Ferry ransomware attack remains unsolved

Weak cyberdefenses found at Steamship Authority. 

1
Vehicle and walk on passengers at the Vineyard Haven Steamship Authority terminal in 2021 waiting to purchase tickets by cash and receive handwritten receipts. —MV Times

When the Steamship Authority was hit by a ransomware cyberattack on June 2, 2021, it hampered operations for a week, preventing customers from booking reservations online or by phone, and forcing staff to use pen and paper, and accept only cash, at ticket offices.

The ferry line systems were gradually fixed, and the SSA announced they were fully restored on June 30, 2021. It said it paid no ransom, and that customers’ private data were not breached

Three years later, the case remains unsolved, and the ferry service has come under fire for inadequate cyber defenses.

In an audit report issued on Feb. 5, the Massachusetts Office of the State Auditor concluded the SSA had an “undocumented cybersecurity awareness training practice.” 

In 2020 and 2021, the audit found, 662 SSA employees and 114 new hires were required to take cyber-defense training courses. But more than 70 percent of the regular employees and more than half the new hires did not complete the courses within a year, it said. 

In November 2019, the SSA began requiring employees to complete online cybersecurity awareness courses about electronic communications, email, and phishing, and safeguarding personal information, the report said. 

But it found that the SSA failed to ensure that employees did so, and the ferry service lacked a “formal, documented cybersecurity awareness program that includes knowledge checks, monitoring, and updates as needed.”

The report said some employees did not have access to a computer to complete the training. 

It recommended the SSA follow Massachusetts Executive Office of Technology Services and Security standards for information-security risk management, including giving employees 30 days — not a year — to complete the courses.

Failure by the SSA to tighten its training protocols could lead to a higher risk of cyberattacks and “financial and/or reputational losses,” it warned. 

Sean Driscoll, the SSA communications director, said the ferry line was already updating its cybersecurity training when the audit was released. The SSA said it had distributed more laptops to its offices and vessels for training. However, he declined to provide further details. 

Authorities also remain close-mouthed about the 2021 attack. The FBI last month rejected a Freedom of Information Act request from The Times for records, including any analysis or conclusions, from its investigation. 

In a letter, the bureau said an investigation is still pending, and “release of the information could reasonably be expected to interfere with enforcement proceedings.”

The federal Cybersecurity and Infrastructure Security Agency defines ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”

Sen. Edward Markey (D-Mass.), considered an expert on telecommunications and technology in Congress, initially blamed Moscow for the cyberattack. 

“No one would have ever imagined that the Russians would attack the Steamship Authority,” he told a 2021 press conference. He soon backtracked, and authorities have not publicly identified any suspects. 

Markey and Rep. Bill Keating (D-Bourne) did not respond to a request for comment this week. An aide to Sen. Elizabeth Warren (D-Mass) declined comment. 

Doug Domin, supervisory special agent at the FBI’s Boston division, told The Times that investigating a cybercrime like ransomware can take years. 

According to the FBI’s Internet Crime Complaint Center, the bureau received 9,915 complaints about cybercrimes in Massachusetts in 2023 that cost $235.89 million in losses. Cybercrimes include data breaches, phishing, and credit card fraud, among other crimes. 

Only 11 states had more complaints, but Domin said cybercrimes are almost certainly underreported. “What we see is a fraction of the totality of the victims out there,” he said. 

Domin said the FBI’s Boston division receives three to four ransomware complaints per week from victims in Massachusetts, Rhode Island, New Hampshire, and Maine. 

Massachusetts residents were victims of 77 ransomware attacks in 2023, FBI statistics show, although no money was paid. 

Cyber criminals take advantage of weaknesses in phones and other devices, and rely on social media or other online networks to gather information, Domin said. Martha’s Vineyard is an especially alluring target, given its global reputation as a wealthy enclave. 

“Martha’s Vineyard may not be as rural online as they may be geographically,” Domin said. 

Last month, the SSA board held an executive session to discuss the long-delayed new website, as well as cybersecurity concerns. 

“It’s not anything that ever stops,” Driscoll said. “It’s a constant race with bad actors.” 

Domin said people targeted by cyberattacks, including ransomware demands, should contact the FBI. He recommended cisa.gov/stopransomware for more resources.