Port of Seattle Hit by Rhysida Ransomware in August 2024 Cyber Attack

In a targeted ransomware attack in August, the Port of Seattle, which operates the city’s seaport and Seattle-Tacoma International Airport, fell victim to the infamous Rhysida ransomware gang. The agency confirmed the incident three weeks after the initial breach, which disrupted critical systems and impacted several operations at the airport, including reservation systems and flight check-in.

Impact on operations and response

The Port of Seattle announced on August 24 that it had isolated certain critical systems to minimize damage caused by the attack. The precautionary measure resulted in service disruptions, particularly affecting passenger service at Seattle-Tacoma International Airport. Delays ranged from interrupted check-in processes to system outages that affected flight schedules.

Three weeks after the breach, the port officially confirmed that Rhysida, a criminal organization linked to ransomware attacks, was responsible for the attack. In a press release, they assured the public that there had been no unauthorized access since the initial attack, and stressed that it was still safe to travel through their facilities. The agency’s response included taking systems offline, which helped prevent further spread of the ransomware but caused temporary outages across a range of services, including baggage handling, check-in kiosks and passenger display boards. The attack also crippled the port’s website, Wi-Fi and mobile app services, such as the flySEA app and reserved parking systems.

Recovery attempts and non-compliance with ransom demands

Most of the affected systems were restored within a week of the attack, although some critical services, such as the Port of Seattle’s website and mobile app functionality, are still being worked on. Despite the extensive disruption, the Port of Seattle has taken a firm stance against paying the ransom demanded by the Rhysida gang. Executive Director Steve Metruck made it clear that the port has no intention of giving in to the cybercriminals’ demands, stating that paying the ransom would be inconsistent with the port’s values and its responsibility to taxpayers.

The decision not to pay the ransom leaves open the possibility that stolen data could be published on the attackers’ dark web leak site. However, the port’s leadership has prioritized cybersecurity principles and the ethical stewardship of public funds over giving in to the criminals’ demands for a decryption key.

The Rising Threat of Rhysida and a Global Wave of Cybercrime

Rhysida is a relatively new player in the ransomware-as-a-service (RaaS) ecosystem, having first emerged in May 2023. Despite its recent arrival, the group has quickly made headlines by breaching high-profile targets such as the British Library and the Chilean military, positioning itself as a major cybercrime threat. In the US, the gang has been linked to attacks on healthcare institutions, as noted by the Department of Health and Human Services (HHS). Additionally, federal agencies such as CISA and the FBI have issued warnings about Rhysida’s aggressive tactics, targeting a wide range of industries.

Recent high-profile attacks include a breach at Sony subsidiary Insomniac Games, which exposed more than 1.6TB of sensitive data after the company refused to pay a $2 million ransom. Other victims include the city of Columbus, Ohio, and the Singing River Health System, which had to notify nearly 900,000 individuals that their data had been compromised in an attack in August 2023.

The Port of Seattle incident is a fresh reminder of Rhysida’s growing influence and the rising threat of ransomware across industries. As cybersecurity remains a top priority for both public and private institutions, incidents like this highlight the importance of robust security measures and the challenges posed by ransomware gangs like Rhysida.
