SSA targeted in ransomware attack


Updated at 5:30 pm

The Steamship Authority is the target of a ransomware attack, which has disrupted its website and reservation system — disruptions SSA officials now expect to continue into Thursday, according to an update Wednesday evening.
In an emailed statement Wednesday morning, Sean Driscoll, SSA spokesman, wrote that the SSA “has been the target of a ransomware attack that is affecting operations as of Wednesday morning. As a result, customers traveling with us today may experience delays. A team of IT professionals is currently assessing the impact of the attack. Additional information will be provided upon completion of the initial assessment.”

The email from Driscoll came from an unfamiliar address. He told The Times in a text message that the SSA’s email system is down.

This morning, as customers boarded, a purser was unable to scan cards, and vehicles were not issued a boarding pass. 

In an update at 12:30 pm, Driscoll wrote that the issue remains unresolved and under investigation. “The Authority continues to work internally, as well as with federal, state, and local authorities, to determine the extent and origin of the attack,” he wrote. “There is no impact to the safety of vessel operations, as the issue does not affect radar or GPS functionality. Scheduled trips to both islands continue to operate, although customers may experience some delays during the ticketing process.”

An alert on the SSA’s reservation page notifies customers of the problem. “Unfortunately, we have run into an error we were unable to recover from,” the alert states. “We’ve been notified of the error, and will look into it right away. In the meantime, feel free to hit back and try again.”

But that will only result in futility.

“Customers are currently unable to book or change vehicle reservations online or by phone. Existing vehicle reservations will be honored at Authority terminals, and rescheduling and cancellation fees will be waived,” Driscoll wrote. “If traveling with the Authority today, cash is preferred for all transactions. The availability of credit card systems to process vehicle and passenger tickets, as well as parking lot fees, is limited. Additional information will be provided as it becomes available.”

Jim Malkin, the SSA’s Vineyard representative, said whoever the people are behind the attack, they are criminals. 

“Technology has brought some good to the world and some bad,” Malkin said. “And this is bad, and the Steamship Authority, like many other businesses in the U.S. and across the world, is dealing as best they can, as quickly as they can, with the havoc wreaked by these criminals.”

Gwyneth Wallace commented on The Times Facebook post, saying, “Scary! I’m in standby and had to pay cash — couldn’t process a credit card. That being said, boats, loading etc., is still running smoothly.”

At around 5:15 pm Wednesday, the SSA issued an update saying they continue to work with their internal team, as well as local, state and federal officials on the attack. “At this point, we are unable to release or confirm specific details of what occurred,” Driscoll wrote. “The ticketing processes, including online and phone reservations, are expected to continue to be affected on Thursday, June 3, 3021.”

He reiterated that the SSA will honor existing reservations and will reschedule trips without fees.

“Scheduled trips to and from the islands continue to operate safely as scheduled, although some delays in the ticketing process may occur,” Driscoll wrote. Driscoll asked customers to be prepared to use cash on Thursday.

“We thank our customers for their patience today, and we thank our employees for their hard work and grace under pressure,” he wrote.

According to Petty Officer Amanda Wyrick, a spokesperson for the U.S. Coast Guard, the agency has been briefed on the situation. The Massachusetts State Police Cybersecurity unit is taking the lead in the case, she said.

According to the Cybersecurity and Infrastructure Security Agency, “ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable,” usually with a demand of some form of payment. The attacker may threaten to leak or sell stolen data if the ransom isn’t paid. Ransomware attacks have been an increasing cyber threat. According to the Guardian, the Colonial Pipeline was hit by a ransomware attack by the East European group called DarkSide in May, and the hacker collective called REvil hit the world’s largest meatpacking company, JBS, with a ransomware attack on Wednesday, according to CNBC. Recent attacks with societal consequences, such as the Colonial Pipeline attack and the oil shortage, have prompted calls from President Joe Biden to improve cybersecurity measures.

Adam Darack, an information technology specialist on the Island, said ransomware is scary stuff. “Technology is a double-edged sword. It’s scary, especially with major transportation hubs, like the SSA,” he said. “Everybody is a target, for sure. Certain targets are juicier than others, unfortunately. This is the type of stuff that keeps us up at night.”

In a tweet, state Rep. Dylan Fernandes, D-Falmouth, wrote that he’s been in touch with the State Police and SSA, and is monitoring the situation. “The boats are not impacted and passenger service remains as scheduled, but may experience delays,” he wrote.

Updated with the latest from the SSA. Reporter Rich Saltzberg and intern Eunki Seonwoo contributed to this story.


