Play attacks CVR Associates

Date:

December 28, 2023

World map

Overview

Title

Play attacks CVR Associates

Victim

CVR Associates

Attacker

Play

Location

Tampa, USA

Tampa, Florida

Size of Attack

Unknown/TBD

First Reported

December 28, 2023

Last Updated

October 31, 2022

The Play ransomware group claimed an attack on CVR Associates. The exfiltrated data includes private and personal confidential information, clients' documents, budget details, IDs, payroll information, tax records, and financial data. CVR Associates provide innovative solutions for the affordable housing industry. They deliver solutions, insights, and ideas tailored to meet their customer-specific needs. Play (aka PlayCrypt) is a RaaS emerged in the summer of 2022 and is noted for having similarities to Hive and Nokoyawa ransomware strains. Play often compromises unpatched Fortinet SSL VPN vulnerabilities to gain access. Play has been observed leveraging Process Hacker, GMER, IOBit and PowerTool to bypass security solutions as well as PowerShell or command script to disable Windows Defender. Play made headlines with high-profile attacks on the City of Oakland, Argentina's Judiciary and German hotel chain H-Hotels, as well as exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS). Play is an evolving RaaS platform known to leverage PowerTool to disable antivirus and other security monitoring solutions and SystemBC RAT for persistence. Play is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT executables and legitimate tools Plink and AnyDesk to maintain persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques. Play also abuses AdFind for command-line queries to collect information from a target’s Active Directory. Play first introduced the intermittent encryption technique for improved evasion capabilities. Play also developed two custom data exfiltration tools - the Grixba information stealer and the open-source VSS management tool AlphaVSS - that improve efficiency in exfiltrating sensitive information on the targeted network, as well as the open-source VSS management tool AlphaVSS. Play has been observed leveraging exploits including ProxyNotShell, OWASSRF and a Microsoft Exchange Server RCE. Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, but have attack outside of that region. Play was observed to be running a worldwide campaign targeting managed service providers (MSPs) in August in an attempt to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks. Play employs tactics similar to both the Hive and Nokoyawa ransomware gangs and engages in double extortion by first exfiltrating victim data with the threat to post it on their “leaks” website.

Oh no!

This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.

8Base attacks YRW Limited
Date
February 7, 2024
Ransomware group
8Base
Location

Tauranga, New Zealand

, New Zealand

Industry
Professional, Scientific & Technical Services
Victim
YRW Limited
8Base attacks YRW Limited
Date
February 7, 2024
Ransomware group
8Base
Location

Tauranga, New Zealand

, New Zealand

Industry
Professional, Scientific & Technical Services
Victim
YRW Limited
LockBit attacks Vimar Equipment
Date
February 7, 2024
Ransomware group
LockBit
Location

Burnaby, Canada

British Colombia, Canada

Industry
Manufacturing
Victim
Vimar Equipment
LockBit attacks Vimar Equipment
Date
February 7, 2024
Ransomware group
LockBit
Location

Burnaby, Canada

British Colombia, Canada

Industry
Manufacturing
Victim
Vimar Equipment
8Base attacks CERALP
Date
February 7, 2024
Ransomware group
8Base
Location

Villefranche sur Saône, France

Rhone, France

Industry
Professional, Scientific & Technical Services
Victim
CERALP
8Base attacks CERALP
Date
February 7, 2024
Ransomware group
8Base
Location

Villefranche sur Saône, France

Rhone, France

Industry
Professional, Scientific & Technical Services
Victim
CERALP
Cactus attacks SPB Globa
Date
February 6, 2024
Ransomware group
Cactus
Location

Huévar del Aljarafe, Spain

Seville, Spain

Industry
Manufacturing
Victim
SPB Global
Cactus attacks SPB Globa
Date
February 6, 2024
Ransomware group
Cactus
Location

Huévar del Aljarafe, Spain

Seville, Spain

Industry
Manufacturing
Victim
SPB Global
Play attacks Virgin Islands Lottery
Date
February 6, 2024
Ransomware group
Play
Location

St Thomas,

,

Industry
Other
Victim
Virgin Islands Lottery
Play attacks Virgin Islands Lottery
Date
February 6, 2024
Ransomware group
Play
Location

St Thomas,

,

Industry
Other
Victim
Virgin Islands Lottery
Black Basta attacks Asecos
Date
February 6, 2024
Ransomware group
BlackBasta
Location

Gründau, Germany

, Germany

Industry
Other
Victim
Asecos
Black Basta attacks Asecos
Date
February 6, 2024
Ransomware group
BlackBasta
Location

Gründau, Germany

, Germany

Industry
Other
Victim
Asecos
LockBit attacks Logtainer
Date
February 5, 2024
Ransomware group
LockBit
Location

Milan, Italy

, Italy

Industry
Transportation & Warehousing
Victim
Logtainer
LockBit attacks Logtainer
Date
February 5, 2024
Ransomware group
LockBit
Location

Milan, Italy

, Italy

Industry
Transportation & Warehousing
Victim
Logtainer
LockBit attacks Portline
Date
February 5, 2024
Ransomware group
LockBit
Location

Lisbon, Portugal

, Portugal

Industry
Transportation & Warehousing
Victim
Portline
LockBit attacks Portline
Date
February 5, 2024
Ransomware group
LockBit
Location

Lisbon, Portugal

, Portugal

Industry
Transportation & Warehousing
Victim
Portline
LockBit attacks TGestiona Logistica Company
Date
February 5, 2024
Ransomware group
LockBit
Location

Sertãozinho Maua, Brazil

, Brazil

Industry
Transportation & Warehousing
Victim
TGestiona Logística Company
LockBit attacks TGestiona Logistica Company
Date
February 5, 2024
Ransomware group
LockBit
Location

Sertãozinho Maua, Brazil

, Brazil

Industry
Transportation & Warehousing
Victim
TGestiona Logística Company
LockBit attacks Prima
Date
February 5, 2024
Ransomware group
LockBit
Location

Fresno,

California,

Industry
Agriculture
Victim
Prima
LockBit attacks Prima
Date
February 5, 2024
Ransomware group
LockBit
Location

Fresno,

California,

Industry
Agriculture
Victim
Prima