Ransomware Attack Hits Canadian Accounting Firm RSP LLP

Incident Date: September 18, 2024

Overview

Victim: RSP LLP

Attacker: Play

Location: Vaughan, Canada

First Reported: September 18, 2024

RSP LLP Targeted in Ransomware Attack by Play Group

RSP LLP, a prominent Canadian firm of Chartered Professional Accountants and Business Advisors, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. The attack has compromised a significant amount of sensitive data, including client documents, payroll records, and financial information.

About RSP LLP

RSP LLP, based in Vaughan, Ontario, Canada, was founded in 1969 and has established itself as a significant player in the accounting sector. The firm employs approximately 51 individuals and reported an annual revenue of around $11 million. RSP LLP offers a wide range of services, including individual and business tax services, auditing, bookkeeping, and strategic business consulting. The firm is known for its personalized service and innovative approach to accounting and business advisory services, helping clients navigate complex financial landscapes.

Attack Overview

The Play ransomware group has claimed responsibility for the attack on RSP LLP via its dark web leak site. The attackers have compromised a wide array of sensitive data, including private and personal confidential information, client documents, budgetary details, payroll records, accounting files, contracts, tax information, identification documents, and financial data. This breach has significant implications for RSP LLP and its clients, potentially exposing them to further risks and financial losses.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. The group targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. Play ransomware is known for its sophisticated attack methods, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities.

Penetration Methods

Play ransomware employs various methods to gain entry into a network. These include exploiting RDP servers and FortiOS vulnerabilities, using valid accounts, and leveraging Microsoft Exchange vulnerabilities. Once inside, the ransomware executes its code using scheduled tasks and PsExec, and maintains persistence through similar methods. The group also uses tools like Mimikatz for privilege escalation and employs custom tools to enumerate users and computers on a compromised network.
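For defenders, the execution methods named above (PsExec and scheduled tasks) leave traces in standard Windows event logs: event ID 7045 when a service is installed and event ID 4698 when a scheduled task is created. The following is an added example, not code from the original page or from any vendor: the event records are constructed and flattened for illustration, and the writable-path heuristic and the 15-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (flattened), not taken from any real incident.
EVENTS = [
    {"time": "2024-09-18T02:10:05", "host": "FS01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-09-18T02:12:40", "host": "FS01", "id": 4698,
     "TaskName": r"\Updater",
     "TaskContent": r"<Exec><Command>C:\Users\Public\u.exe</Command></Exec>"},
    {"time": "2024-09-18T09:00:00", "host": "WS07", "id": 4698,
     "TaskName": r"\Microsoft\Office\Sync",
     "TaskContent": r"<Exec><Command>C:\Program Files\Office\sync.exe</Command></Exec>"},
    {"time": "2024-09-18T11:30:00", "host": "WS07", "id": 7045,
     "ServiceName": "Spooler2", "ImagePath": r"C:\Windows\System32\sp.exe"},
]

# Assumption: directories any user can write to are suspicious task locations.
WRITABLE = re.compile(r"\\(users\\public|programdata|windows\\temp|appdata)\\", re.I)
COMMAND = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)

def classify(ev):
    """Return a finding label for one event, or None."""
    if ev["id"] == 7045:  # System log: a service was installed
        # Matches PsExec's default service name only; a renamed service is missed.
        if ev["ServiceName"].upper() == "PSEXESVC" or \
           ev["ImagePath"].lower().endswith("psexesvc.exe"):
            return "psexec_service"
    elif ev["id"] == 4698:  # Security log: a scheduled task was created
        m = COMMAND.search(ev.get("TaskContent", ""))
        if m and WRITABLE.search(m.group(1)):
            return "task_from_writable_path"
    return None

def detect(events, window=timedelta(minutes=15)):
    """Label events, then escalate hosts showing both behaviours within `window`."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((datetime.fromisoformat(ev["time"]), ev["host"], label))
    escalated = set()
    for t1, h1, l1 in findings:
        for t2, h2, l2 in findings:
            if h1 == h2 and l1 != l2 and abs(t1 - t2) <= window:
                escalated.add(h1)
    return findings, sorted(escalated)
```

Either finding alone is common in administered environments; the correlation of both on one host within a short window is what the sketch escalates.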

Implications for RSP LLP

RSP LLP's focus on personalized service and its extensive experience in the industry make it a reputable entity within the accounting sector. However, the firm's reliance on sensitive client data and financial information makes it a prime target for ransomware attacks. The breach by the Play ransomware group underscores the importance of advanced cybersecurity measures to protect against such sophisticated threats.
