Retrospective Analysis | $6M ransom demanded | Ransomware — Rhysida

FlySafe was not operational during this event. This analysis reconstructs publicly available signals to demonstrate how predictive airspace intelligence could have provided advance warning.

Seattle-Tacoma Airport Ransomware Attack
August 2024 — $6M Ransom, Handwritten Boarding Passes

On August 24, 2024, the Port of Seattle discovered that Rhysida — a ransomware gang linked to Russian-speaking cybercriminals — had infiltrated Seattle-Tacoma International Airport's IT systems. Baggage handling displays, flight information screens, Wi-Fi, the airport website, and the SEA Visitor Pass system all went dark. Check-in kiosks failed. Airlines resorted to handwritten boarding passes. The attackers demanded $6 million in Bitcoin and exfiltrated approximately 90,000 personal records including employee Social Security numbers and passenger data. The Port refused to pay. Systems remained degraded for over three weeks. Sea-Tac is the 8th busiest airport in the United States, serving 50+ million passengers annually.

  • $6M: Ransom demanded
  • 90K: Records exfiltrated
  • 3+ weeks: Systems degraded
  • 50M+: Annual passengers affected
1. What Happened

On August 24, 2024, the Port of Seattle — the government body that operates Seattle-Tacoma International Airport (SEA) — detected a ransomware intrusion that would paralyze one of North America's busiest aviation hubs for more than three weeks. The attack was carried out by Rhysida, a Russian-speaking ransomware-as-a-service (RaaS) gang that had previously targeted hospitals, government agencies, and critical infrastructure across Europe and North America. At SEA — the 8th busiest airport in the United States, handling more than 50 million passengers per year and serving as a primary hub for both Alaska Airlines and Delta Air Lines — the consequences were immediate and visceral.

Unlike attacks on flight safety systems, which are physically separated and air-gapped, Rhysida's intrusion penetrated the airport's operational IT layer: the systems that passengers and ground crews depend on for every departure. Baggage handling displays went dark. Flight Information Display Systems (FIDS) across all terminals became inoperable. Public Wi-Fi networks were severed. The airport's public-facing website went offline. Check-in kiosks stopped functioning. Gate agents across the facility reverted to pen and paper, issuing handwritten boarding passes — a scene last common in the pre-digital era of commercial aviation. The Port of Seattle refused to pay the $6 million Bitcoin ransom demanded by Rhysida, triggering the gang's retaliation: the public release of approximately 90,000 stolen records containing employee Social Security numbers and passenger data.

Threat Actor Profile: Rhysida Ransomware Gang

Russian-speaking RaaS group first observed in May 2023. Known for double-extortion tactics — encrypting systems while exfiltrating data for leverage. Prior targets include the British Library, Prospect Medical Holdings, and the Chilean Army. The FBI and CISA issued a joint advisory on Rhysida in November 2023 warning of its aggressive targeting of critical infrastructure sectors.

Target Profile: Seattle-Tacoma International Airport (KSEA)

8th busiest US airport by passenger volume. Over 50 million annual passengers. Primary hub for Alaska Airlines and a major Delta Air Lines gateway to the Pacific Northwest and trans-Pacific routes. Operated by the Port of Seattle, a special-purpose government entity — a common target profile for ransomware groups exploiting underfunded public-sector IT infrastructure.

2. Warning Signs

The Sea-Tac attack did not emerge from a vacuum. In the months preceding August 2024, a constellation of threat-intelligence signals pointed toward elevated cyber risk for US airport infrastructure — signals that, in hindsight, formed a coherent threat picture. Commercial aviation cybersecurity frameworks, including guidance from CISA and ICAO's Aviation Cyber Security Strategy, explicitly flag IT-OT convergence at large hub airports as a systemic vulnerability. Several precursor indicators were observable through open-source and commercial threat intelligence channels.

Rhysida RaaS Activity Surge — H1 2024 [CRITICAL]

Rhysida recorded a 340% increase in claimed victims between Q4 2023 and Q2 2024 following the FBI/CISA advisory. Threat intelligence platforms tracked active Rhysida infrastructure expansion and new affiliate recruitment on dark-web forums through mid-2024. The gang had explicitly pivoted toward government and public-infrastructure entities — a profile that matches a Port of Seattle authority precisely.

US Airport IT Infrastructure Vulnerability Disclosures [CRITICAL]

The TSA's March 2023 cybersecurity amendments to aviation security programs (49 CFR Part 1542) were still being implemented across major US airports through 2024. Compliance gaps — particularly around network segmentation between passenger-facing IT and operational systems — were documented in GAO reports as recently as 2023. Airports operating under legacy FIDS and baggage IT architectures were flagged as highest-risk.

Public-Sector Ransomware Targeting Pattern — Pacific Northwest [HIGH]

The 12 months prior to the Sea-Tac attack saw ransomware incidents at Seattle Public Schools, King County-affiliated agencies, and several Washington State municipal bodies. This regional clustering is consistent with affiliate-driven targeting, where Rhysida operators sell access to compromised networks acquired through initial-access brokers who have already established footholds in the region.

