By 6 a.m. on the morning of Wednesday, June 2, Sean Driscoll knew something was wrong. When he checked his in-box, not one email had arrived overnight. “That’s always a bad sign for a communications director,” says Driscoll, who works for the Massachusetts Steamship Authority, the state-run operator of the only ferries equipped to carry cars between Cape Cod and the islands of Martha’s Vineyard and Nantucket. Driscoll and his colleagues discovered that the Steamship Authority’s ticketing website was down too. It was two days after Memorial Day, a time of year when the boats are suddenly packed with Vera Bradley–toting summerhousegoers and weekenders. By evening, cars stretched from Tisbury to Oak Bluffs, taking their chances in hopes of going standby aboard a ferry at Vineyard Haven, as Steamship agents wrote out tickets by hand.
The ferry company’s scrambling employees soon realized they had been hit by a ransomware attack — a cyber hijacking in which criminals seize control of an organization’s data and demand cryptocurrency payment for its release. The hackers struck at a particularly vulnerable moment: During the pandemic, ferry ridership sank 30 percent, crew members were hit by COVID outbreaks, and the Steamship Authority racked up a deficit of more than $12 million, requiring a federal bailout. With tourists finally flocking back to down lobster rolls and slurp oysters around the hydrangea-lined streets and dunes on the islands where Jaws was filmed, the company was counting on a bumper summer season. “Whatever normal is, we were headed there,” says Driscoll. “And then two days after Memorial Day weekend, here we are. It was like, Okay, well this is next.”
Indeed, even as the economy crawls back to health, more and more companies and institutions are grappling with business crises resulting from ransomware hacks. While cyberattacks have threatened businesses for years (remember North Korea’s Sony Pictures hack of 2014?), they’ve often escaped public attention, as companies sweep them under the rug. But the problem seems to have reached a new phase in 2021, as millions of Americans — not just aspiring Vineyard beachgoers — have been directly affected. In the month preceding the ferryboat attack, ransomware shut down a major pipeline carrying gas to the East Coast, resulting in widespread panic-buying and shortages at the pump, while another breach took out major meat plants, pressuring hamburger supply just as summer-barbecue season kicked off. Last year, $412 million in cryptocurrency was paid to ransomware perpetrators, more than quadruple the amount the prior year, and this year is on track to surpass that total, according to Chainalysis, which traces bitcoin payments on the blockchain. On the same day the Steamship Authority was hit, the White House issued a memo urging corporate executives to protect themselves against ransomware. The U.S. Department of Justice is now reportedly investigating ransomware attacks as seriously as terrorism.
On Martha’s Vineyard, the hackers — who tend to be based in Eastern Europe or affiliated with unfriendly nations like Russia or Iran, though investigators have yet to confirm their identity in this case — created a chain reaction of chaos and uncertainty among seafaring commuters and leisure passengers alike. Down by the ferry docks in Vineyard Haven on the day of the hack, cars lined up in every direction in the area known as Five Corners, as Steamship agents manually checked reservations on pieces of paper printed the night before. Agents only accepted cash, and boats were all running late. Some guests heading out to the island for a wedding that weekend were simply waved on for free. Others who were trying to book transportation for their summer trips were relegated to standby, unable to get through on the phones or too far away to drive down to the ticket offices. Lucy Huber, a Boston-based humor writer and editor at McSweeney’s, was trying to reserve space for her car to attend her cousin’s wedding in mid-June. The Steamship Authority’s website was useless, displaying only a vague message referring to an “incident.” “I was like, What? Did the ferry sink?” Huber says. (The ferryboats themselves and navigation systems were unaffected by the attack, according to the company.) Ultimately, Huber boarded the ferry on foot, pushing a baby stroller in the rain for 30 minutes to get to the event.
The question occupying the minds of both locals and the summer set, though, is why foreign cyberattackers would prey on the main mode of transport to two tiny islands that stretch, respectively, 14 and 26 miles long. Tom Lenhart, a Connecticut resident who has been looking forward to a Vineyard vacation for two years, says the ransomware felt like “a real punch in the gut,” threatening to derail his plans for the second year in a row. “It was a pain in the butt for me, being a tourist or occasional visitor, but for somebody who relies on it, that’s messed up,” he says. But he still doesn’t understand how the hackers landed on the ferryboat operator. “It just seems so random,” he says. “Really? These guys? Come on.”
