Rhysida ransomware gang ships off Port of Seattle data for $6M

Auction acts as payback after authority publicly refuses to pay up

The trend of ransomware crews claiming to sell stolen data privately instead of leaking it online continues with Rhysida marketing the data allegedly belonging to Port of Seattle for 100 Bitcoin (around $5.9 million).

The Rhysida group, which readers may remember from The Register's reporting on the British Library attack last year, claims to have pinched more than 3 TB worth of data and exposed sample documents to "prove" it.

Seen amongst the data the crims say they stole from Port of Seattle were full names, social security numbers, dates of birth, home addresses, phone numbers, heights and weights, hair and eye colors, signatures, and passport scans.

Rhysida also claims it has the internal login credentials of the seaport agency's employees as well as a smorgasbord of other personal data on staff and civilians.

The group's decision to auction the data rather than leak it somewhat follows in the footsteps of the Meow group, which recently shifted focus to pure extortion and selling the data it steals.

RansomHub, the current leading ransomware group, also trialed this tactic when it hit auctioning giant Christie's, although this appears to have been a one-off rather than a full tactical shift towards auctioning data instead of leaking it.

Speaking to The Register last week, Sergey Shykevich, threat intelligence group manager at Check Point Research, expressed his doubt over the strategy and how lucrative it may be for cybercriminals.

"At this point, we are not sure at all that it is a profitable move rather than a PR/marketing-oriented one," he said. "It was likely done to differentiate themselves from other groups and apply more pressure on the victims to pay them.

"We doubt it is really profitable, as in many cases, the victims' information is sold, which is not extremely lucrative and not actionable to other threat actors."

The Port's side

The Port of Seattle – the local government office that oversees Seattle's seaport and airport – confirmed it was the victim of a ransomware attack in a refreshingly comprehensive incident update posted to its website on Friday.

In doing so, it also answered various other questions about the break-in, including a rare direct address regarding whether a ransom payment was made.

"Yes, this incident was a ransomware attack by the criminal organization known as Rhysida," the update reads. "The efforts our team took to stop the attack on August 24, 2024, appear to have been successful. There has been no new unauthorized activity on Port systems since that day. We remain on heightened alert and are continuously monitoring our systems.

"The Port has refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their darkweb site."

Respond Rhysida did. Alongside the snippet of leaked documents containing various data points, it also shared what it alleges to be a screenshot of an email sent by the Port offering a $750,000 payment for the stolen data, but this contradicts the Port's statement on the matter.

The alleged offer of payment, which was significantly less valuable than the 100 Bitcoin price Rhysida publicly slapped on the dataset, might not have included payment for a decryptor, since the Port confirmed it was able to stop the attack and is currently in the process of restoring services.

Port of Seattle maintains that both the seaport and Seattle-Tacoma International Airport (SEA) are safe to use and travel from, although some services remain down and others are only restored in a temporary, workaround form.

"Our investigation has determined that the unauthorized actor was able to gain access to certain parts of our computer systems and was able to encrypt access to some data," it said.

"We took steps to block further activities including disconnecting our systems from the internet, but unfortunately, the encryption and our response actions hindered some Port services including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking. 

"Our team was able to bring the majority of these systems back online within the week, though work to restore some systems like our external website and internal portals is ongoing."

There is no estimated date for the full return to service – the priority is the safe and secure restoration of systems, no matter the time it takes – but the Port committed to continue providing regular updates.

This process will involve making improvements to its security posture, including the enhancement of existing controls and monitoring, and beefed-up identity management and authentication protocols. ®