It’s been over three weeks since the still struggling Seattle-Tacoma International Airport was hit by a massive cyberattack on August 24th. Now, the Rhysida ransomware gang has come forward demanding 100 bitcoin to release its encrypted files. Will they pay?
The cybercriminal group posted the Port of Seattle (SEA), which oversees Seattle-Tacoma International Airport (Sea-Tac), on its dark web leak site over the weekend.
The gang has ceremoniously given the Port a seven-day countdown to pay a 100 bitcoin ransom demand, the equivalent of about $5.82 million, before it offers up the stolen data to other criminals.
The Washington State airport typically handles about 1,400 flights a day between arrivals and departures, hosting major carriers such as Alaska Airlines and Delta Air Lines and smaller carriers Frontier, Spirit, Sun Country, JetBlue, and International Airlines, which have been more severely affected by the outage.
SEA addressed the ransomware claim in a September 13th update posted on social media and on its interim Port of Seattle website.
“The Port has refused to pay the ransom demanded, and as a result, the actor may respond by posting data they claim to have stolen on their dark website,” SEA said about Rhysida's post on Friday.
The Port’s website, which has been down since the Sea-Tac ransomware attack, has been piggybacking off the Washington Ports’ official website until further notice.
Based on its investigation involving the FBI, Homeland Security, and the Transportation Security Administration (TSA), Port officials said the gang was “able to gain access to certain parts of our computer systems and was able to encrypt access to some data.”
Cybersecurity teams quickly disconnected SEA’s systems from the internet, but not before services such as airport baggage handling, check-in kiosks, ticketing, airport WiFi, passenger display boards, and the flySEA and reserved parking apps were knocked offline.
Sea-Tac was able to continue operating, at one point issuing handwritten boarding passes, and said most of the airport's customer services have since been restored, leaving only internal portals still experiencing issues.
On Aug. 24, the Port of Seattle identified system outages consistent with a cyberattack. It was a fast-moving situation, and Port staff worked to quickly isolate critical systems. pic.twitter.com/MruG4jXXUc
Seattle-Tacoma Intl. Airport (@flySEA), September 13, 2024
Port officials did acknowledge that sensitive information was accessed by the hackers in mid-to-late August, but also said they are still determining what that data was.
“In particular, if we identify that the actor obtained employee or passenger personal information, we will carry out our responsibilities to inform them,” officials said.
A sample of alleged internal SEA documents appears to show copies of passports, schematics of the airport facilities, and employee tax documents containing names, addresses, social security numbers, and more.
Since the attack, SEA said it has stepped up by adding new security measures, including “strengthening our identity management and authentication protocols, as well as enhancing our monitoring.”
Who is Rhysida?
The Russian-affiliated Rhysida group has claimed more than 115 victims on its dark blog since its inception in May 2023.
The gang is known for going after “targets of opportunity” and has infiltrated various sectors including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.
The group's namesake ransomware has been labeled as "unsophisticated" and typically gains entry through phishing attacks or by exploiting vulnerabilities, with the Cobalt Strike pen-testing toolkit used along the way.
Last month the gang went after the Washington Times newspaper, offering to auction off the news organization's stolen data for a mere 5 bitcoin.
In July, Rhysida successfully targeted the City of Columbus, Ohio, also triggering weeks-long outages of city services, the reconstruction of the city’s official website, and an investigation that is still ongoing.
Rhysida is said to operate as a ransomware-as-a-service (RaaS) outfit selling its crude hacking tools to other “criminal affiliates” for a cut of the profits, and often practices double extortion, where even after a victim has paid for a decryption key, the gang threatens to leak the stolen data unless it receives a second payout.
Earlier this year the gang claimed responsibility for breaching the British Library, the UK’s national library and considered the world’s largest repository of historical knowledge, as well as the Anne & Robert H. Lurie Children’s Hospital in Chicago.