
The Anubis Ransomware Attack on the Adriatic Port Authority

Cyber Threat Intelligence

port, cyber, data breach, maritime


Introduction

A severe ransomware attack orchestrated by the Anubis ransomware group targeted the Adriatic Port Authority, crippling its operations and disrupting maritime logistics across the region. This cyberattack has raised significant concerns about the vulnerabilities in critical infrastructure. Considering ongoing global supply chain disruptions and the emergence of new threats in the maritime security domain, Resecurity forecasts an increase in malicious activity by nation-states, cyber-mercenaries, advanced cybercriminal and espionage groups. Ransomware attacks have repeatedly targeted port authorities and maritime operations across countries, causing widespread disruption and massive financial losses. Below are confirmed cybersecurity incidents:

| Year | Target/Port | Attacker/Malware | Operational Impact | Financial Losses | Recovery Timeline |
|------|-------------|------------------|--------------------|------------------|-------------------|
| 2017 | Maersk (global) | NotPetya | Global IT/OT shutdown, cargo delays | $200–$300M | 10 days–weeks |
| 2018 | Port of San Diego | Ryuk (suspected) | IT disruption, manual workarounds | Not disclosed | Days–weeks |
| 2020 | MSC Geneva | Ryuk (suspected) | Booking/cargo tracking disruption | Not disclosed | ~1 week |
| 2023 | Port of Nagoya, Japan | LockBit 3.0 | NUTS system down, cargo halted, Toyota affected | Significant | 2–3 days for core ops |
| 2023 | Port of Lisbon, Portugal | LockBit | IT disruption | Not disclosed | Not specified |
| 2026 | Port of Vigo, Spain | Unknown ransomware | Digital systems down, manual cargo ops | Not disclosed | Ongoing/manual ops |
| 2025 | Port of Nagoya, Japan | LockBit | Temporary suspension | Not specified | Not specified |
| 2025 | Multiple ports (global) | RaaS/APT groups | Cargo paralysis, supply chain bottlenecks | Millions per incident | Varies |


Cyber-attacks targeting port authorities have proven capable of causing disruptions and economic damage comparable to those inflicted by kinetic attacks. This equivalence was vividly illustrated during the Iran-Israel cyber conflict, particularly by the earlier Israeli cyber operation against Iran’s Shahid Rajaee port, and by the Port of Nagoya ransomware attack, which brought port operations to a standstill and mirrored the chaos of a physical strike.

Resecurity projects that cyberattacks against port authorities and maritime operators will intensify markedly from 2026 through 2030, fueled by persistent geopolitical tensions and the proliferation of local conflicts and wars. As digitalization and automation continue to transform the maritime sector, these organizations are increasingly exposed to sophisticated cyber threats orchestrated by both nation-state actors and organized cybercriminal groups. The strategic significance of maritime infrastructure—handling up to 90% of global trade—makes it a prime target for disruptive and espionage-driven cyber operations.

The maritime sector’s rapid digital transformation—integrating IoT, OT, and interconnected logistics platforms—has expanded the attack surface, making it easier for adversaries to exploit vulnerabilities. Supply chain attacks, ransomware, and hybrid warfare tactics such as GPS spoofing and AIS manipulation are increasingly prevalent, especially in regions affected by conflict. To increase awareness among security professionals, Resecurity is sharing a case study with an analysis of Anubis Ransomware affecting one of the major port authorities in the EU, highlighting an example of confirmed malicious cyber activity with kinetic effects.


What is Anubis Ransomware?

Anubis ransomware is a notorious malware strain known for its ability to encrypt victims' files and demand hefty ransoms in cryptocurrency for their release. Originating from a group of highly skilled threat actors, Anubis has been linked to several high-profile attacks targeting governments, corporations, and critical sectors worldwide. Its signature features include:

  • Data Encryption: Locking victims out of key systems and data.
  • Data Theft: Exfiltrating sensitive information before encryption to increase pressure on victims.
  • Double Extortion: Threatening to leak stolen data if ransom demands are not met.
  • Sophisticated Tactics: Leveraging advanced phishing, credential theft, and system vulnerabilities to infiltrate networks.

Anubis Ransomware is a highly adaptive, multi-stage threat targeting critical infrastructure, leveraging both technical exploits (notably VPN and web app vulnerabilities) and social engineering for initial access. Its attack chain features advanced defense evasion (QEMU VM abuse), credential theft, lateral movement, and double extortion, with a toolkit mapped to MITRE ATT&CK techniques.
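The defense-evasion step mentioned above (running tooling inside a QEMU virtual machine so that endpoint controls see only a hypervisor process) is something a SOC can hunt for in process-creation telemetry. The following detection logic is an added example written for this page; it is not code from the Resecurity report or from the Anubis toolkit. It assumes Sysmon-style process-creation events already normalised to Python dicts with `Computer`, `User`, `Image` and `CommandLine` fields, and the hypervisor binary names, approved install directories and the allow-list of hosts where virtualisation is expected are constructed placeholders a defender would replace with their own inventory.

```python
"""Flag unexpected hypervisor (QEMU/VirtualBox) launches in endpoint telemetry.

Added example for this article; assumes Sysmon-like process-creation events
normalised to dicts. All lists and sample events below are constructed.
"""
import re
from dataclasses import dataclass, field

# Hypervisor images that rarely belong on an ordinary office workstation (constructed list).
HYPERVISOR_BINARIES = {
    "qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu-img.exe", "vboxheadless.exe",
}
# Where a sanctioned hypervisor install would live (assumed; adapt to your estate).
APPROVED_DIRS = ("c:\\program files\\qemu\\", "c:\\program files\\oracle\\virtualbox\\")
# Hosts where virtualisation is expected, e.g. developer lab machines (constructed allow-list).
VIRT_HOSTS = {"DEV-LAB-01"}


@dataclass
class Finding:
    host: str
    user: str
    image: str
    reasons: list = field(default_factory=list)


def analyse_event(ev):
    """Return a Finding for a suspicious hypervisor launch, or None."""
    image = ev["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name not in HYPERVISOR_BINARIES:
        return None
    reasons = []
    if ev["Computer"] not in VIRT_HOSTS:
        reasons.append("hypervisor launched on host where virtualisation is not expected")
    if not image.startswith(APPROVED_DIRS):
        reasons.append("binary running outside the approved install directory")
    cmd = ev["CommandLine"].lower()
    # User-mode networking with host port forwarding exposes guest services on the host.
    if re.search(r"-netdev\s+user,.*hostfwd=", cmd):
        reasons.append("user-mode networking with hostfwd port forwarding")
    # A VM with no display is unusual for interactive desktop use.
    if "-display none" in cmd or "-nographic" in cmd:
        reasons.append("headless VM (no display attached)")
    if not reasons:
        return None
    return Finding(ev["Computer"], ev["User"], ev["Image"], reasons)


def analyse(events):
    """Run the rule over a batch of events and return all findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed sample telemetry: one sanctioned lab VM, one suspicious workstation launch,
# one unrelated process.
SAMPLE_EVENTS = [
    {"Computer": "DEV-LAB-01", "User": "PORT\\dev.lab",
     "Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2 -display gtk -netdev user,id=n0"},
    {"Computer": "HR-WS-17", "User": "PORT\\hr.clerk",
     "Image": "C:\\Users\\Public\\libs\\qemu-system-x86_64.exe",
     "CommandLine": "\"C:\\Users\\Public\\libs\\qemu-system-x86_64.exe\" -m 1024 -hda disk.img "
                    "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"},
    {"Computer": "HR-WS-17", "User": "PORT\\hr.clerk",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe shift.txt"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.image}")
        for r in f.reasons:
            print("   -", r)
```

Only the workstation launch is reported, with all four reasons attached; the lab host's sanctioned VM and the unrelated process produce nothing. In practice the same rule is expressed as a SIEM query or a Sigma rule keyed on the image name, and the allow-lists come from the asset inventory rather than from constants.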

While the broader ransomware ecosystem is shifting toward affiliate-driven Ransomware-as-a-Service (RaaS) models, Anubis exhibits characteristics consistent with this trend, including modular tooling and the use of initial access brokers. The group is distinct from the Android banking malware of the same name and is recognized for its technical sophistication and operational agility.

Anubis ransomware was present and actively promoted on the RAMP (Russian Anonymous Marketplace) cybercrime forum. Its operators publicly launched an affiliate program on RAMP in February 2025, using the forum to recruit partners and expand their RaaS (Ransomware-as-a-Service) operations. Operating under the aliases superSonic (on RAMP) and Anubis__media (on XSS and Exploit), the group runs a highly flexible affiliate program with a robust monetization structure.

Rather than just standard double extortion, Anubis advertises multiple affiliate structures—offering an 80% cut for ransomware deployment, 60% for data extortion, and 50% for initial access brokers. Operating globally, Anubis has been linked to attacks on healthcare, construction, and engineering sectors in Australia, Canada, Peru, and the U.S.

In one of their postings on the Exploit Underground forum, the group stated that they prioritize stolen data for extortion. They informed their affiliates and future partners that they are willing to buy stolen data of 40 GB or more, that has not been previously published in open sources, from enterprises located in the US, Canada, the European Union, and Australia.

In addition, the group is actively sourcing compromised remote access to various enterprises worldwide, an activity that, as the group itself has highlighted, has generated over 20 million USD in revenue. The group does not target victims based in the ex-USSR and BRICS countries.

The group also has an active X account, through which they amplify the most significant data breaches. Based on their profile information, Anubis has been active since at least December 2024.

Resecurity highlights that Anubis Ransomware is involved in mass exploitation of public-facing applications (T1190) leveraging account takeover (ATO), along with the use of N-day vulnerabilities or derivatives of existing CVEs, such as SonicWall VPNs (lacking MFA), SolarWinds Web Help Desk (CVE-2025-26399), Cisco SSL VPNs, and CitrixBleed2 (CVE-2025-5777). It is expected that the group will continue to expand its affiliate network and recruit new initial access brokers (IABs) for targeted network intrusions.


Details of the Adriatic Port Authority Attack

The attack on the Adriatic Port Authority was a targeted effort. However, nation-state actors can use similar TTPs to carry out similar attacks on ports, both for gray-zone operations and as part of broader conflict strategies. Here's a breakdown of how the attack unfolded:

  1. Initial Breach:
    Resecurity believes the attackers gained access via a spear-phishing email sent to employees, which contained a malicious attachment. Once opened, it installed the ransomware on the organization's network.

  2. Lateral Movement:
    After gaining entry, the attackers used privilege escalation techniques to move laterally across the network. They exploited unpatched vulnerabilities in the port authority’s IT infrastructure and gained control over critical systems.

  3. Data Encryption and Exfiltration:
    The ransomware encrypted thousands of files, rendering port operations—including cargo tracking, shipping schedules, and customs processing—completely inaccessible. Additionally, sensitive data, such as contracts and employee records, was exfiltrated.

  4. Ransom Demand:
    The Anubis group reportedly demanded a ransom of 10 million USD in Bitcoin, threatening to release the stolen data on the dark web if payment was not made within seven days. A ransom note left behind emphasized the severe consequences of non-compliance.


Impact on Operations and Regional Trade

The attack caused widespread disruption to the Adriatic region's maritime trade and logistics industry. Key impacts included:

  • Port Shutdown: The Adriatic Port Authority was unable to process incoming and outgoing shipments, forcing vessels to reroute to alternative ports.
  • Economic Losses: The downtime resulted in millions of dollars in losses, with businesses relying on the port experiencing supply chain delays.
  • Reputational Damage: The breach undermined trust in the port authority's ability to secure its infrastructure.

Additionally, the attack highlighted how critical infrastructure—such as ports, airports, and power grids—remains a prime target for ransomware groups.

The attackers targeted employees of the company that manages the Port Authority, considering them the weakest link in the chain due to their privileged access to the production systems and applications. 

An important area targeted by the attackers is safety plans and information about security operations. Such details may be extremely valuable to organized crime involved in smuggling, contraband, and insider recruitment.

Notably, in the case of the Anubis Ransomware, the attack did not require any specific targeting of OT infrastructure. The malicious activity was conducted strictly by exploiting IT system vulnerabilities (e.g., insecure accounts managing Office 365 / Azure), but it resulted in effects within the cyber-physical domain.
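Both the earlier note on account takeover against VPN portals lacking MFA and the observation above about insecure Office 365 / Azure accounts point to the same defensive control: privileged cloud and remote-access accounts must be enrolled in MFA, and sign-in telemetry should be reviewed for takeovers. The script below is an added example for this article, not code from the report or from any vendor; it assumes identity-provider sign-in records already exported as dicts with `time`, `user`, `result`, `mfa`, `country` and `roles` fields, and the privileged role names, the per-user country baseline and the sample records are constructed.

```python
"""Review identity sign-in records for MFA gaps and account-takeover patterns.

Added example for this article. Assumes sign-in logs normalised to dicts
(field names are assumptions). Role names, baselines and records are constructed.
"""
from collections import defaultdict

# Roles whose sign-ins must always carry MFA (constructed; map to your tenant's roles).
PRIVILEGED_ROLES = frozenset({"Global Administrator", "Exchange Administrator", "VPN-Admins"})
# Countries each user normally signs in from, learned from history (constructed baseline).
BASELINE_COUNTRIES = {
    "alice@port.example": {"IT"},
    "bob@port.example": {"IT", "HR"},
}
# Number of consecutive failures before a following success is treated as suspicious.
FAILURE_THRESHOLD = 5


def detect_takeovers(signins, privileged_roles, baseline, threshold=FAILURE_THRESHOLD):
    """Return (time, user, reasons) for each successful sign-in that looks like a takeover."""
    findings = []
    consecutive_failures = defaultdict(int)
    for rec in sorted(signins, key=lambda r: r["time"]):
        user = rec["user"]
        if rec["result"] != "success":
            consecutive_failures[user] += 1
            continue
        reasons = []
        if rec["roles"] & privileged_roles and not rec["mfa"]:
            reasons.append("privileged sign-in completed without MFA")
        if rec["country"] not in baseline.get(user, set()):
            reasons.append(f"sign-in from country not in baseline: {rec['country']}")
        if consecutive_failures[user] >= threshold:
            reasons.append(f"success after {consecutive_failures[user]} consecutive failures")
        consecutive_failures[user] = 0  # a success resets the failure run
        if reasons:
            findings.append((rec["time"], user, reasons))
    return findings


def mfa_gap_report(signins, privileged_roles):
    """Privileged users who completed at least one sign-in without MFA (enrolment gap)."""
    return {
        rec["user"] for rec in signins
        if rec["result"] == "success" and rec["roles"] & privileged_roles and not rec["mfa"]
    }


# Constructed sample: a normal admin sign-in, a spray of failures followed by an
# MFA-less success from an unseen country, and an ordinary user sign-in.
SAMPLE_SIGNINS = [
    {"time": "2025-03-01T08:00:00Z", "user": "alice@port.example", "result": "success",
     "mfa": True, "country": "IT", "roles": frozenset({"Global Administrator"})},
] + [
    {"time": f"2025-03-01T22:{m:02d}:00Z", "user": "alice@port.example", "result": "failure",
     "mfa": False, "country": "ZZ", "roles": frozenset({"Global Administrator"})}
    for m in range(10, 16)
] + [
    {"time": "2025-03-01T22:17:00Z", "user": "alice@port.example", "result": "success",
     "mfa": False, "country": "ZZ", "roles": frozenset({"Global Administrator"})},
    {"time": "2025-03-01T09:30:00Z", "user": "bob@port.example", "result": "success",
     "mfa": True, "country": "HR", "roles": frozenset()},
]

if __name__ == "__main__":
    for when, who, why in detect_takeovers(SAMPLE_SIGNINS, PRIVILEGED_ROLES, BASELINE_COUNTRIES):
        print(when, who)
        for r in why:
            print("   -", r)
    print("privileged accounts with MFA gaps:", sorted(mfa_gap_report(SAMPLE_SIGNINS, PRIVILEGED_ROLES)))
```

The late-night success for the administrator account is reported with three reasons at once (no MFA, unseen country, six preceding failures), while the two legitimate sign-ins are silent; the gap report lists the same account as needing MFA enforcement. The two functions are deliberately separate: the first is a detection to alert on, the second is a compliance check to run on a schedule against the whole tenant, since the report states that insecure accounts, not OT exploits, were the path to cyber-physical impact here.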

It is expected that similar attack scenarios will be used to target port authorities and their supply chains, as IT systems in that segment are extremely outdated and lack cybersecurity maturity. Most ports remain underprepared for large-scale, systemic cyber incidents, amplifying the risk of catastrophic disruption.


Mitigation Efforts and Response

In the aftermath of the attack, the Adriatic Port Authority collaborated with cybersecurity firms and law enforcement agencies to mitigate the damage. Key steps included:

  1. Incident Response:
    The authority's IT team isolated affected systems to prevent further spread of the ransomware. External threat-hunting teams conducted a forensic investigation to identify the root cause.

  2. Data Recovery:
    Efforts were made to restore encrypted files from backup systems. However, the port authority’s reliance on outdated backup protocols slowed recovery.

  3. Negotiations and Legal Considerations:
    While authorities strongly advised against paying the ransom to discourage future attacks, reports suggest negotiations took place to buy additional time while recovery efforts continued.

  4. Public Communication:
    The Adriatic Port Authority issued statements to reassure partners and stakeholders that steps were being taken to restore full functionality.


Lessons Learned

The Anubis ransomware attack served as a wake-up call for organizations managing critical infrastructure. Key takeaways include:

  1. Strengthen Cyber Defenses:
    Ports and similar organizations must adopt zero-trust security models and enforce stricter access controls to prevent unauthorized access.

  2. Regular Software Updates:
    Many ransomware attacks exploit known vulnerabilities. Regularly patching systems is essential to minimize risks.

  3. Employee Training:
    Phishing remains one of the most common attack vectors. Frequent cybersecurity awareness training can reduce the likelihood of human error.

  4. Robust Backup Strategies:
    Organizations must ensure that their backup systems are both comprehensive and regularly tested to enable swift recovery during a cyber incident.

  5. Collaboration with Cybersecurity Experts:
    Partnering with specialized firms to conduct threat assessments and penetration testing can identify weak points before attackers do.


Conclusion

The Anubis ransomware attack on the Adriatic Port Authority underscores the growing threat posed by sophisticated cybercriminals targeting critical sectors. As the global economy becomes increasingly interconnected, it is imperative for governments and organizations to invest in robust cybersecurity measures to protect vital infrastructure from future attacks.

This incident serves as a stark reminder that no entity is immune to cyber threats, and proactive preparation is the best defense against the escalating ransomware epidemic. Ransomware is a serious escalating threat to port authorities and maritime operations. Real-world attacks have disrupted global shipping, exposed critical technical vulnerabilities, and caused significant financial and operational damage. The threat landscape is intensifying, with sophisticated ransomware groups targeting maritime infrastructure and supply chains, prompting urgent regulatory and cybersecurity responses.

Cybersecurity Recommendations for Port Authorities by Regulators

Port authorities are critical to global trade and are increasingly targeted by cyber threats due to their reliance on digital systems for operations. Regulatory bodies and industry organizations have issued several guidelines and recommendations to enhance cybersecurity in ports and port facilities. Below is a summary of key recommendations and frameworks:


1. International Maritime Organization (IMO) Guidelines

The IMO has issued guidelines on maritime cyber risk management, which are integrated into the International Safety Management (ISM) Code and Safety Management Systems (SMS). These guidelines emphasize:

  • Identifying and mitigating cyber risks in port operations.
  • Incorporating cyber risk management into existing safety and security frameworks.
  • Regularly updating risk assessments to address evolving threats.

2. U.S. Coast Guard (USCG) Regulations

The USCG has implemented cybersecurity requirements for facilities regulated under the Maritime Transportation Security Act (MTSA). Key directives include:

  • NVIC 05-17: Requires MTSA-regulated facilities to include cybersecurity in their facility security assessments and plans. This involves addressing vulnerabilities in both IT and operational technology (OT) systems.
  • Reporting cybersecurity incidents to the National Response Center.
  • Encouraging the adoption of the NIST Cybersecurity Framework (CSF) and NIST SP 800-82 for securing industrial control systems.

3. International Association of Ports and Harbors (IAPH) Cybersecurity Guidelines

The IAPH has developed a nine-point plan to address cyber risks in ports, which includes:

  • Reviewing existing IMO guidance on maritime cyber risk management.
  • Developing additional guidance tailored to port-specific risks.
  • Assessing the financial, commercial, and operational impact of cyberattacks.

4. European Union (EU) Cybersecurity Regulations

The EU has designated ports as Operators of Essential Services (OES) under the NIS Directive. Recommendations include:

  • Implementing good practices for cybersecurity in the maritime sector, as outlined by the European Union Agency for Cybersecurity (ENISA).
  • Ensuring compliance with Regulation (EC) No 725/2004, which mandates cybersecurity measures for port facilities.

5. U.S. Executive Orders and Federal Initiatives

Recent U.S. federal actions include:

  • An Executive Order granting the Coast Guard authority to address cybersecurity threats in ports.
  • Mandating maritime industry partners to report cyber incidents and threats to government agencies.
  • Establishing minimum cybersecurity requirements for U.S. ports.

6. Cybersecurity by Design for Port Digitization

Regulators and industry experts recommend making cybersecurity a mandatory design requirement for new or upgraded port systems. This includes:

  • Conditioning funding and regulatory approvals on compliance with cybersecurity standards.
  • Ensuring that cybersecurity is integrated into the design and procurement of digital systems.

7. Key Frameworks and Standards

Port authorities are encouraged to adopt widely recognized cybersecurity frameworks, including:

  • NIST Cybersecurity Framework (CSF): A comprehensive framework for managing cybersecurity risks.
  • NIST SP 800-82: Guidelines for securing industrial control systems.
  • ENISA Good Practices for Cybersecurity in the Maritime Sector: Specific recommendations for European ports.

Summary of Recommendations

  1. Risk Assessments: Regularly assess and mitigate cyber risks in IT and OT systems.
  2. Incident Reporting: Establish mandatory reporting of cybersecurity incidents to relevant authorities.
  3. Framework Adoption: Implement frameworks like NIST CSF and ENISA guidelines.
  4. Cybersecurity by Design: Integrate cybersecurity into the design of new port systems.
  5. Training and Awareness: Conduct regular training for staff on cybersecurity best practices.
  6. Collaboration: Work with regulators, industry partners, and international organizations to share threat intelligence and improve resilience.

By following these recommendations, port authorities can better protect their operations from cyber threats. Resecurity provides a comprehensive portfolio of cybersecurity solutions and services designed to protect these environments from emerging threats; please contact us via contact@resecurity.com.
