Ransomware Attack Hits Messe C by Notorious Play Ransomware Group

Incident Date: September 20, 2024

Overview

Title: Ransomware Attack Hits Messe C by Notorious Play Ransomware Group

Victim: Messe C

Attacker: Play

Location: Fredericia, Denmark

First Reported: September 20, 2024

Ransomware Attack on Messe C by Play Ransomware Group

Messe C, a premier venue for conferences, exhibitions, and various events located in Fredericia, Denmark, has recently fallen victim to a ransomware attack orchestrated by the notorious Play ransomware group. The attack was publicly claimed by Play on their dark web leak site, indicating a targeted and deliberate assault on Messe C's systems.

About Messe C

Messe C is a historic and strategically located exhibition center in Denmark, boasting over a century of experience in event management. The venue spans 33,000 square meters and includes four halls capable of accommodating up to 10,000 diners, along with multiple meeting rooms for smaller gatherings. Messe C is known for its exceptional service and ability to create unique experiences tailored to the specific needs of its clients. The center is easily accessible, with 80% of the Danish population able to reach it within two hours by public transport or car.

Attack Overview

The specifics of the attack, including the methods of infiltration and the extent of the data compromised, have not been disclosed. However, the acknowledgment by Play suggests a sophisticated operation aimed at extracting ransom through the encryption of critical data. Messe C's reliance on digital infrastructure for event management and client services may have made it a vulnerable target for such an attack.

About Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. Play targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure.

Distinguishing Features of Play Ransomware

Play ransomware distinguishes itself by using various methods to gain entry into networks, such as exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. The group employs tools like Mimikatz to dump credentials for privilege escalation and uses custom tools to enumerate users and computers on compromised networks. Unlike typical ransomware groups, Play does not include an initial ransom demand or payment instructions in its ransom notes, directing victims to contact them via email instead.

Potential Penetration Methods

Play ransomware could have penetrated Messe C's systems through several vectors, including exploiting known vulnerabilities in RDP servers or Microsoft Exchange, using valid accounts obtained through phishing or other means, or leveraging custom tools to bypass security measures. The group's sophisticated tactics and techniques make it a formidable threat to organizations with significant digital infrastructure.
