Severity
High
Analysis Summary
The Port of Seattle, the public agency that operates Seattle-Tacoma International Airport and the city's seaport, confirmed on Friday that the cyberattack that had been disrupting its systems for the previous three weeks was the work of the Rhysida ransomware gang.
On August 24, the Port disclosed that it had isolated several critical systems to contain the attack. As a result, Seattle-Tacoma International Airport suffered an IT outage that delayed flight schedules and disrupted reservation and check-in systems. Three weeks after that initial disclosure, the Port formally acknowledged that the August breach was a ransomware attack carried out by Rhysida affiliates.
According to the Port, there has been no further unauthorized activity on its systems since the attack, and travel through Seattle-Tacoma International Airport and the Port's maritime facilities remains safe. Numerous services and systems were affected, including baggage handling, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking. The outages had two causes: the Port's decision to take systems offline, and the gang's encryption of systems that were not isolated in time.
The press release reads, “Our investigation has determined that the unauthorized actor was able to gain access to certain parts of our computer systems and was able to encrypt access to some data.”
Most of the affected systems were restored within the last week, but the Port is still working to bring back additional services, including the Port of Seattle website, SEA Visitor Pass, TSA wait times, and flySEA app access (the app continues to work for users who installed it before the August attack). The Port also refused to pay the gang for a decryptor and said it expects the attackers to publish the stolen data on their dark web leak site.
Rhysida is a relatively new ransomware-as-a-service (RaaS) operation that emerged in May 2023 and quickly gained notoriety after breaching the Chilean Army (Ejército de Chile) and the British Library. The US Department of Health and Human Services (HHS) has linked Rhysida to attacks on healthcare organizations, and the FBI and CISA later issued a joint advisory attributing opportunistic attacks across several other industry sectors to the same group.
For example, Rhysida breached Insomniac Games, a Sony subsidiary, in November 2023 and leaked 1.67 TB of the studio's data on the dark web after Insomniac refused to pay a $2 million ransom. Its affiliates have also compromised MarineMax, the world's largest recreational boat and yacht retailer, the City of Columbus, Ohio, and the Singing River Health System; the latter notified nearly 900,000 people that their data had been stolen in a Rhysida ransomware attack in August 2023.
Impact
- Operational Disruption
- Financial Loss
- File Encryption
Remediation
- Stay vigilant and follow cybersecurity best practices to protect systems and data: keep software updated, enforce strong access controls, and deploy monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Regularly change passwords for all accounts.
- Use strong, unique passwords for sensitive accounts.
- Maintain regular backups of critical data and systems, keep at least one copy offline or immutable so that it cannot be encrypted along with production systems, and test restores so that data can actually be recovered after a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.
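The impact section lists file encryption, and the remediation list calls for backups that allow recovery and for monitoring for unusual activity. The following script is an added example, not code from the original advisory or from the Port of Seattle: it builds a SHA-256 manifest of a directory tree before an incident and later verifies a copy of that tree against it, separating files that merely changed from files whose contents now look like ciphertext (a byte-entropy check, which is a generic indicator rather than anything specific to Rhysida). The directory layout, file names and the "encrypted" file are constructed inline for the demo and are assumptions, not data from the incident.

```python
"""Backup integrity and encryption-indicator check (added example, not from the advisory)."""
from __future__ import annotations

import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text and office documents sit well below 7.5;
    ciphertext and compressed data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (POSIX-style relative path) under root to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict[str, str],
                  entropy_threshold: float = 7.5) -> dict[str, list[str]]:
    """Compare a backup tree against a manifest taken earlier.

    missing    - files in the manifest that no longer exist
    modified   - files whose hash differs from the manifest
    suspicious - modified files whose bytes look like ciphertext
    """
    report: dict[str, list[str]] = {"missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
            if shannon_entropy(p.read_bytes()) >= entropy_threshold:
                report["suspicious"].append(rel)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, then simulate an incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "data"
        (root / "flights").mkdir(parents=True)
        (root / "flights" / "schedule.csv").write_text("flight,gate\nAS101,A4\n" * 200)
        (root / "notes.txt").write_text("routine maintenance log\n" * 100)
        (root / "readme.txt").write_text("operations handbook\n" * 100)
        manifest = build_manifest(root)

        # Simulated ransomware: one file overwritten with random bytes (constructed,
        # stands in for encrypted content; not Rhysida's actual on-disk behaviour).
        (root / "notes.txt").write_bytes(os.urandom(4096))
        # A legitimate plaintext edit: hash changes, entropy stays low.
        (root / "readme.txt").write_text("operations handbook, revised\n" * 100)
        # A file removed outright.
        (root / "flights" / "schedule.csv").unlink()

        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself must live somewhere the attacker cannot reach (an offline copy or a write-once store); a manifest that sits beside the backup can be encrypted or replaced along with it, and the entropy threshold should be tuned against the real mix of file types, since already-compressed formats such as ZIP or JPEG are high-entropy by nature and would need to be excluded or hashed only.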