German Department Store Group KaDeWe Hit by Ransomware Attack

German department store group KaDeWe was targeted in an attack by the ransomware collective Play. The company released a statement saying that credit card payment systems remained secure throughout the attack. However, it is still working to determine if customer information systems have been breached. KaDeWe Group operates three luxury department stores in Germany, including KaDeWe in Berlin, Alsterhaus in Hamburg, and Oberpollinger in Munich.

About Play Ransomware

Play (aka PlayCrypt) is a Ransomware-as-a-Service (RaaS) that emerged in the summer of 2022 and is noted for having similarities to Hive and Nokoyawa ransomware strains. Play often compromises unpatched Fortinet SSL VPN vulnerabilities to gain access. The group has been observed leveraging tools such as Process Hacker, GMER, IOBit, and PowerTool to bypass security solutions, as well as using PowerShell or command script to disable Windows Defender.

Notable Attacks and Techniques

Play made headlines with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels, as well as exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS). The ransomware gang is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT executables and legitimate tools such as Plink and AnyDesk to maintain persistence. Additionally, Play employs Mimikatz and living-off-the-land binaries (LOLBins) techniques, and abuses AdFind for command-line queries to collect information from a target’s Active Directory.

Play introduced the intermittent encryption technique for improved evasion capabilities and developed two custom data exfiltration tools - the Grixba information stealer and the open-source VSS management tool AlphaVSS. The gang has been observed leveraging exploits including ProxyNotShell, OWASSRF, and a Microsoft Exchange Server RCE.

Global Impact and Tactics

While Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, they have also targeted entities outside of that region. In August, Play was observed running a worldwide campaign targeting managed service providers (MSPs) in an attempt to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks. Play employs tactics similar to both the Hive and Nokoyawa ransomware gangs and engages in double extortion by first exfiltrating victim data with the threat to post it on their “leaks” website.