Ransomware Attack on Congoleum: Data Breach by Play Group

Incident Date:

July 23, 2024


Overview

Title

Ransomware Attack on Congoleum: Data Breach by Play Group

Victim

Congoleum Corporation

Attacker

Play

Location

Trenton, New Jersey, USA

First Reported

July 23, 2024

Ransomware Attack on Congoleum Corporation by Play Ransomware Group

Overview of Congoleum Corporation

Congoleum Corporation, founded in 1886 and headquartered in Mercerville, New Jersey, is a prominent manufacturer of residential and commercial flooring products. The company is known for its innovative designs and extensive product offerings, including over 1,000 combinations of designs and colorations. Congoleum employs approximately 197 individuals and reported an annual revenue of around $106.3 million in 2023. Despite its historical challenges related to asbestos litigation, Congoleum has focused on developing eco-friendly and modern flooring solutions.

Details of the Ransomware Attack

Congoleum was listed as a victim by the Play ransomware group. According to the group's claims, the attackers compromised the company's network and exfiltrated a large volume of sensitive data, including private and personal confidential information, client documents, budget details, payroll records, accounting files, contracts, tax documents, identity documents, and financial information. A portion of this data has already been published on the group's leak site, with download links provided, and the group has threatened to release the full dataset if its demands are not met. Note that the scope of the breach described here reflects the attacker's own claims rather than a confirmed statement from Congoleum; the listing itself, rather than any technical detail of the intrusion, is what has been reported.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022. Initially targeting organizations in Latin America, the group has expanded its operations to North America, South America, and Europe, and it targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. Its documented initial access methods are abuse of valid accounts, exposed RDP services, and exploitation of known vulnerabilities in FortiOS and Microsoft Exchange (the ProxyNotShell chain), as described in the joint CISA/FBI advisory on Play ransomware. Once inside, the operators use Mimikatz for credential theft and privilege escalation, custom tooling for network enumeration, and ordinary compression and file-transfer utilities to stage and exfiltrate data before encrypting systems. The group runs a double-extortion model: stolen data is published on its leak site when a victim does not pay.

Potential Vulnerabilities and Penetration Methods

No public technical details of the initial access vector at Congoleum are available, so the following is based on Play's documented tradecraft rather than on evidence from this incident. Play commonly gains entry through exposed or unpatched RDP and VPN services and through reused or illicitly acquired valid accounts, including VPN credentials. Once inside, the operators disable antimalware and monitoring agents with utility tools, execute payloads and move laterally with PsExec, and maintain persistence with scheduled tasks. For a defender, the practical checks that follow from this tradecraft are: inventory and patch internet-facing RDP, VPN, FortiOS and Exchange systems; enforce multi-factor authentication on VPN and other remote-access accounts; alert on new service installations (PsExec drops a PSEXESVC service on each target), on newly created scheduled tasks, and on tampering with EDR or antivirus agents; and keep offline, tested backups so that encryption alone does not force a payment.
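As an added detection example (not code from the RRA site or from any Play-related tooling), the following Python script runs three rules over constructed Windows event records that correspond to the Play techniques described in the two sections above: RDP logons (Security Event 4624, logon type 10) from outside the private address ranges, installation of the PSEXESVC service that PsExec drops on a target (System Event 7045), and scheduled-task creation (Security Event 4698) whose command runs from a user-writable directory. Hits on two or more distinct techniques on one host inside a one-hour window are escalated. The host names, user names, addresses and the flat JSON-per-line log layout are assumptions made for the example; real EVTX or SIEM exports carry the same fields under different layouts.

```python
"""Detection rules for Play ransomware tradecraft named on the page:
PsExec service installs (Event 7045), scheduled-task persistence
(Event 4698) and external RDP logons (Event 4624, logon type 10).
Added example; the log records below are constructed samples."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts/users). Fields mirror
# Windows Security/System event data, flattened to one JSON object per line.
SAMPLE_LOG = r"""
{"ts":"2024-07-20T02:10:05","host":"FS01","id":4624,"LogonType":10,"TargetUserName":"svc_backup","IpAddress":"203.0.113.45"}
{"ts":"2024-07-20T02:11:30","host":"FS01","id":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2024-07-20T02:12:02","host":"FS01","id":4698,"TaskName":"\\Updater","Command":"C:\\Users\\Public\\u.exe"}
{"ts":"2024-07-20T09:00:00","host":"WS17","id":4624,"LogonType":10,"TargetUserName":"jdoe","IpAddress":"10.20.30.40"}
{"ts":"2024-07-20T09:05:00","host":"WS17","id":4698,"TaskName":"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Command":"%windir%\\system32\\defrag.exe"}
{"ts":"2024-07-20T11:00:00","host":"DC01","id":7045,"ServiceName":"Sysmon64","ImagePath":"C:\\Windows\\Sysmon64.exe"}
"""

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Directories a legitimate scheduled task rarely runs from but droppers often do.
SUSPICIOUS_TASK_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def is_internal(ip):
    """True for RFC 1918 sources; a missing or malformed address is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL)


def classify(ev):
    """Return (technique, detail) when an event matches one of the rules, else None."""
    eid = ev.get("id")
    if eid == 7045 and "psexesvc" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower():
        return ("psexec_service", ev.get("ServiceName"))
    if eid == 4698:
        cmd = ev.get("Command", "").lower()
        if any(d in cmd for d in SUSPICIOUS_TASK_DIRS):
            return ("suspicious_scheduled_task", ev.get("TaskName"))
    if eid == 4624 and ev.get("LogonType") == 10 and not is_internal(ev.get("IpAddress", "")):
        return ("external_rdp_logon", ev.get("TargetUserName"))
    return None


def parse_log(text):
    """Parse the JSON-per-line sample format into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(text, window=timedelta(hours=1)):
    """Apply the rules per host and escalate hosts showing two or more techniques within `window`."""
    hits = defaultdict(list)
    for ev in parse_log(text):
        match = classify(ev)
        if match:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), *match))
    escalations = []
    for host, events in hits.items():
        events.sort()  # chronological, so each window starts at an actual hit
        for i, (t0, *_) in enumerate(events):
            techniques = {tech for t, tech, _ in events[i:] if t - t0 <= window}
            if len(techniques) >= 2:
                escalations.append((host, sorted(techniques)))
                break
    return dict(hits), escalations


if __name__ == "__main__":
    found, escalated = detect(SAMPLE_LOG)
    for host, events in found.items():
        for t, tech, detail in events:
            print(f"{t.isoformat()} {host} {tech}: {detail}")
    for host, techs in escalated:
        print(f"ESCALATE {host}: {', '.join(techs)}")
```

Run as a script it prints the three hits on FS01 and escalates that host, while the routine RDP logon from an internal address and the built-in defrag task on WS17 produce nothing. In a real deployment the rules would run against forwarded Security and System channels, and the external-RDP rule should be tuned with the organisation's known remote-access gateway addresses so that legitimate jump hosts do not alert.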

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them, and their victims. Given the lucrative success threat actors have had so far, ransomware has become the most widespread and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site's data is derived from the leak-site postings of real-world threat actors and from a handful of other trackers. While sanitization efforts have been made, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.