Ransomware group releases screenshots in attempted extortion of Port of Seattle

The group known as Rhysida is demanding 100 bitcoin in ransom from the port and the Seattle-Tacoma International Airport.
The Port of Seattle is viewed from the Bainbridge Island Ferry on November 4, 2015, in Seattle, Washington. (Photo by George Rose/Getty Images)

The cybercriminals responsible for the attempted extortion of the Port of Seattle posted on Monday a 100-bitcoin ransom demand and images of purported documents stolen from the organization.

The images include what appears to be a scanned U.S. passport, tax identification forms with Social Security numbers and other personally identifiable information. The 100 bitcoin demanded were worth roughly $5.9 million as of Monday, and the group is threatening to sell the data if the port does not pay within seven days.

A spokesperson for the port could not immediately be reached for comment Monday, but in a statement issued Friday by the Port of Seattle and the Seattle-Tacoma International Airport, the organizations said they “refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their darkweb site.”

It’s not clear how much data was stolen as part of the attack, or what kind of data is included. The port said the incident was the result of a ransomware attack associated with a group known as “Rhysida,” a ransomware-as-a-service operation that allows criminals to use the platform to extort victims, with proceeds ultimately split between the attacker and the developers and operators of the platform.

Rhysida’s platform has listed attacks on entities around the world, with the bulk being in the United States, according to eCrime.ch, a cybercrime research platform. The group’s site has listed nearly 150 victims since first emerging in June 2023. 

“Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August,” the organization said in the statement. “Assessment of the data taken is complex and takes time, but we are committed to these efforts and notifying potentially impacted stakeholders as appropriate. In particular, if we identify that the actor obtained employee or passenger personal information, we will carry out our responsibilities to inform them.”

The port first identified “system outages consistent with a cyberattack” on Aug. 24 and “worked to quickly isolate critical systems,” it said. The port’s own containment actions, together with the encryption deployed by the attackers, “hindered” some services, including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.

“Our team was able to bring the majority of these systems back online within the week, though work to restore some systems like our external website and internal portals is ongoing,” the port said. Its main website remains offline.

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).