Ransomware Attack on Gendron & Gendron by Play Ransomware Group

Incident Date:

July 25, 2024

Overview

Title

Ransomware Attack on Gendron & Gendron by Play Ransomware Group

Victim

Gendron & Gendron

Attacker

Play

Location

Lewiston, Maine, USA

First Reported

July 25, 2024

Overview of Gendron & Gendron

Gendron & Gendron, Inc. is a well-established commercial construction company based in Lewiston, Maine. Founded in 1971 by Del Gendron, the company has been a family-run business for three generations. Currently led by John Gendron, the company specializes in a wide range of construction services, including site work, road construction, utility installation, and building erection. They are known for their "turnkey" construction approach, managing projects from inception to completion. Gendron & Gendron has a strong local presence, with approximately 90% of their work concentrated in the Lewiston-Auburn area.

Details of the Ransomware Attack

On July 26, 2024, Gendron & Gendron fell victim to a ransomware attack orchestrated by the Play ransomware group. The attack was announced on Play's dark web leak site. The extent of the data leak remains unknown at this time. The attack has raised concerns about the vulnerabilities in Gendron & Gendron's cybersecurity measures, particularly given their extensive involvement in local infrastructure projects.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022. Initially targeting Latin America, the group has expanded its operations to North America, South America, and Europe. Play ransomware is known for targeting a diverse range of industries, including IT, transportation, construction, and critical infrastructure. The group employs various methods to gain entry into networks, such as exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities.

Penetration Methods

Play ransomware uses a combination of scheduled tasks, PsExec, and Group Policy Objects to execute its code and maintain persistence. The group also utilizes tools like Mimikatz for privilege escalation and employs defense evasion techniques to disable antimalware solutions. Their custom tools, such as Grixba, are used to enumerate users and computers on compromised networks.
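Detection logic for the PsExec and scheduled-task behaviour described above, written as an added example that is not part of the tracker page or of any vendor tooling; the event records, hosts and field names are constructed to resemble Windows System/Security log fields rather than a specific SIEM schema.

```python
"""Flag Play-style lateral movement and persistence in Windows event records.
Added example; SAMPLE_EVENTS is constructed, with IDs following Windows
conventions: 7045 = service installed, 4698 = scheduled task created,
5145 = network share object checked (PsExec drops PSEXESVC.exe via ADMIN$)."""
from typing import Optional

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": 7045, "host": "WS-12", "service": "PSEXESVC",
     "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4698, "host": "WS-12", "task": r"\Update",
     "action": r"C:\Windows\Temp\a.exe"},
    {"id": 7045, "host": "SRV-1", "service": "Spooler",
     "path": r"%SystemRoot%\System32\spoolsv.exe"},
    {"id": 4698, "host": "DC-1", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe"},
    {"id": 5145, "host": "SRV-2", "share": r"\\*\ADMIN$", "target": "PSEXESVC.exe"},
]

# Writable locations commonly used to stage a task's payload; benign tasks
# normally point at System32 or an installed application directory.
SUSPICIOUS_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\perflogs\\")


def classify(event: dict) -> Optional[str]:
    """Return a rule name when the record matches one of the listed TTPs, else None."""
    eid = event.get("id")
    if eid == 7045 and event.get("service", "").upper().startswith("PSEXESVC"):
        return "psexec_service_install"          # PsExec registering its service
    if eid == 5145 and "ADMIN$" in event.get("share", "") \
            and "PSEXESVC" in event.get("target", "").upper():
        return "psexec_binary_dropped"           # service binary copied over ADMIN$
    if eid == 4698:
        action = event.get("action", "").lower()
        if any(d in action for d in SUSPICIOUS_DIRS):
            return "scheduled_task_from_temp_dir"  # persistence via staged payload
    return None


def scan(events: list) -> list:
    """Run every record through classify(); return (host, rule) pairs for hits."""
    return [(e["host"], rule) for e in events if (rule := classify(e))]


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

GPO-driven execution would be caught by the same 4698 rule on each endpoint once the task is created, so it needs no separate clause here.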

Implications for Gendron & Gendron

The attack on Gendron & Gendron highlights the vulnerabilities that even well-established companies can face. Given their significant role in local infrastructure projects, the potential impact of this ransomware attack could be substantial. The company's commitment to quality and community engagement makes this attack particularly concerning, as it could disrupt ongoing projects and damage their reputation.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.