The Play ransomware gang has attacked MUJI Europe Holdings Limited. MUJI, short for Mujirushi Ryohin, is a Japanese retail company founded in 1980. The name "MUJI" translates to "no brand quality goods" in English, reflecting the company's philosophy of simplicity, minimalism, and functionality. MUJI Europe Holdings Limited is the European branch of the organization.

Play posted MUJI Europe Holdings Limited to its data leak site on July 7th, claiming to have stolen private and personal confidential data, client and employee documents, passports, contracts, and financial data.

Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT for persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins).

Play is an evolving RaaS platform known to exploit a known Exchange vulnerability (CVE-2022-41080, patched by Microsoft in November 2022) that allows them to leverage a second vulnerability with a ProxyNotShell exploit (CVE-2022-41082) even if a patch had been applied, which then allows the attackers to execute code on the systems remotely. Play leverages PowerTool to disable antivirus tools and security monitoring solutions.

Play employs tactics similar to both Hive and Nokoyawa ransomware and also attempts double extortion by first exfiltrating victim data with the threat to post it on their leak website. There is little information on how much Play demands for a ransom, but they have made good on their threats to leak the data of those who refuse payment.