
Port of Seattle refuses to pay Rhysida ransom, warns of data leak

The Port of Seattle refused to pay a ransom to cybercriminals that caused issues at the city’s airport and seaport ahead of the Labor Day holiday, officials confirmed on Friday.

In a statement, they said the attack was launched by the Rhysida ransomware group — which is responsible for recent attacks on the city of Columbus, Ohio and several leading hospitals.  

The hackers “may respond by posting data they claim to have stolen on their darkweb site,” according to the Port, which manages the city’s airport. 

“Our investigation of what data the actor took is ongoing, but it does appear that some Port data was obtained by the actor in mid-to-late August,” they said. They did not say when they will know the contents of what was stolen but pledged to contact those affected — including about “employee or passenger personal information.”

Steve Metruck, executive director of the Port of Seattle, said they are making progress in restoring affected systems but “paying the criminal organization would not reflect Port values or our pledge to be a good steward of taxpayer dollars.” 

The preliminary investigation into the incident — which caused viral scenes of airport workers writing flight information on dry erase boards and airlines routing thousands of bags with pen and paper — confirmed the hackers were able to encrypt some systems and data.

At its peak, the encryptions and the resulting system disconnections took down port services like “baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.” 

“Our team was able to bring the majority of these systems back online within the week, though work to restore some systems like our external website and internal portals is ongoing,” they said. 

Throughout the attack, which they said started on August 24, port officials reiterated that it was safe to fly through the airport and that they were able to make do with pen, paper and other tools.

They have not seen any new activity from the hackers since the initial attack, but “remain on heightened alert and are continuously monitoring our systems.”

Law enforcement agencies and cybersecurity experts were involved in the recovery process from the beginning, they said. 

Rhysida continues to be among the most damaging ransomware operations currently launching attacks. 

The group left the famed British Library disabled for weeks, and in addition to its attacks on the governments of cities like Columbus and federal agencies in Kuwait, the group’s extortion of a Chicago children’s hospital and Christmas season attack on a global Christian charity have caused outrage.

Correction: A previous version of the story incorrectly stated that the attack shut down the airport.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.