Ransomware group Play over the weekend claimed a cyber attack on New York State’s Legislative Bill Drafting Commission. The group claimed to steal an undisclosed amount of data including “private and personal confidential data, clients documents, budget, payroll, accounting, contracts, taxes, IDs, finance information, and etc [sic].”
New York’s Bill Drafting Commission went down last week as a result of the attack, casting doubt on the passage of an already delayed state budget. The commission conducts research and prints legislative documents for lawmakers in Albany.
New York State officials have not confirmed Play’s claim. Comparitech contacted the NYS Senate Democratic Majority for comment, and will update this article if it responds.
Play didn’t publicly state how much it’s demanding in ransom. The Commission has not stated what data was affected, to whom it belongs, whether systems have been restored, how attackers breached its systems, or whether it plans to pay the ransom.
State officials said they were forced to resort to systems and processes not used since 1994 as a result of system downtime.
Who is Play?
First observed in June 2022, Play Ransomware has a history of targeting large organizations in healthcare, finance, manufacturing, real estate, education, and more. It’s known for double-extortion attempts that force victims to pay twice: once to decrypt systems, and again in exchange for not selling or publicly releasing stolen data.
Play prefers to break into systems by exploiting vulnerabilities, especially in remote desktop software (RDP). The ransomware uses intermittent encryption, which partially encrypts chunks of data instead of entire systems to avoid detection.
According to our data, Play claimed responsibility for six attacks so far in 2024. Recent victims include juice maker Welch’s, Douglas County Libraries in Colorado, and the Kansas City Area Transportation Authority.
It claimed 48 attacks in 2023, affecting more than 210 million records.
Ransomware attacks on US government orgs
In 2023, 74 US government organizations confirmed ransomware attacks, affecting 309,810 records, according to our data. The average ransom for confirmed attacks was $830,000 in 2023, and the average downtime was 14 days.
In 2024, 22 attacks have been confirmed so far, affecting 49,306 records. Nine more are unconfirmed at time of writing.
About the New York Legislative Bill Drafting Commission
New York State’s Legislative Bill Drafting Commission is made up of two commissioners who help lawmakers draft laws. The Commission gives advice on proposed legislation, conducts research, and publishes legislative documents.