," says Port of San Diego CEO Randa Coniglio in a statement. "The port remains open, public safety operations are ongoing, and ships and boats continue to access the bay without impacts from the cybersecurity incident."

The Port of San Diego - spanning the cities of Chula Vista, Coronado, Imperial Beach, National City and San Diego along the 34 miles of the San Diego Bay - is the fourth largest of California's 11 ports. It includes two maritime cargo terminals, two cruise ship terminals, 22 public parks, the Harbor Police Department and leases for hundreds of businesses, including 17 hotels, 74 restaurants and three retail centers, plus museums and bay tours.

Due to the ransomware outbreak, the port says it cannot issue park permits, respond to public records requests or provide other business services.

Coniglio says that while some systems were infected with ransomware, as the IT team began investigating, "out of an abundance of caution" they began proactively shutting down other systems, which helped blunt the ransomware outbreak.

Disaster Recovery Continues

The Port of San Diego says it's working with the FBI and the Department of Homeland Security to investigate, remains in close coordination with the U.S. Coast Guard, and notes that it immediately brought in a team of experts to assist.

"The port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems," Coniglio says. "The team is currently determining the extent and timing of the incident and the amount of damage to information technology resources, and developing a plan for recovery."

Ransom Demand, Payable in Bitcoin

"The port can also now confirm that the ransom note requested payment in bitcoin, although the amount that was requested is not being disclosed," Coniglio says. "As previously stated, the port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality."

The port first disclosed the attack on Wednesday, warning that it learned on Tuesday that its IT systems had suffered a "serious cybersecurity incident."

Target: Shipping Sector

The shipping sector has not been immune to ransomware attacks. Beginning on June 27, 2017, the ransomware campaign known as NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C - began in Ukraine. But it spread to organizations in many other countries. One victim was Danish shipping giant A.P. Møller - Maersk, the world's biggest shipping firm, which had to reroute ships and was unable to dock or unload cargo ships in dozens of ports.

Maersk estimated that it would lose about $300 million because of the ransomware outbreak.

Earlier this year, meanwhile, state-owned Cosco, aka China Ocean Shipping Company, said that operations in the United States, Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay were interrupted. Cosco, however, said the ransomware outbreak did not interrupt its operations at the Port of Long Beach in California - the country's second busiest container port - where it operates a large container facility.

SamSam Attacks Continue

The Port of San Diego didn't immediately respond to a request for comment about which strain of ransomware had crypto-locked its systems or if it has considered paying the ransom (see Paying Ransoms: More Cons Than Pros).

Officials have promised to provide more information as their investigation continues.

But one likely culprit is the gang behind the SamSam ransomware, which has increasingly targeted its attacks against larger private-sector organizations with public sector operations.

In March, the city of Atlanta was hit by SamSam ransomware, leaving 8,000 city employees unable to use their PCs for several days and led to longer outages for residents who wanted to pay for parking tickets or report potholes online as the city's IT team continued to grapple with the incident (see Atlanta's Reported Ransomware Bill: Up to $17 Million).

Ransomware Remains Potent Threat

Security and law enforcement experts have been charting a shift by many criminals from running ransomware campaigns to infecting systems with cryptocurrency mining software, in what's known as cryptojacking or cryptomining attacks.

But the Port of San Diego ransomware outbreak is a reminder that crypto-locking malware remains a potent and still widespread threat.

"Broadly speaking, we've seen ransomware as one of the dominant forms of attack throughout the last year, though it's starting to slow down a little and lose something in terms of innovative attacks," Christopher Boyd, lead malware intelligence analyst at security firm Malwarebytes, told Information Security Media Group last week.

In a report issued last week, Europol - the EU's law enforcement intelligence agency - warned that "cryptomining malware is expected to become a regular, low-risk revenue stream for cybercriminals'" (see Cybercrime: 15 Top Threats and Trends).

But it also noted that "ransomware remains the key malware threat in both law enforcement and industry reporting," and that it expects that to continue.

What hasn't been changing, however, are names of the various ransomware strains being most used by attackers. "The most commonly reported ransomware families are Cerber, Cryptolocker, Crysis, Curve-Tor-Bitcoin Locker (CTB- Locker), Dharma and Locky," Europol says. "With the exception of Dharma, for which decryption keys are now available, all of these were reported in previous years."

The groups that continue to develop these strains of malware continue to issue newer versions that are designedt to evade more recent security defenses. For one recently released version of Dharma, for example, no free decryptor is available (see Scotland's Arran Brewery Slammed by Dharma Bip Ransomware).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.com, you agree to our use of cookies.