Port of San Diego Continues to Recover from Ransomware Attack

Recent attack highlights the importance of data backups in the face of ransomware threats.

The Port of San Diego, which disclosed late last month that it had suffered from a ransomware attack on Sept. 25, continues to recover from the attack. 

The port has continued to operate, but some computer and IT systems remained offline as of last week, according to The San Diego Union-Tribune. The port is working with local, regional, state and federal experts to restore its systems, the newspaper reports, and the FBI and Department of Homeland Security are part of the investigation.

While the port has not been totally crippled, the attack highlights the continuing threat of ransomware, especially since it came shortly after an attack struck the Port of Barcelona, as ZDNet reports. The attack also underscores the need for all state and local government organizations to take the necessary precautions to guard against and mitigate ransomware attacks.


Port of San Diego Suffers a Cyberattack

The Port of San Diego disclosed on Sept. 27 that an incident first reported on Sept. 25 had disrupted the agency’s IT systems. The port described the problem as “mainly an administrative issue” and said normal port operations were continuing as usual.

“The Port remains open, public safety operations are ongoing, and ships and boats continue to access the Bay without impacts from the cybersecurity incident,” Port of San Diego CEO Randa Coniglio said in a statement.

Coniglio noted that, while some of the port’s IT systems were compromised by the attack, port staff also “proactively shut down other systems out of an abundance of caution.” 

The ransom note the port received requested payment in bitcoin, although the amount that was requested is not being disclosed. Park permits cannot be accepted online, and public records requests are taking longer to process, according to the Union-Tribune.


Why It’s Important to Guard Against Ransomware

It can take a long time to repair IT systems and computers infected by ransomware, and doing so sometimes requires manually disinfecting hard drives and reconfiguring systems. 

“There is a lot of triage and analysis work you need to do in a recovery operation,” Stephen Cobb, a researcher with internet security software firm ESET, told the Union-Tribune. “It is a tedious process.”

Ransomware spreads not only through email but also through malware hidden in online advertising. Attackers are also downloading ready-made kits that let them deploy ransomware with little effort, a practice known as Ransomware as a Service.

To help mitigate these risks, organizations should deploy a multilayered security program in order to prevent the intrusion of malware and allow for quick recovery in case an attack is not stopped, says Darius Goodall, director of product marketing at Barracuda Networks.

Goodall notes that, while detection and mitigation are key, there are instances when ransomware attacks succeed. That is why it is critical for organizations to back up their data.

“If data backup is not in place, there are a few steps one can take,” Goodall says. “First, find out what type of ransomware it is, e.g. encryption, screen-locking, etc. From there, you can see if you’re still able to access files, especially from another location, like a mobile device. If so, then the ransomware is likely fake.”

If the attack is encryption or screen-locking ransomware, Goodall says, IT administrators should disconnect the affected machines from the network, use anti-malware or antivirus software to remove the ransomware, and then use a data recovery tool to look for the original files, which ransomware often deletes after writing encrypted copies.

“It’s critical for organizations to continually test backup and recovery processes while also backing up copies of data at multiple locations,” he adds. “This ensures data has a life somewhere else if compromised.”
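The advice to continually test backup and recovery processes is easy to state and easy to skip. As an added example (not code from the article, the Port of San Diego, or any vendor quoted here), the script below shows the minimum such a test needs: a hash manifest written at backup time, a restore into a scratch location, and a comparison of the restored tree against that manifest rather than against the live source. The directory layout, file names and file contents are constructed for the demonstration; the second restore is deliberately damaged to show what an encrypted-in-place file and a deleted file look like in the report.

```python
"""
Backup integrity and restore test.

A restore is only trustworthy if it is checked against a record made when the
backup was taken. Comparing against the live system is useless once that
system has been encrypted. All paths and sample files below are constructed
for this example.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(tree: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a tree against a manifest.

    Anything in 'missing' or 'modified' means the restore cannot be trusted;
    a file encrypted in place shows up as 'modified' because its hash changed.
    """
    actual = build_manifest(tree)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k, v in manifest.items() if k in actual and actual[k] != v),
        "extra": sorted(set(actual) - set(manifest)),
    }


def backup(source: Path, backup_root: Path) -> dict[str, str]:
    """Copy source to backup_root/data and store the manifest beside it, not inside it."""
    manifest = build_manifest(source)
    shutil.copytree(source, backup_root / "data")
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_and_verify(backup_root: Path, restore_root: Path) -> dict[str, list[str]]:
    """The recovery test: restore to a scratch location and check it against the
    manifest written at backup time."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    shutil.copytree(backup_root / "data", restore_root)
    return verify_tree(restore_root, manifest)


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed sample data: a clean restore test, then a second restore that is
    damaged the way a ransomware run leaves files (one overwritten, one deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "reports").mkdir(parents=True)
        (source / "permits.csv").write_text("id,applicant\n1,harbor tours\n")
        (source / "reports" / "q3.txt").write_text("quarterly operations report\n")

        backup(source, root / "backup")
        clean = restore_and_verify(root / "backup", root / "restore1")

        # Second restore, then simulate damage: an encrypted copy replacing the
        # original content, and a file removed after encryption.
        damaged_root = root / "restore2"
        restore_and_verify(root / "backup", damaged_root)
        (damaged_root / "reports" / "q3.txt").write_bytes(b"\x00\x9a\x41 not-the-original")
        (damaged_root / "permits.csv").unlink()
        manifest = json.loads((root / "backup" / "manifest.json").read_text())
        damaged = verify_tree(damaged_root, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean restore:", clean_report)
    print("damaged restore:", damaged_report)
```

The manifest lives next to the backed-up data rather than inside it, so the thing being verified never carries its own answer key. In a real schedule the restore step would target an isolated host and the manifest would itself be kept in a second location, in line with the advice above to keep copies in multiple places.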

Like many other security pros, Goodall also strongly recommends never negotiating with hackers since there is no guarantee organizations will get their data back. He notes that this is “tough advice to follow when critical data is involved, but ultimately, the real challenge many organizations face is implementing the security measures necessary to prevent your organization from ever finding itself in the position in the first place.”

Oct 11 2018