Play attacks Hill International

Incident Date:

June 23, 2023

World map



Play attacks Hill International


Hill International




Mount Laurel, USA

New Jersey, USA

First Reported

June 23, 2023

The Play Ransomware Gang's Attack on Hill International

The Play ransomware gang has attacked Hill International. Hill International is an American construction consulting company. It was founded in 1976 and is headquartered In Philadelphia. Play published Hill International to its data leak site on June 23rd, claiming to have stolen confidential data, client and employee documents, financial data, technical documents, passports, IDs, taxes, and more.

Background on Play Ransomware

Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT for persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques.

Technical Details of the Attack

Play is an evolving RaaS platform known to exploit a known Exchange vulnerability (CVE-2022-41080 - patched by Microsoft in November of 2022) that allows them to leverage a second vulnerability with a ProxyNotShell exploit (CVE-2022-41082) even if a patch had been applied, which then allows the attackers to execute code on the systems remotely. Play leverages PowerTool to disable antivirus tools and security monitoring solutions.

Tactics and Extortion Methods

Play employs tactics similar to both Hive and Nokoyawa ransomware and also attempts double extortion by first exfiltrating victim data with the threat to post it on their leaks website.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.