Summer Travel Volume Peak — Operational Pressure Window [HIGH]

Late August represents peak summer travel demand at SEA, with trans-Pacific leisure traffic, returning university students, and Labor Day holiday bookings compressing operational capacity. Ransomware groups deliberately time attacks against infrastructure during high-volume periods to maximize coercive pressure and increase the probability of ransom payment. The timing of August 24 — days before Labor Day weekend — was not coincidental.

FIDS and Baggage System Single-Vendor Dependency Risk [MEDIUM]

Industry-wide, major US airports rely on centralized IT platforms for FIDS, baggage reconciliation, and kiosk management — creating systemic single points of failure. A successful lateral movement from any networked system into these platforms can cascade across all passenger-facing touchpoints simultaneously, as the Sea-Tac event demonstrated.

3. Timeline

PRE-ATTACK — MID-2024

Rhysida affiliates likely achieve initial access to Port of Seattle network infrastructure via phishing or exploited VPN credentials — consistent with the gang's documented intrusion methodology. Dwell time before encryption typically ranges from 17 to 45 days for Rhysida campaigns, suggesting compromise may have occurred as early as July 2024.

AUG 24, 2024 — ATTACK DETECTED

Port of Seattle IT teams detect the ransomware deployment. Rhysida's payload encrypts critical operational systems simultaneously. FIDS screens go blank across all SEA terminals. Baggage carousel information displays fail. Check-in kiosks become inoperable. The airport's public website is taken offline as a precautionary measure. Wi-Fi networks across the facility are severed.

AUG 24–25, 2024 — HANDWRITTEN BOARDING PASSES

Alaska Airlines and Delta Air Lines ground crews — both operating major hub operations at SEA — resort to manual check-in procedures. Gate agents issue handwritten boarding passes. Security screening lines extend as TSA PreCheck and automated lane systems operate at degraded capacity. Passengers report hours-long delays. FBI is notified and launches a federal investigation under its Cyber Division.

LATE AUG 2024 — RANSOM DEMAND ISSUED

Rhysida formally demands $6 million in Bitcoin from the Port of Seattle. The demand is accompanied by proof-of-exfiltration: samples of stolen data including employee personally identifiable information and passenger records. The Port of Seattle convenes emergency sessions with leadership and legal counsel to evaluate the demand.

EARLY SEP 2024 — PORT REFUSES TO PAY

The Port of Seattle publicly announces it will not pay the ransom, citing FBI guidance against payments and the absence of guarantees that decryption keys would be delivered or that exfiltrated data would not be published regardless. Port Executive Director Steve Metruck confirms the decision, stating the organization would pursue recovery through internal resources and federal assistance.

SEP 2024 — DATA LEAK PUBLISHED

Following the Port's refusal to pay, Rhysida publishes approximately 90,000 stolen records on its dark-web leak site. The dataset includes employee Social Security numbers, driver's license information, and passenger personally identifiable data. Port of Seattle initiates breach notification procedures under applicable state and federal law. Affected individuals begin receiving notification letters.

SEP–OCT 2024 — GRADUAL RECOVERY

Systems are restored progressively over a period exceeding three weeks. FIDS displays return to partial operation. Kiosk functionality is restored terminal-by-terminal. The Port engages external cybersecurity forensics firms to conduct root-cause analysis and harden the network against reinfection. Recovery costs — including forensics, legal fees, system rebuilding, and breach notification — are estimated in the tens of millions of dollars.

ONGOING — FBI INVESTIGATION

The FBI Cyber Division continues its investigation into the Rhysida group. The attack on Sea-Tac contributes to a broader federal intelligence picture on Rhysida's operational infrastructure and affiliate network. No arrests have been publicly announced. The Port of Seattle cooperates fully with federal investigators.

4. Aviation Impact

No flight safety systems were compromised — avionics, ATC communications, and instrument landing systems operate on air-gapped networks physically isolated from airport IT infrastructure. However, the operational layer of aviation — everything that moves passengers from curb to gate — collapsed almost entirely. The distinction matters: Rhysida demonstrated that an attack does not need to touch a flight management computer to cause system-wide aviation disruption. Operational chaos at scale is achievable purely through passenger services IT.

$6M: Bitcoin Ransom Demanded

Rhysida's demand of $6 million in Bitcoin represented a calculated figure: large enough to reflect SEA's scale as the 8th-busiest US airport, but potentially achievable for a government entity facing tens of millions in recovery costs. The Port of Seattle declined to pay, accepting the data leak as an alternative outcome.

90,000: Records Exfiltrated

The stolen dataset encompassed employee Social Security numbers, driver's license data, and passenger personally identifiable information. Published on Rhysida's dark-web leak site following the Port's refusal to pay. Affected individuals faced ongoing identity theft risk, prompting credit monitoring notifications and potential class-action exposure.

3+ Weeks: Degraded Operations

Systems including FIDS, baggage displays, Wi-Fi, website, SEA Visitor Pass, and check-in kiosks remained degraded for more than three weeks post-attack. Alaska Airlines and Delta Air Lines — both operating major hubs at SEA — bore the greatest operational burden, managing high passenger volumes through manual fallback procedures across multiple concourses.

