Port of San Diego Ransomware Claim by SamSam (Sep 2018)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
The SamSam ransomware group has allegedly claimed responsibility for a cyberattack on the Port of San Diego, a major transportation and logistics hub in the United States. According to a post on the group’s leak site, the attack purportedly occurred on September 28, 2018. The group has not disclosed the volume or nature of the data allegedly exfiltrated, and no samples or proof of compromise have been provided at this time. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
SamSam is a ransomware group that has been active since at least 2015, primarily targeting organizations in the healthcare, government, and critical infrastructure sectors. The group is known for using a combination of custom tools and publicly available exploits to gain initial access, often through exposed Remote Desktop Protocol (RDP) services or exploited vulnerabilities in JBoss servers. SamSam is distinct from many ransomware groups in that it does not typically operate a public leak site or engage in double extortion (encryption plus data theft). Instead, the group historically focused on encrypting systems and demanding ransom payments for decryption keys. The group’s total victim count is unknown, and public research on SamSam is limited, making it difficult to assess its current operational capabilities or credibility. The group’s tactics, techniques, and procedures (TTPs) include manual deployment of ransomware, lateral movement via PowerShell, and use of tools like PsExec for propagation.
Alleged Data Exposure
The Port of San Diego claim does not include any specific details about the data allegedly compromised. The group has not provided file lists, data samples, or evidence of exfiltration. Given SamSam’s historical focus on encryption rather than data theft, this claim may be an attempt to pressure the victim into payment, or it could represent a shift in the group’s tactics. Without further information, the scope of any alleged data exposure remains unclear.
Potential Impact
If the claim is verified, the Port of San Diego could face significant operational disruptions, including delays in cargo processing, port security operations, and law enforcement activities (as the port includes a police department). The transportation and logistics sector is considered critical infrastructure, and a ransomware attack could have cascading effects on supply chains, maritime traffic, and regional commerce. Additionally, any compromise of sensitive data could lead to regulatory scrutiny under frameworks like the Maritime Transportation Security Act (MTSA) or state breach notification laws.
What to Watch For
- Official Confirmation: Monitor the Port of San Diego’s official communications for any acknowledgment of a security incident.
- Ransomware Indicators: Look for SamSam-specific indicators, such as file extensions (e.g., .samsam, .satan) or ransom notes demanding payment in Bitcoin.
- Detection Guidance: No YARA rules or specific detection guidance for SamSam are publicly available at this time. Organizations should review their RDP and JBoss server configurations and apply patches for known vulnerabilities.
- Third-Party Reports: Check for updates from cybersecurity vendors or government agencies (e.g., CISA) regarding the incident.
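The TTPs in the profile above (interactive RDP logon, then PsExec and PowerShell for propagation) can be hunted as a sequence in Windows event telemetry. The following script is an added illustration, not part of this report or any vendor guidance; it assumes events have been exported as JSON lines with the field names shown (host, user, logon_type, service, process are assumed names), and the sample records are constructed, not real telemetry. Event IDs 4624 (logon, type 10 = RemoteInteractive), 7045 (service installed) and 4688 (process creation) are standard Windows IDs.

```python
"""Flag hosts where an RDP logon is followed, within a time window, by a
PsExec service install (PSEXESVC) or a PowerShell launch by the same account."""
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines) - field names are assumed, not a real schema.
SAMPLE_EVENTS = """\
{"ts": "2018-09-28T02:10:05", "host": "FILESRV01", "event_id": 4624, "logon_type": 10, "user": "svc_backup"}
{"ts": "2018-09-28T02:14:40", "host": "FILESRV01", "event_id": 7045, "service": "PSEXESVC", "user": "svc_backup"}
{"ts": "2018-09-28T02:15:02", "host": "FILESRV01", "event_id": 4688, "process": "powershell.exe", "user": "svc_backup"}
{"ts": "2018-09-28T09:00:00", "host": "WKS-HR-07", "event_id": 4624, "logon_type": 2, "user": "jdoe"}
{"ts": "2018-09-28T09:30:00", "host": "WKS-HR-07", "event_id": 4688, "process": "powershell.exe", "user": "jdoe"}
{"ts": "2018-09-27T22:00:00", "host": "APP02", "event_id": 4624, "logon_type": 10, "user": "admin"}
{"ts": "2018-09-28T05:00:00", "host": "APP02", "event_id": 7045, "service": "PSEXESVC", "user": "admin"}
"""

WINDOW = timedelta(hours=1)  # follow-on activity later than this is not tied to the logon


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def is_followon(e):
    """PsExec service install or PowerShell launch: the propagation TTPs in the profile."""
    return (e["event_id"] == 7045 and e.get("service", "").upper() == "PSEXESVC") or \
           (e["event_id"] == 4688 and e.get("process", "").lower() == "powershell.exe")


def find_chains(events, window=WINDOW):
    """Return {host: [follow-on events]} for hosts where an RDP logon (4624, logon
    type 10) is followed by PsExec or PowerShell from the same account within window."""
    hits = {}
    rdp_logons = [e for e in events if e["event_id"] == 4624 and e.get("logon_type") == 10]
    for logon in rdp_logons:
        for e in events:
            if e["host"] == logon["host"] and e["user"] == logon["user"] \
               and logon["ts"] < e["ts"] <= logon["ts"] + window and is_followon(e):
                hits.setdefault(logon["host"], []).append(e)
    return hits


if __name__ == "__main__":
    for host, evs in find_chains(parse_events(SAMPLE_EVENTS)).items():
        print(host, [(e["event_id"], e["ts"].isoformat()) for e in evs])
```

On the sample data only FILESRV01 is flagged: the local (type 2) logon on WKS-HR-07 is not RDP, and the PsExec install on APP02 comes seven hours after the logon, outside the window.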
Disclaimer
This report is based on unverified claims made by the SamSam ransomware group on a leak site. Yazoul Security has not independently confirmed the validity of these claims, the extent of any data compromise, or the identity of the victim. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. This information is provided for intelligence purposes only and should not be used as a basis for action without further verification.