Ransomware Attack on Clabots by Play Group: A Detailed Analysis

Clabots, a well-established Belgian company in the construction and hardware sector, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. This attack has compromised sensitive data, including clients' tax information and identification documents, posing significant risks to both Clabots and its clients.

About Clabots

Founded in 1910, Clabots has grown from a small hardware store in Schaerbeek to a comprehensive supplier of tools, hardware, and safety equipment. The company operates a B2B portal and serves a wide range of clients, from large corporations to small contractors. Clabots employs approximately 82 people and reported an annual revenue of $19.3 million. Their extensive catalog includes cutting tools, clamping tools, pliers, wrenches, extractors, ratchets, and sockets, catering to both professional tradespeople and DIY enthusiasts.

What Makes Clabots Stand Out

Clabots is known for its century-long experience and commitment to quality and innovation. The company has positioned itself as a "hall equipment specialist," focusing on security solutions for buildings and residences. They offer a variety of security-related products and services, including intercom systems, locking mechanisms, mailboxes, access control systems, and technical doors. With over 38 years of experience in the security sector, Clabots has secured more than 20,000 premises, demonstrating their significant impact in the field.

Attack Overview

The Play ransomware group, active since June 2022, has claimed responsibility for the attack on Clabots via their dark web leak site. The attackers have compromised private and personal confidential data, including clients' tax information, identification documents, and other sensitive information. This breach poses significant risks to both Clabots and its clients, potentially leading to financial and reputational damage. Immediate measures are being taken to assess the extent of the breach and to mitigate further risks.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been responsible for numerous high-profile attacks since its emergence. Initially focused on Latin America, the group has expanded its operations to North America, South America, and Europe. They target a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group uses various methods to gain entry into networks, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities.

Penetration Methods

Play ransomware employs sophisticated techniques to penetrate systems. They use scheduled tasks, PsExec, and Group Policy Objects (GPOs) to distribute ransomware executables within the internal network. The group also uses tools like Mimikatz to extract high-privilege credentials and escalate privileges. To evade detection, they employ tools to disable antimalware and monitoring solutions, such as Process Hacker, GMER, and IOBit.

• Clabots - Catalogue
• UCM Magazine - Clabots SA
• SOCRadar - Play Ransomware
• Cyberint - Play Ransomware
• Proven Data - Play Ransomware