Play attacks Cambridge Group of Clubs
Incident Date:
June 28, 2023
Overview
Title
Play attacks Cambridge Group of Clubs
Victim
Cambridge Group of Clubs
Attacker
Play
Location
First Reported
June 28, 2023
The Play Ransomware Gang's Latest Target: The Cambridge Group of Clubs
The Play ransomware gang has attacked the Cambridge Group of Clubs. The Cambridge Group of Clubs is a trio of health clubs located in Toronto's financial district. Play posted the Cambridge Group of Clubs to its data leak site on June 28th, threatening to publish all stolen data by July 3rd if the organization fails to pay an unspecified ransom.
Background on Play Ransomware
Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT for persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques. Play continued to increase attacks through the end of 2022 and into 2023.
Ransom Demands and Consequences
There is little information on how much Play demands for a ransom, but they have made good on their threats to leak the data of those who refuse payment.
Technical Insights
Play is an evolving RaaS platform known to exploit a known Exchange vulnerability (CVE-2022-41080 - patched by Microsoft in November of 2022) that allows them to leverage a second vulnerability with a ProxyNotShell exploit (CVE-2022-41082) even if a patch had been applied, which then allows the attackers to execute code on the systems remotely. Play leverages PowerTool to disable antivirus tools and security monitoring solutions.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.