Seven new victims have been claimed under the PLAY Ransomware attack — orchestrated by the threat actor with the same name.

The notorious PLAY ransomware group operating in the underground forums has identified and targeted these organizations located in different corners of the world. 

Surprisingly, there seems to be no apparent connection between these victims, highlighting the indiscriminate nature of their attacks.

PLAY Ransomware Attack: 7 New Victims Added

This ransomware campaign is part of a wider scheme orchestrated by the threat actor, targeting major organizations worldwide.

The PLAY ransomware attack victims include:

• Hughes Gill Cochrane Tinetti
• Saltire Energy
• Centek industries
• NachtExpress Austria 
• WCM Europe
• Starr Finley
• unknown victim 

Hughes Gill Cochrane Tinetti, headquartered in California, United States, fell prey to this PLAY ransomware attack. Their website, www.hughes-gill.com, was compromised on October 10, 2023, with the ransom demand stretching four days from the publication date.

Saltire Energy, a stalwart in the United Kingdom, faced a similar attack. The threat actor claimed the PLAY ransomware attack on October 10, 2023, with a ransom date of October 14, 2023, before their data gets published.

Similarly, additional organizations mentioned by the PLAY ransomware group have been targeted by the PLAY ransomware, with a looming deadline of 1 to 4 days before all the stolen data is exposed on the dark web.

The Rise of Play Ransomware Group

The rise in PLAY ransomware attacks and recent data breaches claims has raised concerns among both private and public organizations worldwide.

Threat actors like PLAY ransomware exploit vulnerabilities and unpatched security systems to gain unauthorized access and encrypt valuable data.

To learn more about these PLAY ransomware attacks, and get clarification on the claims made by the threat actor, The Cyber Express reached out to the multiple organizations listed by the threat actor.

However, at the time of writing this, no response or confirmation has been received. This leaves the claims surrounding the PLAY ransomware attack unverified.

Play ransomware group has been on the run from a long time. Cybersecurity experts at Symantec recently identified the Play ransomware, also known as PlayCrypt, targeting a wide range of private and public organizations across various industries worldwide. 

The hacker collective, initially developed by the Balloonfly group, has gained infamy for carrying out prominent attacks since its debut in June 2022. Moreover, they employs a dual extortion approach, beginning with the extraction of victim network data before proceeding to encryption.

Alongside other notorious variants like LockBit, Mallox, and Clop, Play ransomware has emerged as the most cunning threat actors on the dark web. They also employs a range of infection vectors, exploiting known vulnerabilities such as ProxyNotShell, and even purchasing access to infrastructure through stolen credentials from previously successful threat actors.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.