Ransomware hits Port of San Diego, disrupts services for days
Cybercriminals staged a successful ransomware attack against the Port of San Diego earlier this month, though critical operations were largely undisrupted. The attack infected several computer systems at the port, locking some employees out of their computers for days.
The attack was first reported as a nonspecific “cybersecurity incident” on September 25, 2018, but two days later, port CEO Randa Coniglio confirmed the disruption was caused by a ransomware infection.
The Port of San Diego oversees more than 34 miles of waterfront along San Diego Bay, along with the nearly 3 million tons of cargo that travel through it every year. It is a working commercial port with cargo and cruise terminals and its own Harbor Police force, which underscores the seriousness of any disruptive cyberattack on its systems.
What we know so far about the Port of San Diego ransomware attack
The Port of San Diego has been somewhat tight-lipped about the attack, but it appears that its IT teams worked quickly to contain the infection. Port representatives said that its most critical operations were able to continue, despite losing access to several systems.
CNET reported that the attack limited employees’ access to their computers, but that staff were mostly able to continue working. Several public-facing services were shut down, including services for obtaining park permits and public records, as well as other business services.
In a statement, Coniglio played down the impact of the incident, saying it was mostly an “administrative issue and normal port operations are continuing as usual.” Fortunately, the port was able to remain open with no impact on incoming and outgoing ships. Coniglio added: “The port remains open, public safety operations are ongoing, and ships and boats continue to access the bay without impacts from the cybersecurity incident.”
However, The San Diego Union-Tribune reported that the attack disrupted law enforcement operations at the port, at least initially. The San Diego Harbor Police Department was impacted, but was reported to have used “alternative technology systems” to resume operations.
Unknown ransom demand
Port officials did not release many specifics about how the infection was delivered or what form it took on users’ computers. However, they confirmed that the attackers demanded a ransom, payable in bitcoin, to release a decryption key that would unlock the infected data – the hallmark of crypto-locking ransomware.
Officials were mum on the specifics of the ransom demand too, saying only that “the amount that was requested is not being disclosed.”
From a PR standpoint, this is a common strategy for minimizing the perceived seriousness of a negative event such as a ransomware attack. Reporting a high ransom demand, even if unpaid, can lead to more headlines and attract additional unfavorable attention. Similarly, a high ransom demand can also be the sign of a targeted attack, which authorities may not want to disclose until a full investigation can be completed (more on that point in a minute).
On the other hand, officials may have also decided to pay the ransom without saying how much – though there is no evidence that is what took place. Officials did not say whether or not the ransom demand was met, but from statements it appears that the incident was effectively resolved by its response teams.
Recovery team mobilization
From official statements and news reporting, it sounds like the Port of San Diego was well-prepared for responding to such an attack. The minimal impact on critical operations alone is a good sign that the port had emergency continuity procedures in place before the attack occurred.
Officials emphasized that they had recovery teams actively addressing the problem. One of the port’s first statements about the incident said: “The port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems. The team is currently determining the extent and timing of the incident and the amount of damage to information technology resources, and developing a plan for recovery.”
Authorities from several federal law enforcement agencies were reported to be investigating the attack, including the FBI, Department of Homeland Security and the U.S. Coast Guard.
Ransomware targeting the shipping & logistics industry
The shipping industry is just as vulnerable to a ransomware attack as other notable targets.
Just last year, Danish shipping giant Maersk announced it was one of the many victims of the global NotPetya outbreak. While the company initially said there was minimal impact on shipping operations, their story quickly changed. Two months later, the company revealed that the attack had cost it as much as $300 million. NotPetya is worth singling out because, although it presented a ransom note, its “decryption” mechanism could not actually restore files; paying was never an option, and recovery depended entirely on rebuilding systems from backups.
The Los Angeles Times reported that Maersk’s shipping terminal operations were “snarled” worldwide and led to the shutdown of the largest cargo terminal at the Port of Los Angeles. The attack “forced workers to improvise with Twitter, WhatsApp and Post-It notes as they struggled to get goods moving from ships to shore again,” according to the Times.
The sheer importance of operations at a major U.S. port makes it a high-profile target. But it’s also worth noting that ransomware usually isn’t very selective about who gets attacked. Most strains are designed to infect any computer system they can reach, usually via spam email and phishing attacks.
It’s unclear whether the attack on the Port of San Diego was targeted or opportunistic like most ransomware attacks. If the ransom demand was unusually high (at the time, typical demands were reported to average around $1,000, whereas targeted intrusions such as the SamSam attacks discussed below asked for five-figure sums), then there’s a good chance the port was singled out by the attackers.
Not a new problem.
Regardless of whether the attack was targeted, the threat of ransomware should not come as a surprise to businesses that take cybersecurity seriously.
A year before the widespread attacks of WannaCry and NotPetya, ransomware was already well-known in the business community for its data destruction.
In the spring of 2016, the FBI warned that ransomware incidents were on the rise. In a statement, they named several industries and sectors that were particularly at risk, given the nature of their sensitive data: “hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses.”
And not going away, either.
The latest data shows ransomware in a modest decline as attackers put more energy into cryptojacking malware. But don’t celebrate just yet.
Cybersecurity experts have found that ransomware is getting sneakier and more sophisticated. Attackers are finding ways to deliver infections that need no user action at all: exploiting unpatched vulnerabilities in exposed services (WannaCry and NotPetya both spread through a Windows SMB flaw that had a patch available months earlier), and placing malicious ads on otherwise legitimate websites (malvertising).
As for the costs of a successful attack, those aren’t getting any smaller either. While the ransom demands are often nominal (intentionally so, because it increases the chances of businesses paying up), the real costs add up during the downtime and recovery.
A SamSam ransomware attack earlier this year on Atlanta’s government systems cost the city as much as $17 million to fix.
What’s at stake and what could have gone wrong
Let’s return to the Port of San Diego for a moment to underscore just how bad the event could have been, if things had gone differently.
To all appearances, the port was prepared. But what if it hadn’t been?
The Port of San Diego is not a government entity per se, but instead a medium-size public-benefit corporation. According to the LA Times, it has nearly 570 employees and “plays an integral role in public safety with its connection to the Harbor Police, and its operation of cargo and cruise terminals.” The port’s 34-mile waterfront property spans five cities and leases property to 800 businesses. One of those tenants is General Dynamics-NASSCO, which builds and repairs American warships.
What if all 570 employees had been idled? What if all port operations had to be halted? How many businesses would have been affected? What would the costs have been? How might it have impacted our national security?
Case in point: a single ransomware attack can do a whole lot of damage when companies aren’t prepared, and this particular attack could have been a lot worse.
Preventing your own ransomware disaster
What’s the single most important step you can take to prevent ransomware from freezing your operations?
Back. Up. Everything.
A good data backup system will ensure you can roll back to a clean recovery point after an attack has occurred. That does not by itself remove the attacker’s foothold (the initial point of entry still has to be found and closed before systems are put back online), but it takes the decision to pay off the table. Two caveats matter in practice: backups must be kept where the ransomware cannot reach them (offline, or on immutable or versioned storage, since many strains deliberately delete shadow copies and encrypt any backup share they can write to), and restores must be tested regularly, because a backup that has never been restored is only a hope.
With the Datto SIRIS, for example, you can back up all data—not just files, but applications and operating systems, including physical or virtual environments. For even faster recovery, you can boot those backups as virtual machines to continue running your applications, directly from the SIRIS or the Datto Cloud. Even better, there’s built-in ransomware protection that automatically detects the earliest signs of an infection and alerts administrators to take action.
As for avoiding an attack altogether, there are several steps to preventing an infection that we outline in our complete guide to ransomware. The two big ones are: 1) strong anti-malware software and 2) ongoing employee training. Since most ransomware infections occur due to phishing attacks and other human error, you can significantly curb your risk by training employees on best practices for email and Web. Because some strains now spread through unpatched vulnerabilities with no user involvement, prompt patching and limiting the services exposed to the internet belong on the list as well.
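To make the “clean recovery point” and “earliest signs of infection” ideas above concrete, here is an added example that is not code from the article, from Datto, or from the Port of San Diego. It snapshots a directory into a content-addressed backup with a manifest of hashes and byte entropies, compares the live tree against that manifest to flag a crypto-locker’s signature (many low-entropy documents suddenly becoming near-random, dropped ransom notes, renamed extensions), and restores from the snapshot while verifying every object so a tampered backup is refused rather than trusted. The file names, the note-name markers, the entropy thresholds and the 50% change ratio are assumptions chosen for the demonstration; the sample directory and the simulated attacker are constructed inline.

```python
import hashlib
import json
import math
import os
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumed heuristics (not from the article): substrings attackers commonly put in
# ransom-note file names, and extensions appended to encrypted files. Tune per site.
NOTE_MARKERS = ("decrypt", "recover", "how_to")
BAD_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit around 4-5, encrypted or random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(src: Path, store: Path) -> Path:
    """Copy every file under src into a content-addressed snapshot with a manifest."""
    snap = store / f"snap-{time.time_ns()}"
    (snap / "objects").mkdir(parents=True)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            (snap / "objects" / digest).write_bytes(data)
            manifest[p.relative_to(src).as_posix()] = {"sha256": digest, "entropy": shannon_entropy(data)}
    (snap / "manifest.json").write_text(json.dumps(manifest))
    return snap


def assess(src: Path, snap: Path) -> dict:
    """Compare the live tree against the last snapshot and flag ransomware-like change patterns."""
    manifest = json.loads((snap / "manifest.json").read_text())
    live = {p.relative_to(src).as_posix(): p for p in src.rglob("*") if p.is_file()}
    rewritten = missing = 0
    for rel, meta in manifest.items():
        p = live.get(rel)
        if p is None:
            missing += 1
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            # A previously low-entropy file that became near-random is the crypto-locking signature;
            # an ordinary edit changes the hash but keeps the entropy low.
            if meta["entropy"] < 6.0 and shannon_entropy(data) > 7.0:
                rewritten += 1
    notes = [r for r in live if r not in manifest and any(m in r.lower() for m in NOTE_MARKERS)]
    renamed = [r for r in live if Path(r).suffix.lower() in BAD_SUFFIXES]
    total = max(len(manifest), 1)
    # Alert when half the tree was encrypted or vanished, or on direct artefacts of an infection.
    suspicious = (rewritten + missing) / total >= 0.5 or bool(notes) or bool(renamed)
    return {"suspicious": suspicious, "high_entropy_rewrites": rewritten, "missing": missing,
            "ransom_notes": notes, "renamed": renamed}


def restore(snap: Path, dest: Path) -> int:
    """Rebuild the tree from a snapshot, verifying each object against the manifest; returns file count."""
    manifest = json.loads((snap / "manifest.json").read_text())
    for rel, meta in manifest.items():
        data = (snap / "objects" / meta["sha256"]).read_bytes()
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            # The backup itself was altered (e.g. the ransomware reached the backup share): refuse it.
            raise RuntimeError(f"backup object for {rel} fails integrity check")
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        out.write_bytes(data)
    return len(manifest)


def demo() -> dict:
    """Constructed scenario: snapshot, one benign edit, simulated crypto-locker, verified rollback."""
    root = Path(tempfile.mkdtemp())
    try:
        src, store, recovered = root / "share", root / "backups", root / "recovered"
        src.mkdir(); store.mkdir(); recovered.mkdir()
        for name in ("manifest.csv", "permits/park-permit.txt", "records/request.txt"):
            f = src / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(f"record,{name},approved\n" * 60)  # constructed low-entropy content
        snap = snapshot(src, store)

        (src / "records/request.txt").write_text("updated,request,pending\n" * 60)
        clean = assess(src, snap)  # one ordinary edit: must not trip the alarm

        for p in src.rglob("*"):  # simulated attacker: overwrite every file with random bytes
            if p.is_file():
                p.write_bytes(os.urandom(p.stat().st_size))
        (src / "HOW_TO_DECRYPT.txt").write_text("pay in bitcoin to get your key")  # constructed note
        infected = assess(src, snap)

        restored = restore(snap, recovered)
        manifest = json.loads((snap / "manifest.json").read_text())
        verified = all(hashlib.sha256((recovered / r).read_bytes()).hexdigest() == m["sha256"]
                       for r, m in manifest.items())
        return {"clean": clean, "infected": infected, "restored": restored, "verified": verified}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The point of the integrity check in restore is the caveat from the text: the snapshot directory here lives on the same disk only for the sake of a self-contained demo, and a real store must be offline or immutable, otherwise the same ransomware that encrypted the share would encrypt the objects, and the restore would correctly refuse them rather than silently put back garbage.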
For more information on how your company can defend against ransomware and other data threats, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email [email protected] or request a free Datto demo today.