Anubis Ransomware Attack on Adriatic Port Highlights Maritime Security Risks

Anubis Ransomware Hits Adriatic Port, Stealing Port Safety Plans in $10M Extortion Attempt

HIGH
June 15, 2026
5m read
Ransomware · Cyberattack · Industrial Control Systems

Related Entities

Threat Actors: Anubis


Executive Summary

A ransomware attack targeting a major port authority on the Adriatic Sea has exposed the severe and converging risks of cyber and physical threats in the maritime sector. The attack, claimed by the Anubis ransomware group, not only crippled port operations and led to a $10 million ransom demand but also resulted in the exfiltration of highly sensitive documents. According to analysis by Resecurity, the stolen data included port safety plans and details of security operations. This type of information is a goldmine for organized crime, potentially enabling smuggling, theft, or even terrorist activities. The incident, which originated from a simple spear-phishing email, demonstrates how a single cyber intrusion can compromise the physical security and integrity of critical national infrastructure.

Threat Overview

The attack was initiated on December 11, 2025, and publicly claimed by the Anubis ransomware group in January 2026. Anubis operates a ransomware-as-a-service (RaaS) model and should not be confused with the older Android malware of the same name. The attack had several components:

  • Operational Disruption: The ransomware deployment crippled the port's IT systems, forcing vessels to be rerouted.
  • Extortion: The group demanded a $10 million ransom in Bitcoin.
  • Data Exfiltration: The attackers stole a significant amount of data. The port authority stated that, thanks to backups, only about 2% of its data was lost; backups restore availability, though, and do nothing about the copies already in the attackers' hands, so the sensitivity of what was taken is the primary concern. The stolen material included contracts, employee records and, most critically, port safety and security operations plans.

Technical Analysis

Resecurity's investigation revealed a classic attack chain that bypassed the need to directly target hardened Operational Technology (OT) systems.

  1. Initial Access: The attackers used T1566.002 - Spearphishing Link to target staff at the company managing the port. A malicious link in an email likely led to credential harvesting.
  2. Lateral Movement & Privilege Escalation: With valid credentials, the attackers moved laterally from the initial point of compromise. They discovered and abused insecurely configured cloud accounts for Microsoft 365 and Azure, escalating their privileges within the cloud and hybrid environment (T1078.004 - Cloud Accounts).
  3. Collection & Impact: From their privileged position in the cloud, the attackers accessed and exfiltrated sensitive files held in SharePoint or other cloud repositories (T1530 - Data from Cloud Storage). They then deployed the ransomware payload across the reachable IT network (T1486 - Data Encrypted for Impact).

This 'cloud-first' compromise path highlights a modern attack vector where threat actors can cause massive disruption without ever touching an OT network directly.

Impact Assessment

The impact of this attack extends far beyond financial loss or operational downtime. The theft of port safety and security plans represents a catastrophic failure of information security with direct physical world consequences. This information is invaluable to:

  • Smugglers: Knowing security patrol routes, camera blind spots, and cargo inspection procedures can facilitate illicit trade.
  • Organized Crime: Groups can use this information to plan cargo theft or recruit insiders by identifying and blackmailing key personnel whose data was also stolen.
  • Terrorists: Detailed security plans could be used to plan a physical attack on the port, which is critical infrastructure.

This incident is a textbook example of how cyberattacks can serve as a precursor or enabler for physical crimes and threats to national security. The $10 million ransom demand is almost secondary to the value of the exfiltrated intelligence.

Detection & Response

  • Email Security: Use advanced email security gateways to block spear-phishing attempts. This includes link protection and attachment sandboxing (D3-ITF - Inbound Traffic Filtering).
  • Cloud Security Posture Management (CSPM): Continuously scan cloud environments (Azure, M365) for misconfigurations, public-facing storage, and overly permissive IAM roles. Alert on any unauthorized changes.
  • Identity Threat Detection and Response (ITDR): Monitor for anomalous login activities, such as logins from unusual locations or impossible travel scenarios, and MFA fatigue attacks (D3-UGLPA - User Geolocation Logon Pattern Analysis).
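The ITDR checks above (impossible travel and MFA fatigue), together with a check for successful sign-ins over legacy protocols that cannot carry an MFA challenge, run over a handful of sign-in records. This is an added example, not code from the article, Resecurity or Microsoft: the record fields (ts, user, ip, lat, lon, app, client, result, mfa) are a simplified assumption rather than the exact Entra ID sign-in log schema, and every account, IP address and coordinate in the sample is constructed.

```python
"""Added example (not from the article, Resecurity or Microsoft): three ITDR checks
run over constructed Entra ID-style sign-in records. The record fields are a
simplified assumption, not the exact sign-in log schema."""
import json
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-ins (documentation IP ranges, invented accounts and
# coordinates). One user "moves" Venice -> Moscow in 40 minutes and then logs in
# over IMAP4; another approves a push after three denied prompts in four minutes.
SAMPLE_LOG = """\
{"ts":"2025-12-11T08:02:10Z","user":"ops.clerk@port.example","ip":"203.0.113.10","lat":45.44,"lon":12.33,"app":"SharePoint Online","client":"Browser","result":"success","mfa":"notRequired"}
{"ts":"2025-12-11T08:41:55Z","user":"ops.clerk@port.example","ip":"198.51.100.77","lat":55.75,"lon":37.62,"app":"Exchange Online","client":"Browser","result":"success","mfa":"notRequired"}
{"ts":"2025-12-11T09:10:00Z","user":"ops.clerk@port.example","ip":"198.51.100.77","lat":55.75,"lon":37.62,"app":"Exchange Online","client":"IMAP4","result":"success","mfa":"notRequired"}
{"ts":"2025-12-11T21:00:00Z","user":"hr.lead@port.example","ip":"192.0.2.5","lat":45.44,"lon":12.33,"app":"Azure Portal","client":"Browser","result":"failure","mfa":"denied"}
{"ts":"2025-12-11T21:01:10Z","user":"hr.lead@port.example","ip":"192.0.2.5","lat":45.44,"lon":12.33,"app":"Azure Portal","client":"Browser","result":"failure","mfa":"denied"}
{"ts":"2025-12-11T21:02:20Z","user":"hr.lead@port.example","ip":"192.0.2.5","lat":45.44,"lon":12.33,"app":"Azure Portal","client":"Browser","result":"failure","mfa":"denied"}
{"ts":"2025-12-11T21:04:00Z","user":"hr.lead@port.example","ip":"192.0.2.5","lat":45.44,"lon":12.33,"app":"Azure Portal","client":"Browser","result":"success","mfa":"approved"}
{"ts":"2025-12-11T07:55:00Z","user":"harbour.master@port.example","ip":"203.0.113.22","lat":45.44,"lon":12.33,"app":"SharePoint Online","client":"Browser","result":"success","mfa":"approved"}
{"ts":"2025-12-11T12:30:00Z","user":"harbour.master@port.example","ip":"203.0.113.22","lat":45.44,"lon":12.33,"app":"SharePoint Online","client":"Browser","result":"success","mfa":"approved"}
"""

# Client types that never carry an MFA challenge; a *successful* sign-in over one
# of them is a policy gap no matter who is behind it.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible travel"
FATIGUE_WINDOW_S = 600      # 10-minute window for counting denied MFA prompts
FATIGUE_THRESHOLD = 3       # denied prompts in the window before an approval is suspicious


def parse_log(text):
    """Parse JSON-lines sign-in records and sort them by user, then time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: (e["user"], e["ts"]))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events):
    """Consecutive successful sign-ins by one user whose implied speed beats MAX_PLAUSIBLE_KMH."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append({"user": user, "km": round(km), "kmh": round(km / hours) if hours else None,
                                 "from_ip": prev["ip"], "to_ip": cur["ip"]})
    return findings


def legacy_auth_logons(events):
    """Successful sign-ins over protocols that bypass MFA entirely."""
    return [{"user": e["user"], "client": e["client"], "ip": e["ip"], "ts": e["ts"].isoformat()}
            for e in events if e["result"] == "success" and e["client"] in LEGACY_CLIENTS]


def mfa_fatigue(events):
    """An MFA approval preceded by >= FATIGUE_THRESHOLD denied prompts inside FATIGUE_WINDOW_S."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        denied = []
        for e in evs:
            # keep only denials still inside the sliding window, then act on this event
            denied = [t for t in denied if (e["ts"] - t).total_seconds() <= FATIGUE_WINDOW_S]
            if e["mfa"] == "denied":
                denied.append(e["ts"])
            elif e["mfa"] == "approved" and len(denied) >= FATIGUE_THRESHOLD:
                findings.append({"user": user, "denied_prompts": len(denied), "approved_at": e["ts"].isoformat()})
                denied = []
    return findings


def run_checks(log_text):
    events = parse_log(log_text)
    return {"impossible_travel": impossible_travel(events),
            "legacy_auth": legacy_auth_logons(events),
            "mfa_fatigue": mfa_fatigue(events)}


if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_LOG), indent=2))
```

In a real deployment the coordinates come from the sign-in log's location object rather than embedded lat/lon fields, and the speed threshold needs an allow-list for corporate VPN egress points, which otherwise generate constant false positives. Of the three findings, the IMAP4 logon is the one to act on first: a successful legacy-protocol sign-in means MFA was never in the path at all, whatever the conditional access policy says.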

Mitigation

  1. User Training: Train employees to recognize and report phishing emails. This is a critical first line of defense (M1017 - User Training).
  2. Cloud Hardening: Secure all cloud accounts with strong passwords and mandatory MFA (M1032 - Multi-factor Authentication). Regularly audit IAM roles and permissions to enforce the principle of least privilege.
  3. Data Classification and Access Control: Classify data based on sensitivity. Highly sensitive documents like port safety plans should be stored in a highly restricted environment with strict access controls, encryption, and robust auditing (M1022 - Restrict File and Directory Permissions). Access should be logged and reviewed regularly.

Timeline of Events

  1. December 11, 2025: The ransomware attack on the Adriatic port authority is initiated.
  2. January 1, 2026: The Anubis ransomware group publicly claims responsibility for the attack.
  3. June 11, 2026: Resecurity publishes its analysis of the incident.
  4. June 15, 2026: This article is published.

MITRE ATT&CK Mitigations

  • M1017 - User Training: Train employees to identify and report spear-phishing emails.
  • M1032 - Multi-factor Authentication: Enforce MFA on all cloud accounts to prevent credential abuse.
  • M1022 - Restrict File and Directory Permissions: Apply strict access controls to sensitive documents like security plans.
  • Regularly audit cloud configurations for security weaknesses using CSPM tools.

D3FEND Defensive Countermeasures

The entire attack chain on the Adriatic port hinged on credentials harvested through spear-phishing. Mandatory Multi-Factor Authentication (MFA) on all accounts, and above all on cloud accounts (Microsoft 365, Azure), would have been the most effective countermeasure, and the factor chosen matters. SMS codes are the weakest option, vulnerable to SIM swapping. Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) are a clear improvement, but a one-time code or push approval is still phishable: an adversary-in-the-middle phishing page relays the code in real time, and push prompts are defeated by MFA fatigue. Only FIDO2/WebAuthn credentials, passkeys or hardware security keys (e.g., YubiKey), are phishing-resistant, because the signed assertion is bound to the legitimate site's origin and is useless to a spoofed login page. With any second factor in place a stolen password alone no longer grants access; with a phishing-resistant one, the credential-harvesting link itself stops working. This maps to D3FEND's D3-MFA (Multi-factor Authentication) and is a foundational control for securing any modern enterprise.

The attackers exploited 'insecure cloud accounts', which points to a failure in configuration hardening. Organizations should use a Cloud Security Posture Management (CSPM) tool to continuously scan their Azure and Microsoft 365 environments for misconfigurations. For the port authority, this would involve:

  1. Identifying and remediating overly permissive IAM roles, including the number of standing Global Administrator assignments.
  2. Eliminating public access to storage containers (e.g., Azure Blob containers) and external sharing on SharePoint sites that hold sensitive data.
  3. Enforcing Conditional Access policies that restrict logins to known devices and compliant endpoints, and confirming they are actually enforced rather than left in report-only mode.
  4. Disabling legacy authentication protocols (IMAP, POP3, SMTP AUTH, Exchange ActiveSync) that cannot carry an MFA challenge.

A hardened cloud configuration reduces the 'blast radius' of a compromised account, preventing an attacker from easily escalating privileges or reaching sensitive data stores like the port safety plans.
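The four hardening points above, as a posture check in code. This is an added example and not code from the article, Resecurity or any CSPM product. It evaluates a constructed snapshot whose field names follow the Microsoft Graph conditional access schema (state, conditions.users.includeUsers, conditions.clientAppTypes, grantControls.builtInControls), the Azure Blob container publicAccess property and the SharePoint sharingCapability setting; every account, URL and container name is invented, and the MAX_GLOBAL_ADMINS threshold is an assumption.

```python
"""Added example (not from the article, Resecurity or any vendor CSPM): posture
checks over a constructed snapshot of Entra ID conditional access, Azure role
assignments, Blob containers and SharePoint sites. Field names follow the
Microsoft Graph / Azure schemas; every value in the snapshot is invented."""
import copy

SENSITIVE_LABELS = {"Restricted", "Highly Confidential"}
MAX_GLOBAL_ADMINS = 5   # assumed threshold for standing Global Administrators

# Constructed weak posture: MFA-for-all only in report-only mode, legacy-auth
# block disabled, a public container holding safety plans, an externally
# shareable site labelled Restricted, and six standing Global Administrators.
WEAK_SNAPSHOT = {
    "conditional_access_policies": [
        {"displayName": "Require MFA for all users",
         "state": "enabledForReportingButNotEnforced",
         "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
         "grantControls": {"builtInControls": ["mfa"]}},
        {"displayName": "Block legacy authentication",
         "state": "disabled",
         "conditions": {"users": {"includeUsers": ["All"]},
                        "clientAppTypes": ["exchangeActiveSync", "other"]},
         "grantControls": {"builtInControls": ["block"]}},
    ],
    "role_assignments": [{"principal": f"admin{i}@port.example", "role": "Global Administrator"}
                         for i in range(6)]
                        + [{"principal": "helpdesk@port.example", "role": "Helpdesk Administrator"}],
    "storage_containers": [
        {"account": "portdocsstore", "name": "safety-plans", "publicAccess": "Blob"},
        {"account": "portdocsstore", "name": "invoices", "publicAccess": "None"},
    ],
    "sharepoint_sites": [
        {"url": "https://port.example/sites/SecurityOps", "sensitivityLabel": "Restricted",
         "sharingCapability": "ExternalUserAndGuestSharing"},
        {"url": "https://port.example/sites/Cafeteria", "sensitivityLabel": "General",
         "sharingCapability": "ExternalUserAndGuestSharing"},
    ],
}


def _enforced_for_all(p):
    # Report-only ("enabledForReportingButNotEnforced") and "disabled" do not protect anyone.
    return p["state"] == "enabled" and "All" in p["conditions"]["users"].get("includeUsers", [])


def ca_requires_mfa_for_all(policies):
    return any(_enforced_for_all(p) and "mfa" in p["grantControls"]["builtInControls"]
               for p in policies)


def ca_blocks_legacy_auth(policies):
    """An enforced policy that blocks the two legacy client types for all users."""
    return any(_enforced_for_all(p)
               and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", []))
               and "block" in p["grantControls"]["builtInControls"]
               for p in policies)


def public_containers(containers):
    # publicAccess is "None", "Blob" or "Container"; anything but "None" is anonymous-readable
    return [c for c in containers if c["publicAccess"] != "None"]


def overshared_sensitive_sites(sites):
    return [s for s in sites
            if s.get("sensitivityLabel") in SENSITIVE_LABELS and s["sharingCapability"] != "Disabled"]


def global_admins(assignments):
    return [a["principal"] for a in assignments if a["role"] == "Global Administrator"]


def evaluate(snapshot):
    """Return one finding per failed check, in a fixed order."""
    findings = []
    pol = snapshot["conditional_access_policies"]
    if not ca_requires_mfa_for_all(pol):
        findings.append({"check": "ca_mfa_all_users",
                         "detail": "no enforced policy requires MFA for all users (report-only does not count)"})
    if not ca_blocks_legacy_auth(pol):
        findings.append({"check": "ca_block_legacy_auth",
                         "detail": "no enforced policy blocks exchangeActiveSync/other clients"})
    for c in public_containers(snapshot["storage_containers"]):
        findings.append({"check": "public_container", "detail": f"{c['account']}/{c['name']}"})
    for s in overshared_sensitive_sites(snapshot["sharepoint_sites"]):
        findings.append({"check": "sensitive_site_external_sharing", "detail": s["url"]})
    admins = global_admins(snapshot["role_assignments"])
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append({"check": "global_admin_count",
                         "detail": f"{len(admins)} standing Global Administrators"})
    return findings


def harden(snapshot):
    """Return a remediated copy. Settings a tool can safely flip are fixed; the
    Global Administrator count is left as a finding because deciding who loses
    the role is a human decision."""
    s = copy.deepcopy(snapshot)
    for p in s["conditional_access_policies"]:
        p["state"] = "enabled"
    for c in s["storage_containers"]:
        c["publicAccess"] = "None"
    for site in s["sharepoint_sites"]:
        if site.get("sensitivityLabel") in SENSITIVE_LABELS:
            site["sharingCapability"] = "Disabled"
    return s


if __name__ == "__main__":
    for f in evaluate(WEAK_SNAPSHOT):
        print("WEAK    ", f["check"], "-", f["detail"])
    for f in evaluate(harden(WEAK_SNAPSHOT)):
        print("HARDENED", f["check"], "-", f["detail"])
```

The point the check on the first policy makes is easy to miss in a portal: a Conditional Access policy in report-only mode logs what it would have done and protects nobody, so a posture scan has to test the state field, not just the policy's existence. A production check would also verify that the enforced MFA policy excludes only the designated break-glass accounts.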


Sources & References

Adriatic Port Cyber-Attack Sparks Warning Over Maritime Security
Infosecurity Magazine (infosecurity-magazine.com)

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

Anubis · Ransomware · Maritime · Port Security · Critical Infrastructure · Resecurity · RaaS · Spear-phishing
