
Resecurity details Anubis ransomware attack on Adriatic Port Authority, exposing maritime infrastructure risks


New cyber threat intelligence from Resecurity provided further details on the Anubis ransomware group, which targeted the Adriatic Port Authority in a cyberattack that disrupted maritime logistics and exposed the growing risks facing critical transportation infrastructure. Hackers allegedly gained initial access through a spear-phishing email, then moved laterally across the network by exploiting unpatched vulnerabilities and escalating privileges. The attack encrypted systems supporting cargo tracking, shipping schedules, and customs processing and exfiltrated sensitive data, including contracts and employee records. 

Resecurity reported that hackers demanded a US$10 million bitcoin ransom and threatened to publish stolen information if payment was not made within seven days. The incident underscores how attacks against traditional IT environments can generate significant operational consequences in cyber-physical sectors without directly targeting OT (operational technology) systems. 

The Adriatic Port Authority (Autorità di Sistema Portuale del Mare Adriatico Centrale), which oversees the Port of Ancona in Italy, was initially compromised last December. The breach was subsequently attributed to the Anubis ransomware gang in January 2026, when the group publicly took credit for the attack and released the exfiltrated information.

The Resecurity post noted that the compromise affected maritime trade across the Adriatic region, forcing shipment disruptions and vessel rerouting while exposing weaknesses in aging port infrastructure and cybersecurity practices. The company warned that port authorities remain attractive targets for ransomware groups due to expanding digitalization, interconnected logistics platforms, and often limited cybersecurity maturity, factors that are expected to drive increased attacks against maritime supply chains and critical infrastructure through the remainder of the decade.

The attack on the Adriatic Port Authority was a targeted operation that demonstrates how nation-state actors could employ similar tactics, techniques, and procedures in gray-zone activities or broader geopolitical conflicts involving maritime infrastructure. According to Resecurity, the intrusion likely began with a spear-phishing email sent to employees that contained a malicious attachment. Once opened, the attachment deployed ransomware within the organization’s network.

After establishing an initial foothold, the attackers reportedly used privilege escalation techniques and exploited unpatched vulnerabilities to move laterally across the IT environment and gain access to critical systems. The ransomware encrypted thousands of files, disrupting access to essential functions such as cargo tracking, shipping schedules, and customs processing. Hackers also exfiltrated sensitive information, including contracts and employee records.

The Anubis ransomware group subsequently demanded a ransom payment of $10 million in Bitcoin and threatened to publish the stolen data on the dark web if the demand was not met within seven days. A ransom note left by the attackers warned of significant consequences should the organization refuse to comply.

The post highlighted that the attack caused significant disruption across the Adriatic region’s maritime trade and logistics sector. The Adriatic Port Authority was unable to process incoming and outgoing shipments, forcing vessels to reroute to alternative ports and disrupting normal cargo operations. The resulting downtime led to millions of dollars in economic losses, while businesses dependent on the port experienced supply chain delays and operational setbacks. 

Moreover, the breach damaged confidence in the port authority’s ability to protect its digital infrastructure and maintain operational resilience. More broadly, the incident underscored the continued attractiveness of critical infrastructure sectors, including ports, airports, and power grids, as targets for ransomware groups.

“The attackers targeted employees of the company that manages the Port Authority, considering them the weakest link in the chain due to their privileged access to the production systems and applications,” according to the Resecurity post. “An important area targeted by the attackers is safety plans and information about security operations. Such details may be extremely valuable to organized crime involved in smuggling, contraband, and insider recruitment.”

The researchers added that in the case of the Anubis ransomware, the attack did not require any specific targeting of OT infrastructure. The malicious activity was conducted strictly by exploiting IT system weaknesses, for instance insecure accounts used to manage Office 365/Azure, yet it still produced effects within the cyber-physical domain.

Following the attack, the Adriatic Port Authority worked with cybersecurity firms and law enforcement agencies to contain the incident and restore operations. The authority’s IT team isolated affected systems to prevent the ransomware from spreading further, while external threat-hunting specialists conducted forensic investigations to determine the root cause of the breach. Recovery efforts focused on restoring encrypted data from backup systems, although the use of outdated backup protocols reportedly slowed the restoration process.

Authorities generally advised against paying the ransom in order to avoid encouraging future attacks, though reports indicated that negotiations may have occurred to gain additional time for recovery activities. Throughout the response, the Adriatic Port Authority issued public statements aimed at reassuring partners, customers, and stakeholders that measures were underway to restore full operational functionality and strengthen resilience against future cyber threats.

In conclusion, the Resecurity post noted that the Anubis ransomware attack on the Adriatic Port Authority underscores the growing threat posed by sophisticated cybercriminals targeting critical sectors. As the global economy becomes increasingly interconnected, governments and organizations must invest in robust cybersecurity measures to protect vital infrastructure from future attacks.

“This incident serves as a stark reminder that no entity is immune to cyber threats, and proactive preparation is the best defense against the escalating ransomware epidemic,” it added. “Ransomware is a serious, escalating threat to port authorities and maritime operations. Real-world attacks have disrupted global shipping, exposed critical technical vulnerabilities, and caused significant financial and operational damage. The threat landscape is intensifying, with sophisticated ransomware groups targeting maritime infrastructure and supply chains, prompting urgent regulatory and cybersecurity responses.”

Recent incidents across the agriculture, pharmaceutical, and water sectors highlight the widening cyber threat landscape facing critical infrastructure operators. A cyberattack on Australia’s Mackay Sugar disrupted milling operations and logistics processes, demonstrating how attacks on industrial enterprises can quickly affect production and supply chains. In the pharmaceutical sector, Novo Nordisk disclosed unauthorized access to internal IT systems and the theft of sensitive clinical trial data, underscoring the value of healthcare and life sciences organizations as targets for cybercriminals seeking access to proprietary research and patient-related information. 

Meanwhile, Iran-linked Handala group’s claimed compromise of California Water Service (Cal Water) highlighted how intrusions into utility IT environments can expose potential pathways toward operational systems, raising concerns about the broader risks posed by IT-OT convergence.