50M+: Annual Passengers at Affected Airport

Sea-Tac's passenger volume of over 50 million per year makes it a critical node in North American aviation. During the late-August peak travel window, the airport processes tens of thousands of departures daily across Alaska Airlines, Delta, Southwest, United, and international carriers. Even partial degradation of check-in and baggage systems compresses this throughput significantly.

Systems Affected — Operational Cascade

  • Baggage Information Displays
  • Flight Info Displays (FIDS)
  • Public Wi-Fi Networks
  • Airport Website
  • Check-in Kiosks
  • SEA Visitor Pass System

5. Takeaway for Airspace Risk Intelligence

The Sea-Tac ransomware event redraws the boundary of what constitutes an aviation risk event. For decades, airspace risk frameworks focused exclusively on meteorological, geopolitical, and technical flight-safety threats — volcanic ash, conflict zones, ATC outages, NOTAMs. The Rhysida attack demonstrates that cyber incidents targeting airport IT infrastructure can produce operational disruptions equivalent in passenger impact to a significant weather event or airspace closure, without touching a single safety-critical system.

From an airspace intelligence perspective, this event belongs in the same risk taxonomy as a major NOTAM system failure (January 2023, FAA), a GPS spoofing campaign (Middle East 2023–2024), or a volcanic ash advisory. All share the same core characteristic: they degrade the operational environment for flights at scale, force airlines into contingency procedures, and create unpredictable passenger flow disruption that cascades across the network. An Alaska Airlines crew positioning at SEA for a trans-Pacific departure on August 24 faced the same fundamental uncertainty as a crew navigating around a volcanic ash cloud — incomplete information, degraded ground support, and manual fallback.

The precursor intelligence was available. Rhysida's escalating activity against public-sector infrastructure, the regional clustering of ransomware incidents in the Pacific Northwest, the known vulnerability profile of FIDS and baggage IT architectures, and the deliberate targeting of peak travel windows were all observable signals. The gap was integration: no platform synthesized cyber threat intelligence with airport operational risk profiles and surfaced the combined signal to operators who needed it.

FlySafe Detection Model — What Would Have Been Flagged

FlySafe's cyber-operational risk layer monitors threat intelligence feeds tracking active ransomware campaigns against airport and port authority infrastructure. In the weeks prior to August 24, 2024, FlySafe's indices may have registered an elevated Operational Disruption Risk score for KSEA based on three converging signals: (1) Rhysida RaaS activity surge with documented targeting of US public-sector entities, (2) regional incident clustering in Washington State public infrastructure, and (3) the late-August peak-volume window historically correlated with opportunistic ransomware timing. A KSEA Cyber-Operational Advisory may have been issued to subscribed operators — Alaska Airlines, Delta, and freight carriers — recommending review of manual check-in contingency plans, passenger communication templates, and ground crew staffing buffers for the Labor Day window. No prediction of the specific attack date or vector is claimed; what FlySafe provides is elevated risk awareness that enables operators to pre-position contingency resources before the event, not scramble for them afterward.

Broader Implication — Cyber Risk as Airspace Risk

The TSA's 2023 cybersecurity amendments to aviation security programs recognized this convergence formally — but regulatory compliance timelines lag threat actor timelines. For operators making network planning, scheduling, and crewing decisions in real time, the relevant question is not whether a given airport is TSA-compliant but whether its current threat posture warrants contingency activation. FlySafe treats cyber incidents affecting ICAO-designated airports as first-class airspace risk events, alongside meteorological, geopolitical, and NOTAM-category threats — because from the perspective of a flight departing or arriving at an affected airport, the operational consequence is identical.

Sources

  • Port of Seattle — Cybersecurity Incident Update, September 2024. Official incident timeline and breach notification communications from the Port of Seattle communications office.
  • BleepingComputer — Rhysida Ransomware Claims Seattle-Tacoma Airport Attack. Technical analysis of Rhysida's leak site posting and exfiltration claims, including dataset scope and Bitcoin ransom demand documentation.
  • The Seattle Times — Sea-Tac Airport Cyberattack: What We Know. Ground-level reporting on passenger impact, airline response, handwritten boarding pass documentation, and Port of Seattle executive statements.
  • CNN — Seattle Airport Hit by Ransomware, Passengers Get Handwritten Boarding Passes. National coverage of operational disruption scope and airline contingency procedures during the initial attack window.
  • FBI / CISA — Advisory on Rhysida Ransomware Group (AA23-319A), November 2023. Joint advisory detailing Rhysida's TTPs, targeting patterns, double-extortion methodology, and critical infrastructure sector focus including government entities.

This is a retrospective analysis of publicly documented events. FlySafe's prediction system was not operational during this event. All information is sourced from public records, aviation authority publications, airline statements, and open data.

This case study is based on publicly available information and official investigation reports. It does not constitute an operational assessment or safety recommendation. Always consult official sources (ICAO, EASA, FAA) for current airspace conditions.