Play Ransomware Group Targets Mönsterås Metall AB in Major Cyber Attack

Incident Date: June 13, 2024

Overview

Victim: Mönsterås Metall AB

Attacker: Play

Location: Mönsterås, Sweden

First Reported: June 13, 2024

Ransomware Attack on Mönsterås Metall AB by Play Group

Overview of Mönsterås Metall AB

Mönsterås Metall AB, founded in 1955 and based in Mönsterås, Sweden, is a prominent player in the manufacturing sector, specializing in aluminum casting and machining. The company employs advanced techniques such as sand casting, die casting, high-pressure die casting, and plaster casting. With ISO 9001 and ISO 14001 certifications, Mönsterås Metall is committed to quality and environmental management. The company serves a diverse clientele, from small businesses to large international brands, and emphasizes continuous improvement and lean principles.

Details of the Ransomware Attack

On June 13, 2024, Mönsterås Metall AB fell victim to a ransomware attack orchestrated by the Play ransomware group. The attack was disclosed on Play's dark web leak site, although the exact size of the data breach remains unknown. The attack has raised significant concerns about the vulnerabilities in the company's cybersecurity infrastructure.

About the Play Ransomware Group

The Play ransomware group, operated by Ransom House, is known for its sophisticated attacks targeting Linux systems. Initially linked to the Babuk code, Play ransomware has evolved to deploy cryptographic lockers. The group is notorious for its unique verbose ransom notes and the use of various hack tools and utilities to penetrate systems. Play ransomware's focus on Linux environments and its advanced encryption methods make it a formidable threat in the cybercrime landscape.

Potential Vulnerabilities and Penetration Methods

Mönsterås Metall AB's reliance on advanced machinery and software for metalworking processes may have exposed vulnerabilities that the Play group exploited. The ransomware actors likely gained initial access through phishing or by exploiting unpatched software vulnerabilities. Once inside, they could have used tools like AnyDesk, NetCat, and encoded PowerShell Empire scripts to escalate privileges and deploy the ransomware.
