Ransom Deadline Given By LockBit in Port of Lisbon Attack

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Dec 29, 2022 01:45 pm PST

The third largest port in Portugal has gone offline after the gang launched a ransomware attack on Christmas Day. Although this does not affect its operational activity, there has been nearly a week of extreme ambiguity, and LockBit claimed responsibility for the Port of Lisbon cyberattack.

Visitors can still not access the main website, and no activity has been recorded since the attack. The Port of Lisbon, known as the pillar of the Portuguese economy for hundreds of years, brought commerce and employment to the people.

The threat group has set January 18 as the deadline for payment and has stated that failure to do so could be detrimental to the Port of Lisbon. If the port fails to meet the demands of the Russian threat actor, the stolen data will be made public. LockBit ransomware gang uploaded Port of Lisbon to its leak site, a darknet website where cybercriminals announce their victims.

LockBit Badly Hit Port Of Lisbon And Made Demands.

According to the threat group’s post, the stolen data includes financial reports, company audits, budgets, contracts, cargo, ship logs, information about crew members, personal data of customers, and port documentation, among other vital Port of Lisbon information.

The unexpected drop in website uptime suggests that some critical infrastructure has been compromised. According to Portugal’s national daily newspaper Pblico, the corporation stated, “all security protocols and emergency mechanisms established for this type of situation were swiftly implemented.”

LockBit, on the other hand, has put the port authorities in a bind by providing bargaining alternatives to protect the data. To coerce victims into paying the ransom, threat actors would often make public whatever files were compromised. LockBit requests nearly $ 1.5 million to download or delete the data obtained.

According to the report, security protocols have begun to mitigate the attack, and the National Cybersecurity Center and the Judiciary Police are monitoring the situation. The Port of Lisbon Administration (APL) is also working with competent authorities to minimize damage and protect the port’s systems, security, and data.

Operations In Port Of Lisbon In Portugal

The Port of Lisbon is Portugal’s most prominent and busiest port, as well as a major transportation hub. It receives over 3,500 ships per year and handles 13.2 million tonnes of cargo and 555,000 TEU (twenty-foot equivalent units).

It is divided into two sections: commercial and recreational ports. The commercial port is in charge of a wide range of cargo, such as container ships, bulk carriers, and roll-on/roll-off (RoRo) vessels.

This port is critical to the city of Lisbon’s economy, serving the manufacturing, industrial, and tourism sectors. Lisbon port, in addition to its commercial function, is a popular tourist destination, attracting recreational boaters and yachts.

Various advanced technologies have been implemented by the port over the years to improve efficiency, reduce environmental impacts, and improve safety and security. These technologies are linked to electronics and computers, and a cyber-attack on any of these technologies or machinery can have serious consequences for the city and its residents.

Previous Attacks By The Notorious CyberGang

Over 1,200 businesses worldwide fell victim to LockBit in 2022, making them the most successful ransomware gang of that year. On the first of this month, the gang’s members broke into the California Department of Finance.

In two successive quarters, LockBit and its associates accounted for nearly a third of all ransomware attacks targeting enterprises, according to research by threat intelligence firm Digital Shadows.

As breaches encourage international cooperation between law enforcement authorities, the gang’s global notoriety is becoming an issue. Credible sources have told Reuters that the FBI is looking into LockBit’s hack of the German auto parts manufacturer Continental.

LockBit’s success can be attributed to the team’s unusually business-focused attitude and the sophistication of its technology. The organization has done things more commonly associated with software companies than criminal cartels, such as establishing a bug bounty program and providing customer assistance.

When My Files Are Encrypted By LockBit, What Should I do?

Like DarkSide and REvil, LockBit is a cybercriminal organization that offers its services as ransomware as a service (RaaS). LockBit uses an affiliate arrangement to make its ransomware platform available to other businesses and individuals. Any ransom money obtained through the use of LockBit is split between the consumer initiating the attack and the LockBit gang.

Malware researchers have linked LockBit to the LockerGoga and MegaCortex families. It uses similar TTP’s as other malicious attacks, such as the capacity to spread automatically to new targets, the use of targeted attacks as opposed to spamming or randomly hitting organizations, and the reliance on underlying tools like Windows PowerShell and Server Message Block (SMB).

  • Immediately cut your computer off from the internet.
  • You should avoid communicating with the aggressors because they are experts at taking advantage of naive individuals and organizations.
  • You should notify the police about the incident. Take a look at our directory to find contact information for the appropriate departments.
  • Make sure the infected device is turned off.
  • Lockbit may keep encrypting your data in the background if you just leave it alone.
  • Consult with professionals. 
  • You need to get some assistance right away.


Over the holidays, a cyberattack was launched on the Port of Lisbon management. The company’s website was down at the time this piece was written, but the administration of Portugal’s third-largest port insisted the attack had no effect on operations. The nature of the incident or its perpetrators was not specified by the Portuguese authorities. However, Port of Lisbon was posted by the LockBit ransomware group to its leak site, a dark web portal where thieves publicize their victims.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Mark Lamb
Mark Lamb , CEO
InfoSec Expert
December 29, 2022 10:26 pm

If the attackers behind this attack are being honest, it looks like they have stolen almost all data belonging to the Port, which will put the business in a very vulnerable position.
Now the data is the hands of the attackers, the Port has two options, ignore the threat and leave the data with the criminals and rebuild from scratch, or pay the demand and hope the attackers delete the data in return. But neither option is favourable.
This incident once again highlights that preventing attacks is far easier than recovering from them.
Organisations must focus on their defences and cyber resilience first.
Defences must be layered, proactive and solid, as any gaps will be exploited by adversaries. Keeping systems up to date, teaching employees to be vigilant for phishing scams and email-based threats, and implementing robust malware detection solutions and zero trust models are all critical pillars that should go into ransomware defences.

Last edited 9 months ago by Mark Lamb

Recent Posts

Would love your thoughts, please comment.x