The port authority refused ransom demands and is now warning of a possible data leak.

The Port of Seattle has confirmed that Rhysida ransomware was used in a cyberattack that took down key computer systems on August 24.

The US government agency that manages the Seattle-Tacoma International (SEA) airport and Seattle’s seaport and maritime operations has published details of its response to the cyberattack, which crippled its baggage, check-in, reserved parking, and other online systems in the weeks since the attack.

“On August 24, 2024, the Port of Seattle identified system outages consistent with a cyberattack,” the agency said in a statement Monday. “This incident was a ‘ransomware’ attack by the criminal organization known as Rhysida.”

The agency said it has refused to pay an unspecified ransom amount demanded by the miscreants.

Operations restored with minimal damage

Upon investigating the system outages that occurred on August 24, the agency determined that an unauthorized actor was able to gain access to certain parts of its computer systems and encrypt access to some data.

In response, the agency disconnected systems from the internet. That, and the ransomware attack itself, affected Port services including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.

The Port’s security team restored the majority of the affected services within a week, with the exception of a few systems including its external websites and internal portals, it said.

“The efforts our team took to stop the attack on August 24, 2024, appear to have been successful,” the agency said. “There has been no new unauthorized activity on Port systems since that day. We remain on heightened alert and are continuously monitoring our systems.”

Rhysida ransom refused

Rhysida is a ransomware operation that runs on a ransomware-as-a-service (RaaS) model, meaning its creator or owner makes it available to other cybercriminals for hire to deploy against desired targets, in exchange for a share of the ransom.

In this case, the cybercriminals are out of luck, and potentially so are those whose data the agency holds: “The Port has refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their dark web site,” the agency cautioned.

While the nature of the data compromised in the attack remains unclear, it could be of high value because of the business segment in which the agency operates. Moreover, the Port of Seattle is an avid adopter of automation and machine learning technologies, making it a lucrative data trove for attackers.

The Rhysida ransomware gang is infamous for targeting organizations operating critical systems for which they can’t afford downtime. The hacker group has, in the past, singled out healthcare systems including the Lurie Children’s Hospital and Prospect Medical Holdings. Most recently, it claimed the Singing River ransomware attack in September 2023, which snowballed into a massive data breach affecting close to one million patients by May 2024.

The group’s targets have also included educational institutions, the manufacturing industry, and the Chilean army, according to a report by the HHS Health Sector Cybersecurity Coordination Center.