Multidata Hit by Play Ransomware Group: Data Breach Analysis

Incident Date: September 18, 2024

Overview

Victim: Multidata

Attacker: Play

Location: Weiswampach, Luxembourg

First Reported: September 18, 2024

Ransomware Attack on Multidata by Play Group: A Detailed Analysis

Multidata, operating under the name MDS Property Management Software, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. This breach has resulted in the unauthorized access and potential exfiltration of a wide array of sensitive data, significantly impacting the company's operational and financial integrity.

About Multidata

Multidata specializes in providing comprehensive property management solutions tailored specifically for the New York real estate market. With over 25 years of experience, the company has developed a software platform that integrates various functionalities essential for managing residential, commercial, cooperative, and homeowner association properties. Their core offerings include a fully integrated resident management system, accounts payable, and a general ledger system designed to meet the unique needs of property managers in New York. The platform supports automated check and invoice scanning, document management, and web-based approvals, significantly streamlining operations and reducing manual errors.

Multidata's commitment to customer satisfaction is evident in its high retention rate, attributed to personalized service and ongoing support. The company provides comprehensive training programs and dedicated support teams familiar with the specific challenges faced by New York property managers. Additionally, the platform includes real-time business intelligence and customizable reporting tools, enabling executives and property managers to make informed decisions based on accurate data analysis.

Attack Overview

The Play ransomware group, also known as PlayCrypt, has claimed responsibility for the attack on Multidata. The breach has resulted in the unauthorized access and potential exfiltration of sensitive data, including private and personal confidential data, client documents, budgetary details, payroll records, accounting files, contracts, tax documents, identification information, and financial data. The extent of the data breach underscores the severity of the attack, impacting both the operational and financial integrity of Multidata.

About the Play Ransomware Group

The Play ransomware group has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focused on Latin America, the group has expanded its operations to North America, South America, and Europe. The group targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. Play ransomware uses various methods to gain entry into a network, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. The group employs tools such as Process Hacker, GMER, and IObit to disable antimalware and monitoring solutions.

Penetration and Impact

The Play ransomware group likely penetrated Multidata's systems through vulnerabilities in their network infrastructure. The group uses custom tools to enumerate all users and computers on a compromised network and copy files from the Volume Shadow Copy Service (VSS). The attack has significantly impacted Multidata, compromising sensitive data and potentially disrupting their operations. The breach highlights the importance of cybersecurity measures and the need for constant vigilance against evolving cyber threats.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.