Ransomware attack paralyzes US prison operations

Lord777

In what may be the first ransomware attack of its kind, the hacker group Play claimed to have breached the maximum security correctional facility in Rhode Island in the northeastern United States.

The Donald W. Wyatt Correctional Facility, located in Central Falls, Rhode Island, was listed on a darknet ransomware site on Tuesday night.

The maximum security facility accommodates more than 700 adult male and 40 adult female prisoners, including those held by the U.S. Marshals Office, Federal Bureau of Prisons, U.S. Navy, and from the Mashantucket Pequot Native American Reservation.

The group claims that they stole "personal confidential data, customer documents, agreements, budget, personnel information, identity cards, tax and financial information, etc."

Play did not disclose the amount of data stolen from the institution, instead cryptically posting three question marks, "???", followed by the gigabyte symbol in the listing.

The group also says it will release all the data it has by November 19.

Unlike a federal prison, a state correctional facility holds prisoners who have not yet been tried, have been refused bail, or are awaiting trial.

The private institution is also governed by a board of directors appointed by the mayor of Central Falls, making it a quasi-public corporation.

In addition to security systems and operations at the correctional facility, files about prisoners, especially those who may be found innocent, can provide hackers with a treasure trove of information that could potentially be used to blackmail prisoners in the future.

In addition, for prisoners awaiting trial, confidential documents can be used to influence court processes and provoke dozens of lawsuits against the institution for improperly ensuring the security of personal data.

The correctional facility, part of the American Correctional Association (ACA), accepts inmates from various jurisdictions, including the neighboring states of Connecticut, Massachusetts, New Hampshire, Maine, and Vermont.

Ransomware Play, also known as PlayCrypt, was first spotted starting in June 2022.

Since its inception, the group has regularly reported hacking and published data from about two dozen victims a month on its dark site, making the total number of victims more than 250.

The group most often attacks medium-sized companies, mainly from the United States, Canada, Latin America, and Europe.

Play's most famous attack was a month-long attack on the city of Oakland and the Palo Alto County Sheriff's Office in California this year.

The group is described as inspired by the Hive group, which the FBI eliminated in January but which claimed to be back in action as of November 16 of this report.

According to the Symantec threat hunter blog post from April, Play has adopted two new custom-designed hacking tools that allow hackers to "collect data that is normally blocked by the operating system."

Play is also considered one of the first groups of ransomware programs that use intermittent encryption, when only certain fixed segments of the system are encrypted, which allows faster access and withdrawal of victim data.

The group has recently been seen using remote monitoring and management (RMM) software, as well as exploiting known vulnerabilities in Fortinet firewalls.

Other high-profile victims of Play this year include cloud computing company Rackspace, German hotel chain H-Hotels and BMW France.