The Anubis ransomware group breached the IT network of an unnamed port authority on the Adriatic coast, encrypting operational systems and stealing sensitive records in an attack that halted cargo tracking, shipping schedules and customs processing, according to a case study published by US-based threat intelligence firm Resecurity on June 11, 2026.
Resecurity has not disclosed the identity of the affected port authority, describing it only as “one of the major port authorities in the EU.” The firm says it is sharing the case to raise awareness among maritime and critical infrastructure security teams, given what it calls a wider pattern of intensifying ransomware activity against ports and shipping operators.
How the attack unfolded
According to Resecurity’s analysis, the attackers gained initial access through a spear-phishing email sent to port authority employees, carrying a malicious attachment that deployed the ransomware once opened. From there, the group escalated privileges and moved laterally across the network, exploiting unpatched vulnerabilities to reach critical systems.
Resecurity says thousands of files were encrypted, taking down cargo tracking, shipping schedules and customs processing, while contracts and employee records were exfiltrated before encryption, a tactic ransomware groups use to pressure victims into paying even if backups allow recovery. Anubis reportedly demanded 10 million dollars in Bitcoin, threatening to publish the stolen data on the dark web if payment was not made within seven days.
Read Full Report – The Anubis Ransomware Attack on the Adriatic Port Authority
Resecurity notes that the intrusion exploited only IT-side weaknesses, including insecure Office 365 and Azure accounts, without any deliberate targeting of operational technology systems that run physical port equipment. Even so, the firm says the attack produced effects in the cyber-physical domain, forcing manual workarounds and disrupting real-world cargo movement. The firm also flags that data the attackers accessed, including port safety plans and security operation details, could hold value for organised crime groups involved in smuggling or insider recruitment, beyond its use for extortion.
Who is Anubis
Resecurity describes Anubis as a ransomware-as-a-service operation active since at least December 2024, distinct from the unrelated Android banking malware of the same name. The group has operated on Russian-language cybercrime forums under the aliases superSonic on RAMP and Anubis__media on XSS and Exploit, and launched a formal affiliate recruitment program on RAMP in February 2025.
Per Resecurity, Anubis offers affiliates an 80 percent cut for ransomware deployment, 60 percent for data extortion without encryption, and 50 percent for initial access brokers who supply network footholds, a structure more flexible than the standard double-extortion model used by most ransomware crews. The group has claimed, in its own forum postings cited by Resecurity, to have generated more than 20 million dollars from selling compromised remote access to enterprises worldwide. That revenue figure is the group’s own claim and has not been independently verified.
Resecurity attributes known Anubis intrusions to exploitation of internet-facing applications and account takeover, often via known or recently disclosed vulnerabilities and weak configurations, including SonicWall VPNs without multi-factor authentication, SolarWinds Web Help Desk (CVE-2025-26399), Cisco SSL VPNs and CitrixBleed2 (CVE-2025-5777). The firm says the group has targeted healthcare, construction and engineering organisations in Australia, Canada, Peru and the United States, while avoiding victims in former Soviet states and BRICS countries, a pattern common among Russian-speaking ransomware crews seeking to avoid scrutiny from local law enforcement.
Part of a wider pattern
Resecurity’s report places the Adriatic incident alongside a string of ransomware attacks on ports over the past decade. The 2017 NotPetya attack on Maersk caused a global IT and OT shutdown with losses estimated between 200 and 300 million dollars and a recovery period of more than a week. Other cited incidents include suspected Ryuk attacks on the Port of San Diego in 2018 and on MSC Geneva in 2020, a LockBit 3.0 attack on the Port of Nagoya in Japan in 2023 that halted its cargo handling system and affected Toyota’s operations for two to three days, a LockBit attack on the Port of Lisbon in 2023, an unspecified ransomware incident at the Port of Vigo in Spain reported in 2026 that forced a shift to manual cargo operations, and a separate LockBit-linked disruption at Nagoya in 2025.
Resecurity argues that such attacks can produce disruption comparable to kinetic strikes, pointing to the reported Israeli cyber operation against Iran’s Shahid Rajaee port as an earlier example of cyberattacks causing port-wide paralysis. The firm forecasts that attacks on ports and maritime operators will intensify between 2026 and 2030, driven by ongoing geopolitical tensions and the sector’s growing reliance on IoT, OT and interconnected logistics platforms, alongside hybrid tactics such as GPS spoofing and AIS manipulation. Ports handle roughly 90 percent of global trade by volume, making them an attractive target for both financially motivated criminal groups and state-linked actors conducting disruptive or espionage operations.
Response and recovery
Resecurity says the affected port authority worked with external cybersecurity firms and law enforcement after the breach, isolating compromised systems and commissioning a forensic investigation into the intrusion. Recovery using backup systems was reportedly slowed by outdated backup protocols. While authorities advised against paying the ransom, the report says negotiations took place to buy time while recovery work continued, and the port authority issued public statements to reassure partners that it was restoring operations.
What regulators recommend
Several regulatory bodies have issued cybersecurity guidance for ports in recent years. The International Maritime Organization has built cyber risk management into the International Safety Management Code and ship and facility Safety Management Systems. In the United States, the Coast Guard’s NVIC 05-17 requires facilities regulated under the Maritime Transportation Security Act to address cyber risk in their security assessments and report incidents to the National Response Center, while recent executive action has given the Coast Guard expanded authority over port cybersecurity and mandated incident reporting. The International Association of Ports and Harbors has put forward a nine-point cybersecurity plan, and the European Union classifies ports as operators of essential services under the NIS Directive, with the EU’s cybersecurity agency, ENISA, publishing maritime-specific good practice guidance. Industry bodies also point port operators toward the NIST Cybersecurity Framework and NIST SP 800-82 for securing industrial control systems, and are pushing for cybersecurity to be a mandatory design requirement, rather than an afterthought, in new port digitisation projects.
Why it matters
The case underscores a recurring weakness in port cybersecurity: attackers do not need to breach operational technology to cause physical disruption. Compromising ordinary IT accounts and cloud services was enough to take cargo tracking, scheduling and customs systems offline at the Adriatic port authority. Resecurity’s broader point is that most port operators still run outdated IT systems with limited cybersecurity maturity, leaving them ill-prepared for ransomware groups that are growing more organised, better funded through affiliate programs, and increasingly willing to combine encryption with data theft for double extortion.
This report is based on a case study and threat intelligence published by Resecurity. The exact identity of the affected port authority, the specific vulnerabilities exploited for lateral movement, and the outcome of any ransom negotiation have not been independently confirmed beyond what Resecurity has disclosed.