Rhode Island officials said they're still analyzing the impact of a ransomware gang's breach of state health and social services systems. Some are still down.
Analysis Summary
# Incident Report: Rhode Island State Services Ransomware and Data Leak
## Executive Summary
The State of Rhode Island experienced a ransomware attack that compromised state digital platforms, specifically those managed by vendor Deloitte, including the RIBridges social services system and HealthSource RI marketplace. The attackers, identified as the Brain Cipher ransomware gang, subsequently leaked a portion of the stolen data onto the dark web. The incident severely impacted access to crucial benefits and services, requiring extensive remediation and public notification efforts.
## Incident Details
- **Discovery Date:** Not explicitly stated; the state reports it was already preparing for the scenario on **December 1st** (implied to precede the December 31st notification).
- **Incident Date:** Data exfiltration occurred "last month" relative to the late December/early January reporting period. Deloitte notified the state on **December 5th**.
- **Affected Organization:** State of Rhode Island (via systems managed by Deloitte: HealthSource RI and RIBridges).
- **Sector:** Government / Public Services
- **Geography:** Rhode Island, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Ransomware deployment against systems built by Deloitte for the state; the initial access vector itself is not specified.
- **Details:** The summary states only that the attack targeted state systems hosted or managed by Deloitte; how the attackers first gained access is not reported.
### Lateral Movement
- **Details:** Not explicitly detailed, but the scope included the RIBridges system, suggesting compromise extended to systems holding sensitive personal data.
### Data Exfiltration/Impact
- **Details:** An unknown volume of data was stolen. The attackers, Brain Cipher, later leaked some of this data onto the dark web. Affected data likely includes names, addresses, DOBs, SSNs, and banking information for up to 650,000 users.
### Detection & Response
- **How it was discovered:** Deloitte informed the state on December 5th that the attack targeted the systems they built for the state.
- **Response actions taken:** The state launched a statewide outreach strategy on December 1st (implied to be preparatory, predating the December 5th notification). It is working with Deloitte to analyze the leaked files, generating a list of impacted individuals for notification, and expanding call center hours for affected social services users. Ransom negotiations were reportedly handled by Deloitte.
## Attack Methodology
- **Initial Access:** Ransomware (Vector unspecified).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed; the attackers' access to data containing Personally Identifiable Information (PII) and financial records is covered under Collection below.
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied movement across the RIBridges and HealthSource RI infrastructure managed by Deloitte.
- **Collection:** Gathering PII, SSNs, banking details from benefit and health coverage systems.
- **Exfiltration:** Data copied and subsequently leaked/published on the dark web by the threat actor.
- **Impact:** Disruption of crucial state services (SNAP, Medicaid eligibility) and subsequent exposure of sensitive personal data.
## Impact Assessment
- **Financial:** Estimated costs are not reported, but the mention of ransom negotiations suggests potential direct/indirect costs.
- **Data Breach:** High severity. Likely PII, including names, addresses, dates of birth, **Social Security numbers (SSNs)**, and **banking information** for an estimated 650,000 users.
- **Operational:** Significant disruption to RIBridges availability, forcing manual processes (in-person visits or extended call center operations) for SNAP, Medicaid, and health coverage enrollment decisions. HealthSource RI access has been restored, but RIBridges remains partially unavailable.
- **Reputational:** Local backlash directed at the Governor regarding the handling of ransom negotiations (handled by Deloitte instead of law enforcement/FBI).
## Indicators of Compromise
- **Network indicators:** Not provided.
- **File indicators:** No hashes or filenames are provided; the payload is attributed to the Brain Cipher ransomware (a LockBit 3.0 variant).
- **Behavioral indicators:** Execution of ransomware leading to data encryption (implied) and subsequent data exfiltration (confirmed by dark web leak).
## Response Actions
- **Containment measures:** Not detailed, but implied by working to restore access to HealthSource RI.
- **Eradication steps:** Not detailed, but ongoing analysis of released files is occurring.
- **Recovery actions:** Expanding call center hours through the new year; generating and sending breach notification letters; urging affected individuals to freeze credit and enable MFA.
## Lessons Learned
- **Key takeaways:** Reliance on a third-party vendor (Deloitte) for critical state infrastructure introduces risk, and in this incident the vendor also handled sensitive parts of the ransom negotiation. Sensitive data belonging to a large population (up to 650,000 users) was potentially exposed.
- **What could have been done better:** Public perception suggests that having the negotiation handled by Deloitte rather than by the state or federal law enforcement was a point of contention.
## Recommendations
- **Prevention measures for similar incidents:** Strengthen third-party risk management for vendors operating critical state systems; establish clear, state-led ransomware response protocols that involve law enforcement from the outset; and enhance network segmentation and monitoring around systems holding large volumes of PII and SSNs, such as benefit eligibility platforms.