Port of Seattle refuses to pay Rhysida ransom, warns of data leak


The Port of Seattle refused to pay a ransom to cybercriminals that shut down the city’s airport and seaport over the Labor Day holiday, officials confirmed on Friday.

In a statement, they said the attack was launched by the Rhysida ransomware group — which is responsible for recent attacks on the city of Columbus, Ohio and several leading hospitals.  

The hackers “may respond by posting data they claim to have stolen on their darkweb site,” according to the Port, which manages the city’s airport. 

“Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August,” they said. They did not say when they will know the contents of what was stolen but pledged to contact those affected — including about “employee or passenger personal information.”

Steve Metruck, executive director of the Port of Seattle, said they are making progress in restoring affected systems but “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” 

The preliminary investigation into the incident — which caused viral scenes of airport workers writing flight information on dry erase boards and airlines routing thousands of bags with pen and paper — confirmed the hackers were able to encrypt some systems and data.

At its peak, the encryptions and the resulting system disconnections took down port services like “baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.” 

“Our team was able to bring the majority of these systems back online within the week, though work to restore some systems like our external website and internal portals is ongoing,” they said. 

Throughout the attack, which they said started on August 24, port officials reiterated that it was safe to fly through the airport and that they were able to make do with pen, paper and other tools.

They have not seen any new activity from the hackers since the initial attack but “remain on heightened alert and are continuously monitoring our systems.”

Law enforcement agencies and cybersecurity experts were involved in the recovery process from the beginning, they said. 

Rhysida continues to be among the most damaging ransomware operations currently launching attacks. 

The group left the famed British Library disabled for weeks, and in addition to its attacks on the governments of cities like Columbus and federal agencies in Kuwait, the group’s extortion of a Chicago children’s hospital and Christmas season attack on a global Christian charity have caused outrage.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
