NYC’s Subway Operator and Martha’s Vineyard Ferry Latest to Report Cyberattacks

On Wednesday, a ransomware attack disrupted ferry services in Massachusetts. New York’s Metropolitan Transportation Authority also revealed Wednesday that it had been hacked in April, although the attack didn’t disrupt operations, including the city’s subway system.

In May, the operator of an essential pipeline bringing gasoline to parts of the East Coast paid about $4.4 million to regain control of its operations and restore service.

San Diego-based Scripps Health said Tuesday that it is still recovering from a cyberattack it discovered on May 1 that disrupted its patient portal, electronic medical records, radiology and other systems and canceled or delayed appointments at its hospitals and clinics.

Emboldened by recent successes, hackers have shifted their focus away from data-rich companies such as retailers, financial institutions and insurance companies to providers of key public needs such as hospitals, transportation and food. The trend is part of a global criminal pivot from stealing data to hobbling operations via ransomware, where companies are hit with demands for million-dollar payments to regain control of their operating systems.

President Biden said Wednesday he would look closely at whether to retaliate against Russia for the attacks. The president plans to bring up the problem of ransomware during a summit with Russian President

Vladimir Putin

in Geneva planned for June 16, the White House said. Russian officials didn’t immediately respond to a request for comment.

Security professionals whose business is helping companies and organizations protect and manage against these attacks have warned that it is only likely to get worse.

“Pharmaceuticals, hospitals, healthcare, public companies, organizations that don’t have the talent and skills to defend themselves—they’re getting sucker punched,”

Kevin Mandia,

chief executive of cybersecurity firm FireEye Inc., said Wednesday during a Wall Street Journal cybersecurity conference.

Department of Homeland Security officials issued fresh warnings Wednesday about the importance of guarding against ransomware.

“The threat of ransomware continues to be severe. Ransomware can affect any organization in any sector of the economy,” said Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, a part of DHS. “All organizations should urgently review our available resources and implement best practices to protect their networks from these types of threats.”

The potential for profit from ransomware coupled with an explosion in remote working during the Covid-19 pandemic provided both the incentive and the means for a ransomware boom, said

Adam Meyers,

vice president of intelligence with the cybersecurity firm

CrowdStrike Inc.

CRWD -0.67%

Companies that previously considered themselves to be unlikely targets of data breaches have increasingly found themselves in the crosshairs of ransomware.

Before 2018, hackers considered data-rich companies such as financial services companies, retailers and insurance companies to be prime targets, but they have shifted their focus because of the financial incentive from ransomware payments. Previously, they would seek to make money using data for identity theft, but ransomware provided an opportunity for industrial-scale hacking and payouts that could be made quickly in hard-to-trace cryptocurrency such as bitcoin, security professionals say.

When ransomware disabled operations at aluminum and energy giant

Norsk Hydro AS

NHYDY 0.15%

in 2019, it was a wake-up call for the cybersecurity industry, said David Navetta, a partner with the law firm Cooley LLP’s cybersecurity practice.

“They’re hitting everybody,” he said. “Any company that relies on their information technology to provide a good or a service is a target. We’ve seen manufacturers; we’ve seen chemical companies; we’ve seen nontraditional targets being hit more frequently than four or five years ago,” he said.

The Massachusetts attack disrupted bookings at the Steamship Authority, the largest ferry operator linking passengers and freight from the mainland to the islands of Martha’s Vineyard and Nantucket. Boats were able to continue sailing to the two islands, where the populations swell during the summer, but the ferry operator said customers were unable to book or change their vehicle reservations either online or by phone.

Hackers launched a cyberattack in April on New York’s MTA and accessed three of 18 computer systems used by the transit agency, although the breach had no impact on riders, employees or contractors, MTA officials said. The MTA hack was earlier reported by the New York Times.

DHS’s CISA, the National Security Agency and the Federal Bureau of Investigation notified the MTA of the breach in late April, MTA officials said. The transit agency was able to patch up the vulnerabilities the next day, MTA officials said.

A forensic audit turned up no evidence that any accounts were compromised, MTA officials said. No employee information was accessed, and no data was lost in the breach, they said. The hackers also didn’t make any financial demands, MTA officials said. The transit agency required password changes for about 3,700 employees and contractors as a precautionary measure, they said.

Scripps warned Tuesday that information on about more than 147,200 patients was exposed, possibly including clinical data and driver’s license and Social Security numbers. Last fall, ransomware groups knocked dozens of hospitals offline during a widespread campaign, and a September hack cost United Health Services Inc. $67 million.

—James Rundle, Tarini Parti and Paul Berger contributed to this article.

Write to Robert McMillan at [email protected], Joseph De Avila at [email protected] and Jacob Bunge at [email protected]