Anubis Hit Port of Ancona for $10M; The Dark Fleet Is the Other Half
Anubis ransomware demanded $10M in bitcoin from Port of Ancona. A WSJ report found dark-fleet tankers running digital evasion tech. One attack surface.
Anubis ransomware hit Italy’s Port of Ancona in December 2025, and the group publicly claimed credit on January 14, 2026 with a $10 million bitcoin demand and a seven-day deadline. In June 2026, the U.S. Coast Guard told the Wall Street Journal that tankers in the dark fleet, sanctioned oil carriers from Iran and Russia, are running digital tools that risk the safety of ships, crews, and the environment. The two stories point to a maritime sector whose digital buildout has become its own attack surface, hit from opposite ends.
The Port of Ancona’s loss shows the surface extends to ordinary enterprise IT. Maritime’s parallel investment in shadow-fleet comms shows the same surface can be turned to offense.
The Phishing Email That Shut Down a Port
Italy’s Adriatic Port Authority oversees the Port of Ancona and runs the digital systems that handle cargo, customs, and crew logistics on the central Adriatic coast. Researchers at Resecurity traced the December 2025 compromise to a single spear-phishing email sent to an employee, according to threat intelligence re-reported by Industrial Cyber. Anubis took public credit for the breach in mid-January, the same reporting shows.
The attackers moved laterally, escalated privileges, and exploited unpatched systems. The ransomware encrypted systems supporting cargo tracking, shipping schedules, and customs processing. It also exfiltrated sensitive data, including contracts, employee records, and information about port security operations. Resecurity wrote that the attackers ‘targeted employees of the company that manages the Port Authority, considering them the weakest link in the chain due to their privileged access to the production systems and applications,’ per the full Anubis breach analysis.

What $10 Million in Bitcoin Buys
The Anubis operators demanded $10 million in bitcoin and threatened to publish the stolen data on the dark web if the demand was not met within seven days. The data was the leverage. Resecurity noted that the actors went after safety plans and information about security operations, with the firm warning that ‘such details may be extremely valuable to organized crime involved in smuggling, contraband, and insider recruitment.’
Authorities generally advised against paying the ransom. Reports indicated negotiations may have occurred to buy time for recovery, and the port authority worked with external threat-hunting specialists to contain the incident.
Recovery was slowed by outdated backup protocols, and the port authority’s IT team isolated affected systems to prevent the ransomware from spreading further. The bitcoin payment demand is not an isolated case of state-linked actors using crypto at sea. Iran’s state media this spring floated a separate plan to collect bitcoin-denominated insurance premiums from cargo owners moving through the Strait of Hormuz, captured in a separate report on Iran’s bitcoin insurance play for the Strait of Hormuz.
The Dark Fleet’s Hidden Network
On June 16, the Wall Street Journal published an exclusive based on a U.S. Coast Guard report. Coast Guard examiners had found that tankers ferrying sanctioned oil from Iran and Russia, the dark fleet, are running digital tools that risk the safety of the ships, their crews, and the environment. The WSJ’s exclusive post drew more than 53,000 views within hours, per the U.S. Coast Guard’s dark-fleet digital tools finding.
The technology on board enabled the vessels to maintain communications, coordinate activities, and obscure operational visibility, the Coast Guard’s findings show. It let sanctioned operators move crude across oceans while avoiding enforcement. The tools went beyond old-school evasion; they formed a coherent, networked digital infrastructure. That infrastructure let crews stay in touch, coordinate with sister ships, and stay invisible to monitoring systems.
The same week, the U.S. boarded a fifth sanctioned oil tanker, the Olina, as part of a broader blockade enforcement effort. France’s navy separately seized the Grinch, a shadow tanker carrying Russian oil, in the Mediterranean. Over 1,400 dark-fleet ships have moved sanctioned oil for years, according to a separate WSJ count, and many of the most-watched vessels now cluster east of Malaysia with no insurer identified.
The dark fleet’s tech is not improvised. Josh Marpet, senior product security consultant at Finite State, argues the communications and reconnaissance systems on these tankers are built on long-term, nation-state-level attempts to bypass blockades. The capabilities include private cell networks, radar, LiDAR, and scouting systems that warn tankers about searching vessels. Marpet said the reconnaissance infrastructure takes significant money and time to build. The pattern, he argued, mirrors what drug cartels have used for years to evade wiretaps.
Two Attacks, One Attack Surface
The Anubis claim against the Port of Ancona and the Coast Guard’s dark-fleet findings look like two different stories. One is a criminal ransomware crew extorting a port. The other is a government-monitored sanctions-evasion network. They share a digital foundation: a layer that maritime has built faster than its security has caught up.
| Anubis ransomware breach | Dark-fleet tanker tech |
|---|---|
| Port of Ancona, Italy | Sanctioned oil tankers from Iran and Russia |
| Spear-phishing email to a single employee | Purpose-built comms, networking, tracking systems |
| Office 365 and Azure account compromise | Private cell, satellite links, AIS spoofing |
| Cargo tracking, customs, contracts encrypted or stolen | Crew communications, vessel routing, coordination |
| $10 million in bitcoin demanded within seven days | Detection avoidance, not active attack |
| IT compromise, with no direct OT hit | Operational concealment from monitors |
The Anubis attackers entered through ordinary Office 365 and Azure accounts, not operational technology. The dark-fleet operators built a digital fortress that monitors have to crack. The common thread is the information layer: a phishing email compromised port IT, and a private satellite network helps sanctioned tankers vanish from monitors. The bottleneck is the same layer of bits and signals in both attacks. Whether the goal is a $10 million bitcoin payment or a sanctions-free voyage, the dependency is on the same digital backbone.
The Anubis Group Profile
Anubis is a ransomware-as-a-service operation that emerged in December 2024, according to Barracuda’s research. The group runs affiliate programs with revenue splits ranging from 50% to 80%, depending on the channel. Its differentiator is a destructive wiper that overwrites targeted files to zero bytes, leaving filenames intact, per the Anubis RaaS technical playbook.
- The wiper function is activated by a command-line parameter set before the attack runs.
- Encrypted files are renamed with the .anubis file extension.
- Ransom notes appear as RESTORE FILES.html in every affected directory.
- Anubis targets include Australia, Canada, Peru, and the United States.
- The data-extortion channel requires stolen data to be no older than six months.
The wiper raises a strategic question. If a victim’s files are overwritten, there is no reason to pay for decryption. The Anubis operators can still demand payment in exchange for not leaking the data, or sell the stolen data on the affiliate network. The result is a triple-threat operation: encrypt, leak, or wipe. A victim that refuses to pay for decryption can still be extorted over the stolen data, and the wiper destroys the source files regardless.
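A responder’s first question on an affected share is which of the three outcomes above they are looking at, because a wiped tree rules out any decryptor and makes backups the only recovery path. The triage scanner below is an added example, not Resecurity’s or Barracuda’s tooling; it walks a directory tree and collects the indicators the profile lists (the .anubis extension, the RESTORE FILES.html note, and zero-byte files whose names survived), and the sample tree it builds is constructed demo data, not evidence from the Ancona incident.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

NOTE_NAME = "RESTORE FILES.html"   # ransom note dropped in every affected directory
ENCRYPTED_EXT = ".anubis"          # extension appended to encrypted files

@dataclass
class TriageReport:
    notes: list = field(default_factory=list)      # directories holding a ransom note
    encrypted: list = field(default_factory=list)  # files carrying the .anubis extension
    wiped: list = field(default_factory=list)      # zero-byte files with original names kept

    def severity(self) -> str:
        # Wiped files mean a decryptor would not help; recovery is backups only.
        if self.wiped:
            return "wiper"
        if self.encrypted or self.notes:
            return "encryptor"
        return "clean"

def scan_tree(root: str) -> TriageReport:
    """Walk a directory tree and collect the three Anubis indicators."""
    rep = TriageReport()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                rep.notes.append(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                rep.encrypted.append(path)
            elif os.path.getsize(path) == 0:
                # Matches the wiper behaviour (content gone, filename intact). Legitimate
                # empty files also hit this, so it is a lead for the responder, not proof.
                rep.wiped.append(path)
    return rep

def build_sample_tree() -> str:
    """Constructed sample share mimicking a hit directory; not real incident data."""
    root = Path(tempfile.mkdtemp(prefix="anubis_triage_"))
    cargo = root / "cargo"
    cargo.mkdir()
    (cargo / NOTE_NAME).write_bytes(b"<html>constructed demo note</html>")
    (cargo / ("manifest.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (cargo / "schedule.docx").write_bytes(b"")      # wiped: 0 bytes, name intact
    (root / "readme.txt").write_bytes(b"untouched")
    return str(root)
```

Run `scan_tree(build_sample_tree()).severity()` to see the constructed tree classified as "wiper"; in a real response, point `scan_tree` at a mounted copy of the affected share rather than the live system.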
Researchers believe Anubis operators are based in Russia or another Commonwealth of Independent States country, based on Russian-language forum activity on RAMP and XSS. The group prohibits attacks on former Soviet states and specifically requests initial access to Western countries. Past victims include Disneyland Paris, Parkway Construction, an architecture firm involved in defense and aerospace facility construction, and Catawba Two Kings Casino.
The Anubis operation also has a hybrid revenue model. The traditional RaaS channel takes 20% and gives affiliates 80%. Under a separate data-extortion channel, affiliates hand over already-stolen data and collect 60% of what Anubis extracts. A third access-monetization track pays 50% to brokers who hand over corporate network credentials.
What the Experts See
John Strand, the owner of Black Hills Information Security, said the Anubis breach shows threat actors are increasingly strategic about which entry points they choose. ‘Attacks like this continue to demonstrate that threat actors are increasingly strategic in how they target systems. They are focusing on points of entry that allow them to maximize impact across multiple industries. By doing so, they significantly increase both the likelihood of receiving payment and the overall size of the payout.’ For ports, the next attack is more likely to be strategic, with attackers choosing entry points that maximize disruption across industries. State-linked actors have already shown they can wear ransomware masks, as an Iran-linked group called MuddyWater did in a three-month campaign documented in a separate report on how MuddyWater hid behind a ransomware brand.
‘If we’re seeing the same behavior come out of unsanctioned oil operations, then we’re talking about systems that have risen out of long-term nation-state-level attempts to bypass other nation states’ blockades and sanctions.’
Josh Marpet, senior product security consultant at Finite State, drew a direct line between the dark-fleet tankers and the playbook drug cartels have used for years. The cartels have long relied on private cell phone networks, radar, and LiDAR to evade wiretaps and maintain communications, he said, and the dark-fleet tankers run a similar stack. The infrastructure costs and effort rule out an improvised setup, Marpet said, and the capability points to a cyber security group or military cyber warfare group with signals-intelligence functions.
Frequently Asked Questions
What is the Anubis ransomware group?
Anubis is a ransomware-as-a-service operation that emerged in December 2024. The group’s signature trait is a destructive file-wiping function that overwrites targeted files to zero bytes while leaving filenames intact, a capability that removes the leverage of a decryption key, according to Barracuda. The group runs three revenue channels, with affiliate revenue splits ranging from 50% to 80%.
How did attackers breach Italy’s Port of Ancona?
Attackers entered through a spear-phishing email sent to an employee of the Adriatic Port Authority, Resecurity’s analysis shows. From that single email, the attackers escalated privileges and moved laterally across the network, encrypting cargo tracking, shipping schedules, and customs processing systems before exfiltrating contracts, employee records, and information about port security operations.
What did the U.S. Coast Guard find on dark-fleet tankers?
The U.S. Coast Guard found that tankers ferrying sanctioned oil from Iran and Russia are running digital tools that risk the safety of the ships, their crews, and the environment. The Wall Street Journal reported the findings on June 16, 2026. The technology enabled the vessels to maintain communications, coordinate activities, and obscure operational visibility while avoiding sanctions enforcement.
How much did the Anubis gang demand from the port?
Anubis demanded $10 million in bitcoin with a seven-day deadline, threatening to publish contracts, employee records, and information about port security operations on the dark web. Recovery was slowed by outdated backup protocols, and the Port Authority isolated affected systems and brought in external threat-hunting specialists to contain the incident.
What makes the maritime sector an attractive target?
Maritime is attractive for two reasons. First, ports run on enterprise IT systems like Office 365 and Azure, with the same phishing and privilege-escalation risks as any other enterprise, and the Anubis attack entered through that exact layer. Second, downtime is unusually costly: the Port of Ancona could not process incoming and outgoing shipments during the attack, forcing vessels to reroute to alternative ports and disrupting normal cargo operations, Resecurity reported. The dark-fleet findings show the same digital layer is also attractive for offensive use, not just defensive risk.