Anubis Ransomware Hits Italian Adriatic Port Authority, Exposing Maritime Security Gaps
The Anubis ransomware group breached the Adriatic Port Authority in Italy, stealing sensitive operational data and demanding a $10 million Bitcoin ransom, highlighting growing maritime cyber risks.
The Anubis ransomware group has breached the Adriatic Port Authority (Autorità di Sistema Portuale del Mare Adriatico Centrale), which operates the Italian port of Ancona, stealing sensitive operational data and demanding a $10 million Bitcoin ransom. The attack, detailed in a June 11 analysis by threat intelligence firm Resecurity, underscores the escalating vulnerability of maritime infrastructure to ransomware-driven extortion.
The breach dates back to December 11, 2025, and was attributed to Anubis in January 2026, when the group listed the port authority on its data leak site and released stolen data. The port authority stated that approximately 2% of its data was lost, with backups preserving the rest, and described most of the stolen material as public or soon-to-be-public. However, employee records reached the dark web, and Resecurity's account painted a more dire picture: crippled operations, rerouted vessels, and a reported $10 million Bitcoin ransom demand.
The stolen data, according to Resecurity, included contracts, employee records, and critically, port safety plans and details of security operations—information prized by groups involved in smuggling or insider recruitment. The attackers gained initial access through a spear-phishing email targeting staff at the company that manages the port, then moved laterally to core systems. Notably, the attack did not target operational technology (OT); it exploited IT weaknesses such as insecure cloud accounts managing Office 365 and Azure.
Anubis surfaced in December 2024 and launched an affiliate program in February 2025, renting out its toolkit through a ransomware-as-a-service (RaaS) model built around double extortion. The group offers affiliates 80% for deploying ransomware, 60% for data extortion, and 50% for initial access brokers—a model it boasts has earned more than $20 million, with victims across healthcare, construction, and engineering. Resecurity tied the group to mass exploitation of internet-facing systems, often via known but unpatched flaws, including SonicWall VPNs without multi-factor authentication, SolarWinds Web Help Desk (CVE-2025-26399), Cisco SSL VPNs, and the CitrixBleed 2 flaw (CVE-2025-5777).
The attack on the Adriatic Port Authority is part of a broader trend of ransomware hits on ports, from Maersk to Japan's Nagoya. Resecurity warned that outdated port IT and thin cyber maturity leave the sector exposed as digitization widens the attack surface, a growing maritime security concern expected to deepen through 2030. The incident serves as a stark reminder that critical transportation infrastructure remains a prime target for financially motivated cybercriminals.
In response, the port authority has implemented additional security measures and is working with law enforcement. The attack highlights the need for maritime organizations to strengthen their cybersecurity postures, particularly around phishing defenses, cloud security, and patch management. As ransomware groups like Anubis continue to evolve their tactics, the maritime sector must prioritize cyber resilience to prevent future disruptions that could have cascading effects on global supply chains.