An attack by the Anubis ransomware group on a port authority on the Adriatic has been cast as a warning to maritime infrastructure.

New analysis, published on June 11 by threat intelligence firm Resecurity, examined a cyber-attack which saw Anubis list the Adriatic Port Authority on its data leak site. 

The Adriatic Port Authority (Autorità di Sistema Portuale del Mare Adriatico Centrale), which runs the Italian port of Ancona, said the breach dated back to December 11 2025 and was attributed to Anubis in January 2026, when the group claimed it and leaked the data.

The authority put the loss at about 2% of its data, with backups preserving the rest, and described most of the stolen material as public or soon-to-be-public, though employee records reached the dark web. 

Resecurity's account went further, describing crippled operations, rerouted vessels and a reported $10m Bitcoin ransom demand.

Read more on ransomware at ports: Nagoya Port Faces Disruption After Ransomware Attack

The stolen data, according to Resecurity, included contracts, employee records and, more sensitively, port safety plans and details of security operations, the kind of information prized by groups involved in smuggling or insider recruitment.

The firm believes the attackers gained access through a spear-phishing email targeting staff at the company that manages the port, then laterally moved to core systems.

It said the attack did not need to target operational technology, working purely through IT weaknesses such as insecure cloud accounts managing Office 365 and Azure.

The Anubis Affiliate Machine

Anubis surfaced in December 2024 and launched an affiliate program in February 2025, renting out its toolkit through a ransomware-as-a-service (RaaS) model built around double extortion. It is unrelated to the older Android banking malware of the same name.

Rather than a flat cut, the group offers affiliates 80% for deploying ransomware, 60% for data extortion and 50% for initial access brokers. A model it boasts has earned more than $20m, with victims across healthcare, construction and engineering.

Resecurity tied the group to mass exploitation of internet-facing systems, often via known but unpatched flaws, including:

• SonicWall VPNs left without multi-factor authentication

• SolarWinds Web Help Desk (CVE-2025-26399)

• Cisco SSL VPNs

• The CitrixBleed 2 flaw (CVE-2025-5777)

Beyond the port itself, Resecurity placed the attack in a run of ransomware hits on ports, from Maersk to Japan's Nagoya, and warned that outdated port IT and thin cyber maturity leave the sector exposed as digitization widens the attack surface, a growing maritime security concern it expects to deepen through 2030.