Port Under Siege: The Anubis Ransomware Attack on Ancona and the Maritime Cyber Crisis
A ransomware group less than two years old has struck at the heart of Italian maritime infrastructure — and analysts say the industry's digital vulnerabilities make it an increasingly attractive target well into the decade
June 16, 2026
On December 11, 2025, a spear-phishing email landed in the inbox of an employee at a company managing Italy's Port of Ancona. Whoever opened it had no way of knowing they had just handed a criminal organisation the keys to one of the Adriatic's most strategically important transport hubs. By January 2026, the Anubis ransomware group had publicly claimed the attack on its dark web leak site, publishing approximately 56,000 stolen files and reportedly demanding $10 million in Bitcoin for the return of operations.
The Adriatic Port Authority (Autorità di Sistema Portuale del Mare Adriatico Centrale) said the breach ultimately affected around 2% of its total data, with backups preserving most of the rest. It described the stolen material as largely public or soon-to-be-public — with the notable exception of employee records, which reached the dark web. Threat intelligence firm Resecurity, which published its detailed analysis of the attack on June 11, 2026, told a more turbulent story: crippled operations, rerouted vessels, and a ransom demand calibrated for maximum pressure on a port that handles millions of tonnes of cargo annually.
The gap between those two accounts — the official and the forensic — reflects a tension that has become standard in maritime ransomware incidents. Port authorities are acutely aware that public disclosure of operational disruption can damage commercial relationships, destabilise insurance positions, and invite further scrutiny. Attackers, conversely, have every incentive to amplify the claimed impact during negotiations. The truth, in most cases, lives somewhere in between — and the consequences are real regardless of which version prevails.
Anatomy of the Attack
Resecurity's reconstruction of the Ancona incident provides a detailed picture of how a financially motivated criminal group can bring a national transport authority to its knees without touching a single piece of operational technology.
The attack followed a textbook progression. A spear-phishing email — targeted at staff at the company responsible for managing port operations — carried a malicious attachment. Once opened, it provided the attacker with initial access to the network. Lateral movement followed: the attackers traversed the internal environment, escalating privileges and identifying high-value data stores, before ultimately exfiltrating their prize and deploying ransomware.
What is particularly significant about the Ancona attack is what it did not require. Resecurity noted that the attackers never needed to target operational technology — the ship guidance systems, cargo handling infrastructure, and terminal control systems that directly govern physical port operations. They achieved their impact entirely through IT weaknesses: insecure cloud accounts managing Office 365 and Azure environments, the kinds of misconfigured corporate infrastructure that exist in thousands of organisations worldwide.
The data stolen went well beyond employee records. According to Resecurity, the haul included contracts, internal communications, and — most critically — port safety plans and details of security operations. This category of material is of interest far beyond the ransomware economy. Safety plans detailing physical access controls, security patrol schedules, and emergency response procedures are precisely the intelligence prized by criminal networks involved in smuggling, insider threat recruitment, and physical infiltration. A ransomware attack that monetises through encryption is also, potentially, an intelligence operation that monetises through a very different market.
Who Is Anubis?
The group behind the attack emerged in December 2024, surfacing on Russian-language cybercrime forums under what analysts believe was an earlier codename: Sphinx. Early samples of Sphinx ransomware lacked a Tor site and unique victim identifiers — signs of either active development or operator inexperience. By February 2025, a threat actor using the alias "superSonic" had advertised a "new format" affiliate program on the RAMP cybercrime forum, and Anubis was formally open for business.
Operational indicators suggest Anubis operators are Russian-speaking and likely operate within or around CIS regions. Their targeting patterns consistently exclude former Soviet states — a behaviour common among Russian-aligned ransomware groups that reflects both cultural affinity and, in some cases, tacit tolerance from local authorities for operations directed outward.
Anubis is unrelated to the older Android banking malware of the same name, and distinct from the Anubis backdoor historically associated with the FIN7 financial crime group. The name is the only shared feature.
The Business Model
What distinguishes Anubis from earlier ransomware operations is the sophistication of its commercial structure. Rather than a flat revenue split, the group offers a tiered affiliate program calibrated to different types of criminal involvement:
- 80% to affiliates who deploy ransomware directly against targets
- 60% to affiliates who conduct data extortion without encryption
- 50% to initial access brokers who sell network entry points into organisations, enabling Anubis affiliates to skip the intrusion phase entirely
This modular approach allows Anubis to recruit different types of criminal specialists — hackers who are skilled at initial compromise but not at ransomware deployment, extortionists who prefer data theft over disruptive encryption, and brokers who maintain portfolios of pre-compromised access — and plug them into a common operational and monetisation infrastructure.
Trend Micro analysts, writing in June 2025, described Anubis as "an emerging ransomware-as-a-service group that adds a destructive edge to the typical double-extortion model with its file-wiping feature." That edge is significant: Anubis ransomware includes an optional wipe mode that permanently overwrites file contents, rendering recovery impossible even if a ransom is paid. This capability fundamentally alters the extortion dynamic. The implied threat is no longer "pay us or we publish your data" — it is "pay us or your data is gone forever."
The group boasts that its model has earned more than $20 million since launch, with confirmed victims spanning healthcare, construction, and engineering across Australia, Canada, the United States, and Europe. The Adriatic Port Authority is its most consequential infrastructure target to date.
Exploitation Toolkit
Resecurity tied Anubis affiliates to mass exploitation of internet-facing systems via known but unpatched vulnerabilities — what the security community calls N-days: flaws that have been publicly disclosed and theoretically patched, but which remain exploitable at organisations that have not kept pace with updates. The group's documented initial access vectors include SonicWall VPNs lacking multi-factor authentication, SolarWinds Web Help Desk (CVE-2025-26399), Cisco SSL VPNs, and CitrixBleed 2 (CVE-2025-5777).
None of these are zero-day exploits requiring novel research. They are known, documented, patched vulnerabilities — which makes their continued effectiveness a damning assessment of patch management discipline across the sectors Anubis targets.
A Pattern, Not an Anomaly
The Ancona attack does not exist in isolation. It is the latest chapter in a documented pattern of ransomware targeting maritime infrastructure that has accelerated sharply over the past decade — and whose trajectory shows no sign of reversal.
The foundational case study is Maersk in 2017, when NotPetya — the Russian state-sponsored wiper malware — struck the world's largest container shipping company as collateral damage in an operation targeting Ukrainian businesses. NotPetya infiltrated 45,000 devices and 4,000 servers across 600 Maersk locations worldwide within minutes. Staff reverted to WhatsApp messages and handwritten notes to keep goods moving. The disruption cost Maersk an estimated $250 to $300 million — making it one of the costliest cyberattacks in corporate history at the time. Maersk was not even the intended target. The company simply happened to use the same accounting software as the intended targets.
In July 2023, the Port of Nagoya — Japan's largest port, handling approximately 10% of the country's international trade — was shut down for several days by LockBit 3.0 ransomware, which encrypted the port's computerised container handling system. The Nagoya Harbor Transportation Association was unable to process container loading and unloading operations until systems were restored from backups.
In November 2023, DP World Australia, which manages approximately 40% of Australia's maritime freight, suspended operations across terminals in Sydney, Melbourne, Brisbane, and Fremantle following a cybersecurity breach. Operations at four of the country's five busiest port terminals were simultaneously affected.
The maritime cyber incident rate has continued climbing. According to CYTUR's 2026 Maritime Cyber Threat White Paper, the number of maritime cyber incidents in 2025 surged by 103% compared to 2024. The Port of Los Angeles now fends off an estimated 40 million cyber attacks per month — double pre-pandemic volumes.
Why Ports Are Uniquely Vulnerable
Resecurity's analysis of the Ancona attack frames a broader structural problem: the maritime sector's accelerating digitalisation is dramatically expanding its attack surface at a rate that far outpaces the development of cyber defences.
Ports are inherently complex, multi-stakeholder environments. A single port authority may operate or depend upon dozens of interconnected systems — terminal operating systems, customs clearance platforms, cargo tracking software, vessel traffic services, CCTV and access control infrastructure, and administrative platforms like the Office 365 and Azure environments exploited at Ancona. Each integration point is a potential entry vector. Each third-party vendor or managed service provider is a potential supply chain risk.
The economic pressure to digitise — to achieve the efficiency gains from automation, real-time tracking, and predictive logistics — is intense and commercially essential. But the cybersecurity investment to secure that digitisation has, in most port authorities globally, not kept pace. Outdated IT infrastructure, thin in-house security expertise, and the complexity of legacy operational technology environments that were never designed for network connectivity combine to create exactly the conditions that ransomware operators like Anubis are designed to exploit.
Critically, as the Ancona attack demonstrates, attackers do not even need to touch OT systems to cause significant disruption. A purely IT-based compromise — of the kind accessible through a single phishing email and misconfigured cloud accounts — is sufficient to cripple administrative operations, reroute vessels, delay cargo, and create the operational pressure under which organisations are most likely to pay.
Resecurity has projected that cyberattacks against port authorities and maritime operators will intensify markedly through 2030, as continuing digitisation widens the attack surface and criminal groups — as well as state actors — recognise the leverage that port disruption provides. A paralysed port is not merely an economic event. It is, as Resecurity's analysts noted, a demonstration that cyber attacks on maritime infrastructure can inflict disruption and economic damage comparable to kinetic military action.
The United Nations Security Council acknowledged this dimension explicitly at a high-level open debate in May 2025, highlighting cyberattacks and the malicious use of AI as critical risks to international shipping, global trade stability, and maritime security.
The Intelligence Risk Beyond the Ransom
The Ancona breach contains a dimension that the ransomware framing can obscure. The stolen port safety plans and security operations details are not merely embarrassing disclosures. They are operational intelligence of the kind that organised crime networks — smuggling organisations, insider threat recruiters, illicit cargo operators — are willing to pay for.
Ports are among the most challenging environments for detecting physical smuggling. They rely on layered security protocols, risk-based container inspection regimes, and intelligence from law enforcement partners. A detailed safety plan revealing patrol schedules, access point configurations, security camera blind spots, and response procedures to defined incident types is a significant degradation of that layered defence — potentially more damaging in its long-term effects than the operational disruption of the ransomware itself.
Resecurity noted this dual-use dimension explicitly, and it points to a threat model that goes beyond financially motivated ransomware. Nation-state actors, the firm observed, can use precisely the same tactics, techniques, and procedures as Anubis to achieve their own objectives at maritime infrastructure — both for grey-zone operations in peacetime and as components of broader conflict strategies.
What Needs to Change
The Ancona attack — like the Nagoya attack before it, and the DP World attack before that — is a demonstration of known, preventable failures. The initial access came through a phishing email. The lateral movement exploited insecure cloud account configurations. The exploit toolkit relied on known, patched vulnerabilities that remained unpatched.
None of this required novel adversary capability. All of it required only that defenders had not done the fundamentals.
For maritime infrastructure operators, the priorities are clear: mandatory multi-factor authentication across all internet-facing systems; rigorous and timely patching of known vulnerabilities, particularly in VPN and remote access infrastructure; network segmentation to limit the blast radius of any individual compromise; regular offline backups tested for restoration; and cybersecurity training that treats spear-phishing as an organisational risk, not an individual employee failure.
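The exposure triage below is an added example, not tooling from Resecurity or the port authority. It takes a constructed inventory of internet-facing assets and flags the two conditions the Exploitation Toolkit section documents as Anubis initial-access vectors: remote-access services without MFA, and builds older than the vendor fix for CVE-2025-26399 and CVE-2025-5777. The hostnames, version strings and the fixed-version map are assumptions; the fixed versions in particular are placeholders to be replaced with the vendor's actual patched builds.

```python
"""Triage internet-facing assets against the Anubis initial-access vectors.

Constructed example: inventory and version numbers are made up, and the
fixed-version map holds PLACEHOLDER values, not the vendors' real patch levels.
"""
from dataclasses import dataclass
import re

# Minimum patched build per CVE (product, version). PLACEHOLDERS (assumed).
FIXED_VERSIONS = {
    "CVE-2025-26399": ("solarwinds-whd", "99.0.0"),      # placeholder
    "CVE-2025-5777": ("netscaler-gateway", "99.0-0.0"),  # placeholder
}
# Products the article names as remote-access vectors when MFA is missing.
VPN_PRODUCTS = {"sonicwall-vpn", "cisco-ssl-vpn", "netscaler-gateway"}


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    mfa_enforced: bool


def parse_version(v: str) -> tuple:
    """Turn '14.1-43.56' or '12.8.3' into a comparable tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def triage(assets):
    """Return (host, severity, reason) findings, most severe first."""
    findings = []
    for a in assets:
        if not a.internet_facing:
            continue  # internal-only hosts are out of scope for this pass
        if a.product in VPN_PRODUCTS and not a.mfa_enforced:
            findings.append((a.host, "HIGH", "remote-access service without MFA"))
        for cve, (product, fixed) in FIXED_VERSIONS.items():
            if a.product == product and parse_version(a.version) < parse_version(fixed):
                findings.append((a.host, "CRITICAL", f"build predates fix for {cve}"))
    rank = {"CRITICAL": 0, "HIGH": 1}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


INVENTORY = [  # constructed sample data
    Asset("vpn1.example.invalid", "sonicwall-vpn", "7.0.1", True, False),
    Asset("helpdesk.example.invalid", "solarwinds-whd", "12.8.3", True, True),
    Asset("gw.example.invalid", "netscaler-gateway", "14.1-40.0", True, True),
    Asset("intranet.example.invalid", "solarwinds-whd", "12.8.3", False, True),
]

if __name__ == "__main__":
    for host, sev, why in triage(INVENTORY):
        print(f"{sev:8} {host}: {why}")
```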
The backups at Ancona meant the port authority recovered most of its data. The employee records, the contracts, and the security plans are still on the dark web. In maritime security, as in so many other domains, the difference between a recoverable incident and a lasting compromise is often determined long before the attackers arrive.
Sources: Infosecurity Magazine, Resecurity, Ports Europe, Trend Micro, KELA Cyber, Barracuda Networks, SOCRadar, CYTUR 2026 Maritime Cyber Threat White Paper, Dragos, Crisis24