  1. Perhaps this ransomware attack will lead the SSA to stop gouging residents (why, oh why do I need to pay for 2 parking passes for 2 cars when we could just rotate using 1) and stop raising prices to untenable levels…Is there any government oversight into how much/often they raise these prices, and their rules?

      • What will it cost to make the SSA hacker proof?
        Either way it is just another cost of doing business.
        Like stores and the ‘inventory shrinkage’ problem.
        There is no such thing as zero

    • I do not see how this attack was precipitated by, or would be relieved by, any variance or nonvariance in their prices. Ransomware attacks happen because a) someone didn’t know what not to do, at the same time as b) the company wasn’t prepared to react to it.

      Whether they pay the ransom will depend on a combination of their particular backup policies, how well those policies were followed, and how much transactional data loss they’re willing to accept.

      If they do pay it, then perhaps we can hope that they have insurance for that…

      • It was a bit tongue in cheek, I am aware that this has no correlation with their prices.

        It’s just generally appalling to me how they operate, how they put islanders at a disadvantage, and they effectively have a legal monopoly to treat customers poorly and raise prices to their heart’s content.

  2. Adherence to best practices that have been established among computer nerds since the 1960s would have prevented any such attack from doing meaningful damage, and even the most basic modern “internet stranger danger” training would have prevented it from happening at all.

    I’m sure the consultants are explaining this to the SSA brass as we speak, and I don’t doubt that Adam has it well in hand. Still, if you need additional experienced I.T. hands, please feel free to reach out to me.

      • I’m currently an infrastructure & automation analyst for a company that sells high-end websites to high-end schools. I work full time remote from Chappy.

        If you’ve had any contact with the I.T. world then you know that our titles tend to be almost as nonliteral to ourselves as they are to laypersons. In reality, these days I’m mostly doing network architecture, and automated remote server and laptop management.

        This incident is not, ultimately, a security event, although that’s surely how it seems in the moment. It’s a failure of architecture, and to a lesser extent it’s a failure of personnel training.

        Somehow, some bit of malware got in. Unless browsing the web is absolutely prohibited – and prevented via infrastructure – not to mention any accessible USB ports and DVD-ROM drives hotglued shut, then employee discipline is the only thing stopping malware intrusion. Even in highly technical shops, it happens now and then. It’s not inevitable, but it’s hard to stop, and carries a cost of morale to do it with stern policies alone. There are training resources out there, but this isn’t the real breakdown.

        It’s the next step and the step after that caused the trouble. The malware (ransomware, in this case) was able to affect files that were crucial to operations, and that’s where the system designer failed to put sufficient barriers in place. It’s not supposed to be possible for one errant workstation to do that sort of damage to a shared resource; alternately, this is why one isn’t supposed to log in to the central server and browse the web, or even play solitaire.

        The final and most serious failure was the lack of appropriate backups. To be fair, in the SSA’s case, this is sure to be a hard and pricey problem. To gain the ability to roll back to the state before the infection, very frequent backups are needed, plus a rolling log of recent transactions so that those last few minutes of reservations can be manually fixed.

        In short, preventing this from happening again isn’t the job of security personnel, it’s the job of competent systems architects and software developers.

        Chasing security, in this case, is endless whack-a-mole that’s not going to solve the problem in the long run, but will cause lots of pain in the short term. This is not a case where an ounce of prevention is worth a pound of cure. This is a situation where the recovery plan should be among the very top business priorities, and the data systems designed around it.

      • It occurs to me that my long reply seems to contradict some things I said in my first post.

        The best practices I spoke of are, particularly, the importance of backups, and a backup strategy that’s tailored to the needs of the operation; and the general principle of least necessary privilege driving architectural design decisions. That’s not something one can buy off a shelf after the fact – it’s got to be in the forefront of one’s mind all the time. In this case, it seems like some retro-engineering would be necessary.

        About the “stranger danger” comment. What I meant was, knowing what not to click on. There’s a company out there, “knowbe4”, that does training and then sends fake attacks to employees to make sure they know phishing and social engineering attempts when they see them. It’s my belief that this crippling of operations most likely resulted from someone clicking on a link they shouldn’t have, or sticking a USB stick or DVD into a computer that they shouldn’t have. That sort of training would surely help the odds of that happening, but it isn’t an absolute. Draconian policies can be an absolute, but they’re no fun to live under, and they’re most often seen in environments where uniforms and rifles are the final layer of security.

        Another possibility is that some remote exploit let a bad guy gain administrative control over a critical computer. By “remote exploit” I mean a flaw in the server’s operating system or application software. These inevitably crop up in all software; frequent patching closes vulnerabilities once they’re found, but there’s always a window of weakness, and the possibility of new flaws being discovered and exploited before a fix is available. This is where resilient architecture comes into play.

