Ransomware Attack on Congoleum: Data Breach by Play Group
Incident Date: July 23, 2024
Overview
Title: Ransomware Attack on Congoleum: Data Breach by Play Group
Victim: Congoleum Corporation
Attacker: Play
Location:
First Reported: July 23, 2024
Ransomware Attack on Congoleum Corporation by Play Ransomware Group
Overview of Congoleum Corporation
Congoleum Corporation, founded in 1886 and headquartered in Mercerville, New Jersey, is a prominent manufacturer of residential and commercial flooring products. The company is known for its innovative designs and extensive product offerings, including over 1,000 combinations of designs and colorations. Congoleum employs approximately 197 individuals and reported an annual revenue of around $106.3 million in 2023. Despite its historical challenges related to asbestos litigation, Congoleum has focused on developing eco-friendly and modern flooring solutions.
Details of the Ransomware Attack
Congoleum recently fell victim to a ransomware attack carried out by the Play ransomware group. The attackers compromised and exfiltrated a significant amount of sensitive data, including private and confidential personal information, client documents, budget details, payroll records, accounting files, contracts, tax documents, IDs, and financial information. A portion of this data has already been published online, together with a threat to release the full dataset if demands are not met. The attackers have posted download links for the stolen data, escalating the pressure on Congoleum to respond.
About the Play Ransomware Group
The Play ransomware group, also known as PlayCrypt, has been active since June 2022. Initially targeting Latin America, the group has expanded its operations to North America, South America, and Europe. Play ransomware is known for targeting a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group employs various methods to gain entry into networks, such as exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. They use tools like Mimikatz for privilege escalation and custom tools for network enumeration and data exfiltration.
Potential Vulnerabilities and Penetration Methods
The report does not state how Play gained access to Congoleum's network; weaknesses consistent with the group's known tradecraft include exposed or unpatched RDP servers and outdated software. The group is also known to use valid accounts, including VPN accounts, which may have been reused or illicitly acquired. Additionally, the group's use of tools to disable antimalware and monitoring solutions could have facilitated the attack. Play's known reliance on scheduled tasks and PsExec for persistence further underscores the need for layered defensive controls rather than perimeter patching alone.
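As an added defensive illustration, not part of the RRA report and not based on any telemetry from this incident, the following Python triage routine flags the tradecraft described above in constructed Windows event records: PsExec's PSEXESVC service install (System event 7045), scheduled task creation outside the vendor namespace (Security event 4698) and Defender real-time protection being disabled (Defender/Operational event 5001). Host names, user names and file paths are constructed sample values.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample event records (a flattened view of Windows event logs);
# these are illustrative only, not telemetry from the Congoleum incident.
SAMPLE_EVENTS: List[Dict] = [
    {"host": "FS01", "channel": "System", "id": 7045, "user": "CORP\\svc_backup",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "FS01", "channel": "Security", "id": 4698, "user": "CORP\\svc_backup",
     "TaskName": "\\Updater", "Command": "C:\\Windows\\Temp\\upd.exe"},
    {"host": "FS01", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "id": 5001, "user": "CORP\\svc_backup"},
    {"host": "WS22", "channel": "Security", "id": 4698, "user": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe"},
]

# Scheduled tasks under this prefix are vendor-managed and treated as benign here.
BENIGN_TASK_PREFIX = "\\Microsoft\\Windows\\"


def triage(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (host, technique, detail) for events matching the Play-style
    tradecraft named in the report: PsExec persistence/lateral movement,
    non-standard scheduled task creation, and disabling antimalware."""
    findings = []
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 7045 and "PSEXESVC" in e.get("ServiceName", "").upper():
            # System 7045: a service was installed; PSEXESVC is PsExec's helper service.
            findings.append((host, "psexec_service_install", e["ImagePath"]))
        elif eid == 4698 and not e.get("TaskName", "").startswith(BENIGN_TASK_PREFIX):
            # Security 4698: a scheduled task was created outside the vendor namespace.
            findings.append((host, "scheduled_task_persistence", e["TaskName"]))
        elif eid == 5001:
            # Defender/Operational 5001: real-time protection was disabled.
            findings.append((host, "antimalware_disabled", e["user"]))
    return findings


def prioritize(findings: List[Tuple[str, str, str]], min_techniques: int = 2) -> List[str]:
    """Hosts where several distinct techniques co-occur outrank single hits."""
    techniques = defaultdict(set)
    for host, technique, _ in findings:
        techniques[host].add(technique)
    return sorted(h for h, t in techniques.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", prioritize(hits))
```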
Sources
Recent Ransomware Attacks