Still, many Vineyarders seem to have met the news more with resignation than surprise. After all, the island has become known more and more as an offshore summer retreat for current and former presidents and a wide array of celebrities and billionaires. “Martha’s Vineyard is so high-profile now, and that’s why I think they got hit,” says Robin Canha, a fourth-generation Vineyard native and former gallery owner whose father worked for the Steamship Authority for nearly a half-century. “That whole attitude about the Vineyard is a playground for the wealthy. They picked on the Vineyard because of the notoriety.” (Ironically, the islanders point out, the truly wealthy don’t take the ferry but rather alight from planes, sailboats, and yachts.) The Steamship Authority, for its part, doesn’t know why it was targeted either. “You can drive yourself crazy doing nothing but wondering about that stuff,” Driscoll says.
Investigators who specialize in ransomware say the hackers care little about exacting revenge on the ultrarich or making any sort of political statement against capitalism or whatever else. “They think like a business: How do I earn the most amount of money in the least amount of time with the least amount of work?” says Bill Siegel, co-founder and CEO of Coveware, one of the leading ransomware-response companies, who negotiates with cybercriminals on behalf of victims.
Ten days after announcing the breach, the Steamship Authority said its ticketing system was back online, and ferry travel largely returned to normal. Still, after weeks of mystery, the Steamship Authority finally confirmed this week that, in fact, it did not pay the ransom to recover its data. Calling the hack a “criminal act,” the ferry operator said in a statement that it was working with law enforcement to investigate what had happened. “Although that investigation is ongoing, we do want our customers and the public to know that the Steamship Authority did not pay a ransom or engage with the cybercriminals,” Robert B. Davis, the general manager of the company, said in the statement.
Customers seem to broadly support this approach. “Any time I talk to them on the phone, I’m like, ‘Do not pay this,’” says Canha, who took the 45-minute ferry between the Vineyard and the Cape several times since the attack. “And they were like, ‘Hell no! Just not going to do it.’” Ticket agents have told passengers who ask about the attack that they’re focusing on rebuilding their system. When the Steamship Authority ticket website finally went live again, it was extremely similar to the original — down to a long-standing glitch that makes it hard to change a single leg of a round-trip reservation. “I don’t know if they’ll ever get it fixed,” says Canha.
But there is still some murkiness to the saga. Ransomware targets end up forking over the crypto in roughly 30 percent to 60 percent of cases, according to Siegel and others who assist victims, and at least some observers question whether some payment might not have been made in this case. One puzzling data point is the website’s ten-day downtime, which experts suggest is longer than it would typically take to restore service from backups, but shorter than it would take to rebuild from scratch. “That was pretty quick, so then I would assume that they paid the ransom,” says Pamela Clegg, VP of financial investigations at CipherTrace, a blockchain-analytics company that tracks crypto payments to illicit groups. (While the Steamship Authority says it successfully restored “most” of its services, certain functions are not available, and Driscoll says he still has no access to emails predating the attack.) In the case of Colonial Pipeline and beef producer JBS, both companies restarted operations within the span of a week, but only after paying $5 million and $11 million in bitcoin ransoms, respectively. “It was one of the toughest decisions I have had to make in my life,” Colonial’s CEO, Joseph Blount Jr., testified to the Senate this month. In the case of the Colonial ransom, the federal government announced it was able to seize at least a portion of the bitcoin in question (exactly how isn’t yet clear).
While hackers are often very willing to haggle and lower their prices, in some cases they’ve also obtained access to a company’s financial statements. “They know exactly how much cash you have in your bank account,” says Tom Hoffman, SVP of intelligence for Flashpoint, another ransom-negotiating company. “So it complicates negotiations at that point.” And even after paying a ransom, the process of unlocking encrypted data can be complex and time-consuming, and hackers return it in varying states of disarray. “We’ve had examples where for some of the larger payments, the group came back 24 hours later, wanting to check in on how the decryption process was going, if there’s anything else they could do to help,” adds Hoffman.
The Steamship Authority has plans in place in the event of a communications blackout – the sort that might be caused by a major hurricane. But it’s hard to say if those plans were enough to prepare it for this kind of disaster. Last year, the ferry operator posted a job opening for a “computer technician” whose responsibilities included backups and restoring files and databases; the listing remains up.