Noble Environmental Hit by Play Ransomware Compromising Data

Incident Date: September 20, 2024


Overview


Victim: Noble Environmental

Attacker: Play

Location: Belle Vernon, USA; Pennsylvania, USA

First Reported: September 20, 2024

Ransomware Attack on Noble Environmental by Play Ransomware Group

Noble Environmental, an innovative environmental services company based in Pittsburgh, Pennsylvania, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. This breach has compromised a wide array of sensitive data, posing significant risks to both the organization and its clients.

About Noble Environmental

Founded in 2016, Noble Environmental specializes in sustainable waste management and renewable energy solutions. The company has rapidly grown to become a significant player in the greater Pittsburgh area, focusing on transforming waste into renewable natural gas (RNG). This RNG is utilized to power vehicles, showcasing Noble's commitment to environmental stewardship and community investment. The company employs between 100 and 249 individuals and generates an estimated annual revenue of $10 million to $25 million.

What Makes Noble Environmental Stand Out

Noble Environmental is known for its innovative technologies and practices in waste management. A key aspect of their operations is the partnership with local landfills, particularly the Westmoreland Sanitary Landfill, where they capture landfill gas and convert it into RNG. This process not only reduces greenhouse gas emissions but also provides a sustainable energy source. The company actively engages in initiatives that promote sustainability within the communities it serves, such as awarding $100,000 in "Green Gifts" to local organizations focused on environmental sustainability.

Attack Overview

The Play ransomware group has claimed responsibility for the attack on Noble Environmental via their dark web leak site. The breach has compromised sensitive data, including private and personal confidential information, client documents, budgetary details, payroll records, accounting files, contracts, tax information, identification documents, and financial data. The extent of the data exfiltration underscores the severity of the attack.

About Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focused on Latin America, the group has expanded its operations to North America, South America, and Europe. They target a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group uses various methods to gain entry into networks, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities.

Penetration Methods

Play ransomware employs sophisticated techniques to penetrate systems. They use scheduled tasks and PsExec for execution and persistence, and tools like Mimikatz for privilege escalation. The group also employs custom tools to enumerate users and computers on compromised networks and copy files from the Volume Shadow Copy Service. Their ability to disable antimalware and monitoring solutions further distinguishes them in the ransomware landscape.
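As an added example (not part of the original report and not any vendor's tooling), the sketch below shows how a defender could triage Windows event data for the behaviours listed above and flag hosts where several of them co-occur. The events are constructed, and the flattened field names and channel labels are assumptions about how a log pipeline exports them.

```python
from collections import defaultdict

# Constructed events, not data from this incident. Field and channel names are
# assumptions: Windows/Sysmon records flattened to dicts by a log pipeline.
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "System", "event_id": 7045, "service_name": "PSEXESVC"},
    {"host": "FS01", "channel": "Security", "event_id": 4698,
     "command": r"C:\Users\Public\u.exe"},
    {"host": "FS01", "channel": "Sysmon", "event_id": 10,
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"host": "WS07", "channel": "Security", "event_id": 4698,
     "command": r"C:\Program Files\Vendor\bk.exe"},
    {"host": "DC02", "channel": "Sysmon", "event_id": 1,
     "command_line": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Data\r.xlsx C:\t"},
    {"host": "DC02", "channel": "Defender", "event_id": 5001},
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def classify(ev):
    """Map one event to a behaviour named in the paragraph above, or None."""
    key = (ev.get("channel"), ev.get("event_id"))  # IDs are only unique per channel
    if key == ("System", 7045) and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service_install"          # default PsExec service name
    if key == ("Security", 4698) and ev.get("command", "").lower().startswith(USER_WRITABLE):
        return "task_from_user_writable_path"    # scheduled task created
    if key == ("Sysmon", 10) and ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return "lsass_process_access"            # needs an allow-list in production
    if key == ("Sysmon", 1) and "harddiskvolumeshadowcopy" in ev.get("command_line", "").lower():
        return "shadow_copy_file_access"
    if key == ("Defender", 5001):
        return "defender_realtime_protection_disabled"
    return None

def hosts_with_chain(events, min_behaviours=2):
    """Return hosts showing at least min_behaviours distinct behaviours."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= min_behaviours}

if __name__ == "__main__":
    for host, behaviours in hosts_with_chain(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Any single rule here fires on legitimate administration; requiring two or more distinct behaviours on one host is what keeps the output reviewable.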
