Port of Seattle Struck by Rhysida Ransomware in August 2024 Cyberattack

In a targeted ransomware attack, the Port of Seattle, which manages the city’s seaport and Seattle-Tacoma International Airport, fell victim to the notorious Rhysida ransomware gang in August. The incident, which disrupted critical systems, was confirmed by the agency three weeks after the initial breach, affecting various operations at the airport, including reservation systems and flight check-ins.
Impact on Operations and Response
The Port of Seattle disclosed on August 24 that it had isolated certain essential systems to minimize the damage caused by the attack. This precautionary measure led to service disruptions, which notably impacted passenger services at Seattle-Tacoma International Airport. The delays ranged from interrupted check-in processes to system outages affecting flight schedules.
Three weeks after the breach, the Port officially confirmed that Rhysida, a criminal ransomware organization, was responsible for the attack. In a press release, the agency assured the public that no unauthorized access had occurred since the initial attack, emphasizing that it remained safe to travel through its facilities. The agency’s response included taking systems offline, which helped to prevent further spread of the ransomware but caused temporary outages across a range of services, including baggage handling, check-in kiosks, and passenger display boards. The attack also crippled the Port’s website, Wi-Fi, and mobile app services like the flySEA app and reserved parking systems.
Recovery Efforts and Non-Compliance with Ransom Demands
Most of the affected systems were restored within a week of the attack, though some critical services, like the Port of Seattle website and mobile app functionalities, are still being worked on. Despite the extensive disruption, the Port of Seattle took a firm stance against paying the ransom demanded by the Rhysida gang. Executive Director Steve Metruck made it clear that the Port has no intention of giving in to the cybercriminals’ demands, stating that paying the ransom would go against the Port’s values and its responsibility to taxpayers.
The decision not to pay the ransom leaves the possibility of stolen data being published on the attackers' dark web leak site. The Port’s leadership, however, has prioritized cybersecurity principles and the ethical management of public funds over succumbing to the criminals’ demands for a decryption key.
Rhysida’s Rising Threat and a Global Cybercrime Wave
Rhysida is a relatively new player in the ransomware-as-a-service (RaaS) ecosystem, first emerging in May 2023. Despite its recent arrival, the group has quickly made headlines by breaching high-profile targets like the British Library and the Chilean Army, positioning itself as a significant cybercrime threat. In the U.S., the gang has been linked to attacks on healthcare organizations, as noted by the Department of Health and Human Services (HHS). Furthermore, federal agencies like CISA and the FBI have issued warnings about Rhysida's aggressive tactics, which target a wide range of sectors.
Recent high-profile attacks include a breach at Sony subsidiary Insomniac Games, where over 1.6 TB of sensitive data was leaked after the company refused to pay a $2 million ransom. Other victims include the City of Columbus, Ohio, and the Singing River Health System, which was forced to notify nearly 900,000 individuals that their data had been compromised during an August 2023 attack.
The Port of Seattle incident serves as another reminder of Rhysida's increasing influence and the growing threat of ransomware across various industries. As cybersecurity remains a top concern for public and private institutions alike, incidents like this highlight the importance of robust security measures and the challenges posed by ransomware gangs like Rhysida.