Rhode Island officials warn the data of hundreds of thousands of residents is at risk after a ransomware group breached the RIBridges social services database managed by Deloitte.
An international cybercrime group called Brain Cipher claimed credit for an attack on the system, which officials first disclosed on Dec. 5. The group threatened to leak data this week if their demands were not met, according to Deloitte and Rhode Island officials.
Deloitte informed Rhode Island officials on Dec. 13 about a major security threat to the RIBridges system, leading officials to take the system offline as a protective measure.
Deloitte confirmed that it has launched an investigation in collaboration with the state agency as well as law enforcement officials.
“While that investigation is ongoing, we have shown over the past decade our unwavering commitment to the State of Rhode Island and the people they serve,” a Deloitte spokesperson said via email. “We will continue to work around the clock to resolve this matter.”
The system, which supports Medicaid, Temporary Assistance for Needy Families and other programs, sits outside Deloitte's network and the consulting firm said none of its systems were impacted by the attack.
The hackers sent Deloitte officials a screenshot of some of the stolen information, according to Rhode Island officials. Deloitte officials also confirmed the presence of malicious code.
Rhode Island Gov. Daniel McKee confirmed the attack in a Saturday press conference and said officials were working around the clock to protect the data of state residents, working directly with the state congressional delegation, officials from the Cybersecurity and Infrastructure Security Agency and others to resolve the matter.
The data includes names, addresses, Social Security numbers, dates of birth and certain personal banking information.
The threat group, Brain Cipher, is considered a mid-tier operation that has been active since June of this year, according to Jim Walter, senior threat researcher at SentinelOne.
The group leverages the LockBit 3.0 builder for its ransomware payloads, Walter said. It does not operate at the same volume as rivals such as Play ransomware or Akira, but is considered a persistent presence in the ransomware landscape.
Brain Cipher previously claimed credit for an attack targeting the Indonesia national data center, among other targets.
The system includes personal data for residents enrolled in federal and state assistance programs, including Medicaid, Supplemental Nutritional Assistance Program, Rhode Island Works and health coverage purchased through HealthSource RI.
According to MS-ISAC, ransomware groups often operate using a multi-tiered extortion model. Data is stolen, encrypted and threatened with public release. Individual victims are often targeted with follow-up extortion attempts.
“The latter is known to occur even when victim organizations pay the ransom,” MS-ISAC said via email. “Local governments, and especially those in social services, often hold highly sensitive data and provide critical functions, which makes them an attractive target for ransomware operators.”