Rhysida Ransomware Gang Behind Port of Seattle Attack

Date: September 16, 2024


The Port of Seattle confirmed that a cyberattack impacting its systems over three weeks was orchestrated by the Rhysida ransomware group.  

The attack, first disclosed on August 24, forced the Port to isolate critical systems, causing IT outages that disrupted flight reservations and delayed operations at Seattle-Tacoma International Airport (SEA).  

The attack encrypted data across several systems, affecting baggage handling, check-in kiosks, Wi-Fi, passenger displays, and the Port's website, Bleeping Computer reports.

Although most affected systems were restored within a week, some key services, like the Port’s website and the SEA Visitor Pass, remain under restoration. Despite these disruptions, the Port confirmed that it is still safe to travel through SEA and use maritime facilities.

The Port also decided against paying the ransom, with Executive Director Steve Metruck stating that paying the attackers would go against the Port’s values and misuse taxpayer money.  

There is concern that stolen data may be published on the dark web. The Port emphasized that no further unauthorized activity has occurred since the attack, and investigations are ongoing.

Takeaway: Rhysida is a Ransomware-as-a-Service (RaaS) operation that was first detected in May 2023 and quickly escalated into a major threat by early 2024.

The group claims to act as a "cybersecurity team" conducting unauthorized "penetration testing" to help organizations identify vulnerabilities in their networks. After carrying out these attacks, they demand ransom payments as compensation for their so-called services.

Rhysida has been linked to several high-profile attacks, including those on the Chilean military, the British Library, and Prospect Medical Holdings. The attack on Prospect Medical Holdings severely disrupted the operations of hundreds of clinics and hospitals throughout the United States.

Rhysida uses advanced tactics to infiltrate networks, such as exploiting VPN vulnerabilities and leveraging security flaws like Zerologon (CVE-2020-1472). Their operations follow a double extortion model, where they steal sensitive data and threaten to leak it if ransom demands are not met. The group hosts a leak site and a victim support portal on the Tor network, where they handle negotiations.

Some of Rhysida’s techniques include bypassing antivirus protections, deleting Volume Shadow Copies (VSS) to block data recovery, and altering Remote Desktop Protocol (RDP) settings to maintain ongoing access. They rely on tools like Cobalt Strike for command-and-control, PsExec for lateral network movement, and PowerShell scripts to deploy their ransomware.
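One way a defender can turn the shadow-copy deletion and RDP tampering described above into detection logic, as an added example that is not from the original post or from Halcyon. The event records are constructed to loosely mirror Sysmon process-creation (ID 1) and registry-value-set (ID 13) events; the field names and the sample hosts are assumptions.

```python
import re

# Constructed sample telemetry, not real logs from the Port of Seattle incident.
# id 1 ~ Sysmon process creation, id 13 ~ Sysmon registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "host": "ws01", "cmd": "wmic shadowcopy delete"},
    {"id": 13, "host": "ws02",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},   # 0 = RDP connections allowed
    {"id": 1, "host": "ws03", "cmd": "vssadmin.exe list shadows"},   # benign admin use
    {"id": 13, "host": "ws02",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},   # 1 = RDP denied; not the pattern we care about
]

# Command-line patterns for the two common ways shadow copies get wiped.
VSS_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def classify(event):
    """Return a tag for a suspicious event, or None when it looks benign."""
    if event["id"] == 1:
        if any(p.search(event["cmd"]) for p in VSS_DELETE):
            return "vss_delete"
        return None
    if event["id"] == 13:
        # fDenyTSConnections flipped to 0 turns RDP on; flag it so an analyst can
        # check whether the change was made by an administrator or by an intruder.
        if (event["target"].lower().endswith("fdenytsconnections")
                and "0x00000000" in event["details"]):
            return "rdp_enabled"
    return None


def scan(events):
    """Return (host, tag) pairs for every event matching a ransomware-style action."""
    hits = []
    for e in events:
        tag = classify(e)
        if tag:
            hits.append((e["host"], tag))
    return hits


if __name__ == "__main__":
    for host, tag in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag}")
```

In a real pipeline the same two checks would be fed from the SIEM's Sysmon or EDR stream rather than a static list, and a VSS deletion followed shortly by an RDP change on the same host is a stronger signal than either alone.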

Rhysida encrypts files using AES-CTR and manages encryption keys with a 4096-bit RSA key. Initially focusing on Windows systems, the group has recently expanded to target Linux, especially VMware ESXi servers. Their methods closely resemble those of the Vice Society group, suggesting a possible connection or shared approach.

In February 2024, researchers released a decryptor that temporarily halted Rhysida's activities, but the group quickly adapted and resumed attacks. Although they experienced a resurgence in mid-2024, their attack volume remains smaller than that of other leading ransomware groups.

Rhysida operates opportunistically, with ransom demands typically made in Bitcoin. These demands range from 15 BTC (around $775,000) to 60 BTC (approximately $3.7 million) in recent incidents.

Other notable victims include MarineMax, Lurie Children’s Hospital, Pierce College, Ejercito de Chile, Axity, the Ministry of Finance in Kuwait, Prince George’s County Public Schools, and various local governments such as the Ayuntamiento de Arganda City Council and Comune di Ferrara.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.