  3. One wonders what the IT staff, and the SSA management to whom they report, were doing when they should have been planning for, and preventing, this attack.

    • They were probably screaming for the necessary budget, either in time, money, or both.

      It’s regrettably common for businesses to see the I.T. department as a sunk cost, like janitorial or secretarial labor; something you just have to do to be in business. The most successful and dynamic ventures view their I.T. department as a core enabler of the business, a strategic partner in their own right.

  4. One wonders how much it would cost to make the SSA hack proof?
    The technology already exists.
    Pencil and paper.
    Tin cans and string.

    • I’d have to see what exactly they’re running. Guessing they have a fairly large dataset and a substantial fleet of servers, it could be anything from a quarter million to a handful of millions to implement a rolling snapshot strategy that could turn back time to the hour before the next attack.

      That’s a stopgap, even if it is a good one. A more proper strategy would analyze their technology stack in its entirety, and make architectural changes to improve fundamental resilience against any sort of attack, while minimizing the backup/restore requirement.

  5. Well, the cyber security “experts” have been sounding the alarms for years.
    Not much has happened on the federal level for the last 5 years.
    We have lost valuable time. We have snoozed– and we have loozed —
    For those of you who think the internet and cyber security issues should not be included in President Biden’s infrastructure plan, please think again.

  6. As an IT professional with more than 40 years of experience, my heart goes out to the SSA IT staff. Ransomware attacks have been increasing in sophistication, frequency and reach *exponentially* in the last six months; technological defenses and budgets to deploy them have not kept up with that pace. Even the best run, best staffed and best funded IT departments are vulnerable to attack, and even if you have the best contingency and recovery plans, after losing your entire network in a matter of minutes it takes time to sort through the wreckage, find out the source and neutralize it – otherwise your recovery will be moot – and reset everything. This is not a lone home computer we are talking about but sophisticated interconnected systems; you can’t just wipe and restore from backup. Many, many people will be working 24 hour shifts to get the SSA systems back up, cut them some slack.

    • I don’t wish to dispute most of what you’ve said, but in fact wiping and restoring from backup is exactly how these things are dealt with. The only alternative is paying the ransom. “Not letting it happen” is impractical. It’s just a lot of separate backups all at once, and yes, vastly more complicated than a single PC.

      It’s entirely possible to have one’s production operations set up so that all 300 (or however many) servers can be rolled back to the state they were in 6 hours ago, operating systems and data, the whole nine yards, and fairly quickly.

      It takes a great deal of pre-planning to pull something like that off, of course.

      • The detail is in the “fairly quickly”, how long is that, it is never ever instantaneous. And as I said before, just rolling back without detecting and neutralizing the source of the attack internally, which could have been dormant for weeks or months before triggered, just exposes you to reinfection, just like paying the ransom does not guarantee they won’t hit you again.

        • “Fairly quickly” in the context of a multi-terabyte database could mean a few minutes, with the right technologies in place. I used to work for a company that built exactly that.

          You’re correct that rollback alone isn’t really enough to guarantee a clean state. What one really needs is known-good, read-only operating system images for each class of server, hourly backups of the data sets, and a human-readable rolling transaction log to deal with that last partial hour. All of that needs to be kept on isolated systems that aren’t vulnerable to infection – which really isn’t hard. Just don’t use Microsoft products. Nearly all viruses are written for that platform, and most of the rest are written for Mac.

        • Let’s also point out the opposite of “fairly quickly”: how long it’s taking the SSA to recover from this particular attack.

  7. Trump’s fault, too easy on Russia!! Joe has been brutal on Russia! Believe this and I have a bridge to sell you!! Hope you all are enjoying Joe and Camilla!!!

    • The Vice President’s name is Kamala Harris. Camilla is Duchess of Cornwall, married to Prince Charles. Informed people know the difference.

      • Informed people, Jackie, know that Camilla was a snare to Charles and broke up the marriage with Diana and informed people know that Kamala had a liaison with the Mayor of SFO who was married. Yes estranged but still married. The parallels are there.

    • Actually, Joe– there has been considerable concern about this for years. If you are going to blame a president for this one, (which is of course ridiculous) blame Trump. He couldn’t figure out a way to make money from this stuff, so he denied and ignored it.

  8. The SSA has held islanders “ransom” for years, with substandard boats, flaming transport busses, extortionate ticket costs.
    What’s the difference between that and this “ransom ware” attack?
    The hackers will probably run the SSA better than the SSA has.
