Ransomware Attack on GridSME Highlights Energy Sector Vulnerabilities
Incident Date:
August 21, 2024
Overview
Title
Ransomware Attack on GridSME Highlights Energy Sector Vulnerabilities
Victim
Grid Subject Matter Experts
Attacker
Play
Location
First Reported
August 21, 2024
Ransomware Attack on Grid Subject Matter Experts by Play Ransomware Group
Grid Subject Matter Experts (GridSME), a company in the Energy, Utilities & Waste sector, has been hit by a ransomware attack attributed to the Play ransomware group. The attack was first identified on August 21, 2024, and stolen files were published on the group's dark web leak site on August 26, 2024. Because GridSME's clients are grid operators, the incident raises concerns about the exposure of service providers that support critical infrastructure in the energy sector.
About Grid Subject Matter Experts
GridSME, headquartered in Folsom, California, specializes in providing comprehensive solutions for the energy sector. The company focuses on integrating facilities into modern power grids, offering services in engineering, cybersecurity, compliance, and operations. With a team of registered professional engineers and seasoned experts, GridSME assists clients in navigating the complexities of the evolving energy landscape. The company employs approximately 59 individuals and reported an annual revenue of around $6.8 million.
What Makes GridSME Stand Out
GridSME is known for tailored engineering solutions that address the specific challenges faced by clients in the energy sector. Its cybersecurity team provides solutions intended to improve project reliability and reduce risk. The company also offers compliance support to help clients meet regulatory standards set by bodies such as the North American Electric Reliability Corporation (NERC) and the Electric Reliability Council of Texas (ERCOT). This combination of engineering, security, and compliance expertise positions GridSME as a trusted partner in the energy sector.
Vulnerabilities and Attack Overview
The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has targeted a range of industries, including critical infrastructure. The group is known to gain initial access through exposed RDP services and known vulnerabilities in FortiOS and Microsoft Exchange, among others, as well as through valid accounts. In GridSME's case the initial access vector has not been disclosed; the group's usual entry points are exploitation of known vulnerabilities in exposed services or the use of valid credentials.
Once inside a network, Play operators typically use scheduled tasks and PsExec for execution and persistence, run Mimikatz to escalate privileges and harvest credentials, and disable antimalware products to evade detection before deploying the ransomware. The leak-site post about GridSME had received 550 views at the time of writing, a sign of interest in the stolen data and of the likelihood that it will be reused in follow-on fraud or intrusions.
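Each of the post-exploitation behaviours described above (PsExec, scheduled tasks, credential dumping from LSASS, disabling antimalware) leaves a distinct trace in Windows telemetry, so a defender can hunt for the chain retroactively rather than only for the final encryption. The following is an added example, not code from the original page or from GridSME or the tracker site: a small Python detector run over constructed event records with hypothetical host names, account names and paths. The event IDs used are the standard ones (System 7045 for a service install, Security 4698 for scheduled task creation, Sysmon event 10 for process access to lsass.exe, Microsoft Defender 5001 for real-time protection being disabled); the normalised Event shape, the rules and the per-host correlation are this example's own design, not any product's schema.

```python
"""Hunt for Play-style post-exploitation behaviour in Windows event records.

Added example with constructed sample events; nothing here is telemetry from
the GridSME incident. Event IDs are real Windows/Sysmon/Defender IDs; host
names, account names and file paths are hypothetical."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    """Minimal normalised event, the shape a SIEM hands to a detection rule."""
    host: str
    channel: str        # "System", "Security", "Sysmon" or "Defender"
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # PsExec copies its service binary to the target and starts it: System 7045.
    Event("fileserver01", "System", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # Scheduled task created for persistence: Security 4698.
    Event("fileserver01", "Security", 4698,
          {"SubjectUserName": "svc_backup", "TaskName": r"\Updater",
           "TaskContent": r"<Command>C:\ProgramData\up.exe</Command>"}),
    # Credential dumping: Sysmon 10, a non-system binary opening lsass.exe
    # with PROCESS_VM_READ (0x10) set in GrantedAccess.
    Event("fileserver01", "Sysmon", 10,
          {"SourceImage": r"C:\Users\Public\m.exe",
           "TargetImage": r"C:\Windows\System32\lsass.exe",
           "GrantedAccess": "0x1010"}),
    # Defender real-time protection turned off: Defender operational 5001.
    Event("fileserver01", "Defender", 5001),
    # Benign noise: an OS-created Windows Update task on another host.
    Event("ws042", "Security", 4698,
          {"SubjectUserName": "SYSTEM",
           "TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
           "TaskContent": r"<Command>%SystemRoot%\system32\usoclient.exe</Command>"}),
]

# Directories an attacker can write to without admin rights; tune per estate.
WRITABLE_PATH = re.compile(r"(?i)\\(ProgramData|Users\\Public|Temp|AppData)\\")


def rule_psexec_service(e):
    """System 7045 whose service name or binary is PsExec's PSEXESVC."""
    if e.channel == "System" and e.event_id == 7045:
        name = e.fields.get("ServiceName", "").upper()
        path = e.fields.get("ImagePath", "").upper()
        if name.startswith("PSEXESVC") or "PSEXESVC" in path:
            return "PsExec service installed (remote execution / lateral movement)"
    return None


def rule_sched_task(e):
    """Security 4698 for a task outside the OS task folders that runs a
    binary from a user-writable directory."""
    if e.channel == "Security" and e.event_id == 4698:
        task = e.fields.get("TaskName", "")
        if not task.startswith(r"\Microsoft\Windows") and WRITABLE_PATH.search(
                e.fields.get("TaskContent", "")):
            return "Scheduled task running from user-writable path (persistence)"
    return None


def rule_lsass_access(e):
    """Sysmon 10 where a process requests memory-read access to lsass.exe."""
    if e.channel == "Sysmon" and e.event_id == 10:
        target = e.fields.get("TargetImage", "").lower()
        granted = int(e.fields.get("GrantedAccess", "0"), 16)
        if target.endswith("\\lsass.exe") and granted & 0x10:  # PROCESS_VM_READ
            return "Process reading lsass memory (credential dumping)"
    return None


def rule_defender_disabled(e):
    """Defender 5001: real-time protection was disabled."""
    if e.channel == "Defender" and e.event_id == 5001:
        return "Defender real-time protection disabled (defence evasion)"
    return None


RULES = [rule_psexec_service, rule_sched_task, rule_lsass_access, rule_defender_disabled]


def run_detections(events):
    """Return (host, event_id, description) for every rule that fires."""
    hits = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((e.host, e.event_id, msg))
    return hits


def hosts_with_chain(events, min_distinct=3):
    """Hosts on which at least min_distinct different rules fired. One PsExec
    service or one new task is routine in many estates; several of these
    stages on the same host is the pattern described in the text."""
    per_host = {}
    for host, _, msg in run_detections(events):
        per_host.setdefault(host, set()).add(msg)
    return sorted(h for h, msgs in per_host.items() if len(msgs) >= min_distinct)


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
    print("hosts showing a multi-stage chain:", hosts_with_chain(SAMPLE_EVENTS))
```

Any single rule here fires on legitimate administration too (PsExec is a common sysadmin tool, and scheduled tasks are created constantly), which is why the value is in the per-host correlation rather than in the individual alerts. In a real deployment the path allow-list, the set of accounts permitted to install services, and the time window for correlation all need tuning to the environment.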
About Play Ransomware Group
The Play ransomware group is unusual in that its ransom notes contain neither an initial ransom demand nor payment instructions; victims are instead told to contact the operators by email. The group has claimed more than 300 victims across North America, South America, and Europe, and uses its dark web data leak site to publish information about attacks and to release stolen data from victims who do not pay.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware has become the most ubiquitous, and the most financially and informationally damaging, cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.