Summary: The Brain Cipher ransomware group has begun leaking sensitive documents stolen from Rhode Island’s RIBridges social services platform, affecting approximately 650,000 individuals. This breach exposes personal information, including names, addresses, and Social Security numbers, raising significant concerns for the impacted residents.
Threat Actor: Brain Cipher
Victim: RIBridges
Key Points:
- RIBridges is an integrated eligibility system used for managing social assistance programs in Rhode Island.
- The breach was confirmed on December 10, 2023, after Deloitte notified the state of unauthorized access.
- Stolen data includes personal information of both adults and minors, prompting state officials to advise credit monitoring.
- Governor McKee confirmed that some files were released on the dark web, urging residents to protect their personal information.
- Brain Cipher began its operations in June 2024 and has gained notoriety for its ransomware attacks.
The Brain Cipher ransomware gang has begun to leak documents stolen in an attack on Rhode Island’s “RIBridges” social services platform.
RIBridges is an integrated eligibility system (IES) used by the state to manage and deliver social assistance programs, including healthcare, food assistance, child care, and other services.
Rhode Island first learned that RIBridges was the target of an attack on December 5 after being notified by its vendor, Deloitte. However, it wasn’t until December 10 that it was confirmed that threat actors gained access to the system and likely stole data.
“On December 10, the State received confirmation from Deloitte that there had been a breach of the RIBridges system based on a screenshot of file folders sent by the hacker to Deloitte,” reads a statement from the government.
“On December 13, Deloitte confirmed there was malicious code present in the system, and the State directed Deloitte to shut RIBridges down to remediate the threat,” continued the statement.
Last week, the Brain Cipher ransomware gang began leaking some of the stolen data on its data leak site.
Cybersecurity researcher Connor Goodwolf downloaded the data and claims it contains the personal data of both adults and minors.
“The ransomware group Brain Cipher has released the breach data from the Deloitte RIBridges hack, containing PII of not just adults but minors,” tweeted the researcher.
Based on screenshots shared by Goodwolf, the stolen files consist of numerous archives containing what appear to be Oracle databases, backups, and other data.
Goodwolf was previously sued by the City of Columbus for sharing samples of data stolen from the City’s IT network and leaked by the Rhysida ransomware gang. That lawsuit has since been dismissed.
In a statement released earlier this week, Governor McKee confirmed that some data was released on the dark web.
“Deloitte informed us that the cybercriminal released some RIBridges files on the dark web. While IT teams are working diligently to analyze the files, the most important thing Rhode Islanders can do is protect their personal information now,” tweeted McKee.
It is believed that approximately 650,000 people were impacted by the breach and may have had their names, addresses, dates of birth, Social Security numbers, and certain banking information exposed in the attack.
Due to this data’s sensitive nature, state officials advise Rhode Islanders to freeze and monitor their credit for fraudulent activity. It is also advised to be on the lookout for targeted phishing scams utilizing the stolen data that may attempt to steal further information.
Brain Cipher is a ransomware gang that began conducting attacks in June 2024, with the group gaining media attention after it attacked Indonesia’s temporary National Data Center.
The ransomware gang utilizes an encryptor created using the leaked LockBit 3.0 builder and uses a data leak site to extort victims into paying a ransom demand.
At this time, the Brain Cipher data leak site is offline and the leaked data is not accessible. However, the gang's Tor negotiation page continues to work, potentially indicating that the data leak site is under a DDoS attack intended to prevent the dissemination of the stolen data.