In what might be considered the first ransomware attack of its kind, the Play ransom gang claims to have successfully hit a maximum-security detention center in the Northeast state of Rhode Island.
The Donald W. Wyatt Detention Facility, located in the City of Central Falls, Rhode Island was listed on the threat actors dark leak site Tuesday evening.
The maximum-security facility at capacity houses over 700 adult males and 40 adult female detainees, according to Central Falls.
Detainees include those in custody by the US Marshals Service, the Federal Bureau of Prisons, the United States Navy, as well as those from the nearby Native American Mashantucket Pequot Reservation.
The threat group claims to have exfiltrated “Private and personal confidential data, clients documents, agreements, budget, HR, IDs, tax, finance information and etc.”
Play did not reveal the amount of stolen data it may have acquired from the Facility, instead cryptically posting three question marks “???” followed by a gigabyte symbol in the listing.
The gang also claims it will publish whatever data it has by a November 19th deadline.
Unlike a federal prison, the state detention center holds prisoners who have not yet been arraigned, have been denied bail, or are awaiting trial.
The private Facility is also governed by a board of directors appointed by the Central Falls Mayor, making it a quasi-public corporation.
Besides security systems and operations at the detention facility, files on inmates, especially those that may be found innocent, could supply the hackers with a treasure trove of information that could potentially be used to blackmail detainees in the future.
Additionally, for those inmates awaiting trial, sensitive documents could be used to sway legal proceedings and spur dozens of lawsuits against the Facility for failing to keep personal data secured.
Deemed part of the American Correctional Association (ACA), the Facility takes in prisoners from various jurisdictions, including the surrounding states of Connecticut, Massachusetts, New Hampshire, Maine, and Vermont.
Cybernews has reached out to the The Donald W. Wyatt Detention Facility, as well as the City of Central Falls, and is awaiting responses.
Play ransomware, also known as PlayCrypt, was first spotted since June 2022 and is suspected of having ties to Russia.
Since its emergence, the group has steadily claimed and published the data of roughly two dozen victims per month on its dark leak site, making its victim count well over 250.
The group often goes after mid-sized companies mainly from the US, Canada, Latin America, and Europe.
Most notably Play was behind the crippling month-long attack against the City of Oakland and the Palo Alto County Sheriff's office in California this past spring.
The gang is described as being inspired by the Hive ransomware group – which was infamously busted by the FBI in January – but has now just declared itself back in action as of this November 16th report.
A Symantec threat hunter blog from April showed Play had adopted two new custom-developed hacking tools allowing the hackers to “harvest data typically locked by the operating system.”
Play is also thought to be one of the first ransomware groups to use intermittent encryption, where only certain fixed segments of a system are encrypted, according to an Adlumin profile on the group from August.
The method allows for faster access and exfiltration of a victim's data, and it seems other notorious groups have since adopted the tactic, including ALPHV/BlackCat, DarkBit, and BianLian.
The Adlumin researchers also warned about a newly initiated global campaign targeting victims through their own security vendors, known as managed service providers (MSPs), in the finance, software, legal, and shipping industries.
Most recently the gang was seen exploiting remote monitoring and management software (RMM), as well as leveraging decades old known Fortinet firewall vulnerabilities.
More from Cybernews:
Subscribe to our newsletter