Clabots Hit by Play Ransomware: Risks and Impact Analyzed

Incident Date:

August 29, 2024


Overview

Title

Clabots Hit by Play Ransomware: Risks and Impact Analyzed

Victim

Clabots

Attacker

Play

Location

Zemst, Belgium

First Reported

August 29, 2024

Ransomware Attack on Clabots by Play Group: A Detailed Analysis

Clabots, a well-established Belgian company in the construction and hardware sector, has been listed as a victim by the Play ransomware group. According to the group's leak-site listing, the stolen data includes clients' tax information and identification documents, which exposes both Clabots and its clients to significant risk.

About Clabots

Founded in 1910, Clabots has grown from a small hardware store in Schaerbeek to a comprehensive supplier of tools, hardware, and safety equipment. The company operates a B2B portal and serves a wide range of clients, from large corporations to small contractors. Clabots employs approximately 82 people and reported an annual revenue of $19.3 million. Their extensive catalog includes cutting tools, clamping tools, pliers, wrenches, extractors, ratchets, and sockets, catering to both professional tradespeople and DIY enthusiasts.

What Makes Clabots Stand Out

Clabots is known for its century-long experience and commitment to quality and innovation. The company has positioned itself as a "hall equipment specialist," focusing on security solutions for buildings and residences. They offer a variety of security-related products and services, including intercom systems, locking mechanisms, mailboxes, access control systems, and technical doors. With over 38 years of experience in the security sector, Clabots has secured more than 20,000 premises, demonstrating their significant impact in the field.

Attack Overview

The Play ransomware group, active since June 2022, claimed responsibility for the attack on Clabots on its dark web leak site. The group states that it has exfiltrated private and confidential data, including clients' tax information, identification documents, and other sensitive records. Beyond the direct financial and reputational damage to Clabots, stolen identity documents and tax records give criminals the raw material for fraud and identity theft against the affected clients, so the exposure does not end with the encryption event. Establishing how the attackers got in, how far they moved, and exactly which records left the network is the immediate priority for any organisation in this position.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been responsible for numerous high-profile attacks since its emergence. Its early victims were concentrated in Latin America; it has since expanded across North America and Europe. It targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. For initial access the group relies on exposed RDP services (typically with valid but stolen credentials), known FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities.

Penetration Methods

Once inside a network, Play relies on built-in Windows administration facilities rather than novel tooling. It distributes the ransomware executable across the domain with scheduled tasks, PsExec, and Group Policy Objects (GPOs), harvests high-privilege credentials from memory with Mimikatz to escalate privileges and move laterally, and, before encryption, blinds defenders by using utilities such as Process Hacker, GMER, and IOBit to terminate or unload anti-malware and monitoring agents. Because each of these steps leaves telemetry on the endpoint (service installs, task creation, writes to SYSVOL, LSASS access, the tool processes themselves), they are also the points at which the intrusion can be detected before files are encrypted.
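The following is an added example, not code from the original page or from any vendor: it turns the tradecraft listed above into a handful of detection rules and runs them over constructed Sysmon and Windows Security event records. The event records, host names, file paths and the access-mask and allow-list thresholds are assumptions chosen for illustration, not telemetry from the Clabots incident; the tool executable names are the ones those utilities commonly ship with.

```python
"""Detection rules for Play-style distribution, credential theft and defence
evasion (PsExec, remote schtasks, GPO script drops, LSASS reads, AV killers),
run over constructed sample events. Added example; assumptions are labelled."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    host: str
    detail: str


# Constructed sample events in a flattened Sysmon / Security style (assumption).
SAMPLE_EVENTS = [
    # Sysmon EID 1: PsExec service binary started on a target host
    {"host": "FS01", "eid": 1, "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": r"C:\Windows\PSEXESVC.exe"},
    # System EID 7045: new service installed, classic PsExec artefact
    {"host": "FS01", "eid": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Sysmon EID 1: scheduled task created on a remote host (/s) to run a dropped binary
    {"host": "WS12", "eid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /create /s DC01 /tn Update /tr "\\DC01\share\pay.exe" /sc once /st 23:00 /ru SYSTEM'},
    # Sysmon EID 11: executable written under a GPO Scripts folder in SYSVOL
    {"host": "DC01", "eid": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\SYSVOL\sysvol\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\pay.exe"},
    # Sysmon EID 10: unsigned binary reads LSASS memory (Mimikatz-style access mask)
    {"host": "DC01", "eid": 10, "source_image": r"C:\Temp\m.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted": "0x1010"},
    # Sysmon EID 1: AV-disabling utility launched
    {"host": "WS12", "eid": 1, "image": r"C:\Tools\ProcessHacker.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"C:\Tools\ProcessHacker.exe"},
    # Benign noise that the rules must not flag
    {"host": "WS12", "eid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe notes.txt"},
    {"host": "WS12", "eid": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted": "0x1fffff"},
]

AV_KILLERS = {"processhacker.exe", "gmer.exe", "iobitunlocker.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"   # allow-list for LSASS readers (assumption)
PROCESS_VM_READ = 0x0010                  # access right needed to dump LSASS memory


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_psexec(ev):
    """PsExec leaves a PSEXESVC service install and a PSEXESVC.exe process."""
    if ev["eid"] == 7045 and ev.get("service", "").upper().startswith("PSEXESVC"):
        return Hit("psexec_lateral_movement", ev["host"], ev["service"])
    if ev["eid"] == 1 and _base(ev.get("image", "")) == "psexesvc.exe":
        return Hit("psexec_lateral_movement", ev["host"], ev["image"])
    return None


def rule_remote_schtask(ev):
    """schtasks /create with /s <host>: task pushed to another machine."""
    cmd = ev.get("cmd", "")
    if (ev["eid"] == 1 and _base(ev.get("image", "")) == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I) and re.search(r"/s\s+\S+", cmd, re.I)):
        return Hit("remote_scheduled_task", ev["host"], cmd)
    return None


def rule_gpo_sysvol_drop(ev):
    """Executable content written into a GPO Scripts path is how a GPO deploys a payload."""
    target = ev.get("target", "")
    if ev["eid"] == 11 and re.search(r"\\sysvol\\.*\\scripts\\.*\.(exe|dll|bat|ps1)$", target, re.I):
        return Hit("gpo_script_drop", ev["host"], target)
    return None


def rule_lsass_access(ev):
    """Memory-read access to lsass.exe from outside System32 (credential dumping)."""
    if ev["eid"] != 10 or _base(ev.get("target_image", "")) != "lsass.exe":
        return None
    granted = int(ev.get("granted", "0"), 16)
    if granted & PROCESS_VM_READ and not ev.get("source_image", "").lower().startswith(SYSTEM_DIR):
        return Hit("lsass_memory_read", ev["host"], ev["source_image"])
    return None


def rule_av_killer(ev):
    """Known AV/EDR-disabling utilities started as a process."""
    if ev["eid"] == 1 and _base(ev.get("image", "")) in AV_KILLERS:
        return Hit("defense_evasion_tool", ev["host"], ev["image"])
    return None


RULES = [rule_psexec, rule_remote_schtask, rule_gpo_sysvol_drop, rule_lsass_access, rule_av_killer]


def run_rules(events):
    """Apply every rule to every event and collect the hits."""
    return [h for ev in events for h in (r(ev) for r in RULES) if h]


def hosts_with_chain(hits, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired. Play's staging phase
    touches several of these on one machine, so clustering cuts single-rule noise."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h.host, set()).add(h.rule)
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.host:6} {h.rule:26} {h.detail}")
    print("hosts with a multi-stage chain:", hosts_with_chain(found))
```

The allow-list on LSASS readers and the two-rule clustering are the parts a practitioner should tune: System32 binaries such as csrss.exe legitimately open LSASS, and a single PsExec service install is routine in many environments, whereas a host that also sees a remote task creation or an AV-killer process within the same window is far more likely to be mid-deployment.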

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them and their victims. Given threat actors' continued, lucrative success, ransomware has become the most widespread and financially and informationally damaging cyber threat facing businesses and organisations today.

The site's data is collected from the leak sites operated by real-world threat actors and from a handful of other trackers. While sanitisation efforts have been made, we cannot guarantee 100% accuracy of the data. Attack entries will be updated as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge that you do so at your own risk.