Anubis Ransomware Disrupts European Ports, ₹94 Crores Ransom Demanded


Threat intelligence firm Resecurity has disclosed that the Russian-language Anubis ransomware group infiltrated the IT infrastructure of an unidentified major European port authority located along the Adriatic coast, stealing confidential security documentation and demanding a $10 million Bitcoin payment following a disruption of customs operations and cargo management systems.

Incident Overview

The incident, detailed in a June 11, 2026, case study, highlights vulnerabilities in maritime infrastructure and the escalating threat of ransomware targeting critical logistics networks.

Details of the Breach

The breach began with a targeted spear-phishing campaign directed at port authority personnel, which delivered a malicious attachment capable of deploying the ransomware upon execution. Attackers then leveraged privilege escalation techniques to traverse the network, exploiting unpatched software flaws to access essential systems.

Impact of the Attack

Thousands of files were encrypted, halting cargo tracking, shipping schedules, and customs processing. Sensitive data, including contracts and employee records, was exfiltrated prior to encryption, a common tactic to pressure victims into paying ransoms even when backups are available.

Attack Methodology

Initial Breach and Spear-Phishing

The attack started with a spear-phishing campaign targeting port authority staff. The malicious attachment exploited user trust to execute the ransomware payload, bypassing initial security measures.

Privilege Escalation and Network Traversal

Attackers used privilege escalation techniques to move laterally across the network. Unpatched software flaws, such as those in Office 365 and Azure accounts, were exploited to gain access to critical systems.

Group Operations

Anubis Ransomware-as-a-Service

Anubis, identified as a ransomware-as-a-service operation active since December 2024, operates through Russian-language cybercrime forums under multiple aliases. The group offers affiliates varying revenue shares for ransomware deployment, data extortion, and initial access provision.

Targeting Strategy

The group has targeted entities in Australia, Canada, Peru, and the U.S., avoiding jurisdictions with stricter law enforcement scrutiny. Resecurity attributes the group's attacks to vulnerabilities in internet-facing applications, including unsecured SonicWall VPNs, SolarWinds Web Help Desk (CVE-2025-26399), Cisco SSL VPNs, and CitrixBleed2 (CVE-2025-5777).

Broader Trends in Maritime Cyberattacks

The Adriatic incident aligns with a broader trend of ransomware attacks on maritime infrastructure. Notable examples include the 2017 NotPetya attack on Maersk, which caused $200–300 million in damages, and recent LockBit and Ryuk attacks on ports in Japan, the U.S., and Europe.

Historical Precedents

Resecurity warns that such attacks can create disruptions comparable to physical strikes, citing the 2020 Israeli cyber operation against Iran’s Shahid Rajaee port as a precedent. The firm predicts increased targeting of ports and shipping operators between 2026 and 2030 due to geopolitical tensions and the sector’s growing reliance on IoT, OT, and interconnected logistics systems.

Response and Recovery

Following the breach, the affected port authority collaborated with cybersecurity firms and law enforcement to isolate compromised systems and initiate forensic analysis. Recovery efforts were delayed by outdated backup procedures, though negotiations with attackers occurred to facilitate restoration.

Regulatory Measures

Regulatory bodies have since reinforced cybersecurity mandates for ports, including the International Maritime Organization’s integration of cyber risk management into safety protocols, the U.S. Coast Guard’s NVIC 05-17 requirements, and the EU’s NIS Directive classification of ports as critical infrastructure.

Cybersecurity Challenges in Port Operations

The case underscores the vulnerability of port operations to cyberattacks that exploit standard IT systems rather than specialized industrial controls. Resecurity emphasizes that many port authorities maintain outdated IT environments with insufficient security measures, leaving them exposed to increasingly organized ransomware groups.

Recommendations for Improvement

The report highlights the need for stricter cybersecurity integration in port digitization projects and adherence to frameworks such as NIST SP 800-82 for industrial control system protection.

Limitations and Verification

Resecurity’s findings are based on a case study and threat intelligence analysis, with the affected port’s identity, specific vulnerabilities, and ransom negotiation outcomes remaining unverified beyond the firm’s disclosures.


