
Port of San Diego Ransomware Attack: Aftermath of the Lowdown SamSam Malware

On September 25, 2018, the U.S. Port of San Diego suffered a severe cyber attack featuring the SamSam Ransomware. The infamous piece of malware, which had already infected more than 200 public and private organizations since December 2015, posed severe challenges to the Port's day-to-day operations. Nevertheless, those challenges did not cause the Port to shut down for a second. Nor did port officials pay the ransom, and recent updates have shown how they succeeded in keeping the ship afloat.

Adequate Prevention is Essential

The Port of San Diego is a vital part of the U.S. maritime infrastructure because of its dual role. While it serves first and foremost commercial cargo and cruise ships, the port could also be turned into a military facility under the command of the Department of Defense if need be. That is why it is hardly a surprise that, before SamSam struck, the port authorities had developed an electronic backup system in line with the FBI's recommendations for dealing with ransomware threats. It was that backup system that allowed port officials to restore the data lost to encryption without having to pay the demanded ransom.

In addition to the regular backups, there were a few more things employees did right to reduce the impact of the SamSam ransomware attack to a minimum. For a start, they made sure to:

  • Shut down every computer in the network.
  • Use replacement PCs and alternative systems.
  • Refrain from exchanging any email attachments whatsoever to contain the infection.

What is more, it appears that the SamSam Ransomware infection took place after the port authorities had launched a campaign aimed at enhancing the security of their network systems to make them resilient against cyber attacks of any kind. Though unfinished at the time, the preparations they had started beforehand proved sufficient to withstand SamSam.

A Stroke of Luck

As it appears, the Port of San Diego's governing commissioners did manage to weather the ransomware storm by making a series of right decisions along the way. However, their success is partly due to the SamSam ransomware itself and the malware actors behind it, because they had focused on harvesting administrative rather than operational data. That is why the attack did not bring routine operations at the docks to a halt and only disrupted some public and business services for a short time instead. A different attack scenario could have had a different, much less favorable outcome.

Unprecedented Treasury and FBI Response

The widespread deployment of SamSam ransomware in attacks against hospitals, educational institutions, corporations, and key government bodies countrywide prompted the FBI to launch a criminal investigation of the nasty cryptovirus. Helped by the Department of Justice and the Treasury Department, the investigation traced the origin of the SamSam ransomware to an Iranian cybergang. That is the gang responsible for extorting bitcoin from SamSam victims. However, the gang reportedly relied on two individuals – Mohammad Ghorbaniyan and Ali Khorashadizadeh – to convert the amassed fortune of BTC to Iranian rials. According to the Treasury, the two ‘facilitators’ used two Bitcoin addresses to do the job, namely:

  • address 1: 149w62rY42aZBox8fGcmqNsXUzSStKeq8C
  • address 2: 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V

Over the last five years or so, Khorashadizadeh and Ghorbaniyan have exchanged 6,000 BTC from the two addresses mentioned above alone. Part of that grand total originates from none other than the SamSam ransomware.

The concerted attack against the Port of San Diego and its ultimately favorable outcome underline the need for any organization to take proper precautions in the day-to-day fight against the cybercrime industry, which shows no signs of slowing down any time soon.
