Ransomware Attack on Visa Lighting: A Cybersecurity Breach in the Architectural Lighting Industry

Incident Date:

May 22, 2024

Overview

Title

Ransomware Attack on Visa Lighting: A Cybersecurity Breach in the Architectural Lighting Industry

Victim

Visa Lighting

Attacker

Play

Location

Milwaukee, Wisconsin, USA

First Reported

May 22, 2024

Play Ransomware Attack on Visa Lighting

Overview of the Attack

Visa Lighting, a US manufacturer of architectural lighting, was listed as a victim by the Play ransomware group on May 22, 2024. According to the group's leak-site post, the attackers gained access to the company's systems and took data before encrypting it, including client documents, budget details, payroll information, accounting records, contracts, tax documents and personal identification information. Beyond the operational disruption of encrypted systems, the exposure of payroll and identity data creates downstream risk for employees and customers even if systems are restored from backup.

About Visa Lighting

Founded nearly a century ago and headquartered in Milwaukee, Wisconsin, Visa Lighting is a renowned manufacturer known for its high-quality, innovative architectural lighting products. The company focuses on creating energy-efficient and sustainable lighting solutions for various indoor and outdoor applications. Their product range includes LED fixtures, decorative pendants, wall sconces, and recessed lighting. Visa Lighting’s commitment to sustainability and its "Made in America" ethos significantly contribute to its distinguished reputation in the industry.

Company Profile

Visa Lighting stands as a significant player in the architectural lighting industry, boasting a substantial market presence and a strong reputation. While specific revenue figures and employee counts remain undisclosed, the company's extensive history and influence suggest a robust operational scale. Visa Lighting's emphasis on innovative design and environmentally friendly manufacturing practices further distinguishes it in its field.

Details of the Ransomware Attack

The Play ransomware group, which surfaced in mid-2022, primarily targets Windows environments; a Linux variant aimed at VMware ESXi hosts was later observed. The group runs a double-extortion model: it exfiltrates data before encrypting it, then pressures victims to pay by threatening to publish the stolen files on its leak site if demands are unmet. Public reporting on the Visa Lighting incident has not disclosed the initial-access vector. Play's documented pattern is exploitation of known vulnerabilities in public-facing applications (FortiOS SSL VPN and Microsoft Exchange are the best-known examples) and abuse of valid accounts, typically credentials for externally exposed services without multifactor authentication.

Play Ransomware Group Profile

The Play ransomware group has quickly established itself within the cybercriminal landscape. Initially associated with the Babuk ransomware code, Play has expanded its operations to include attacks across various sectors globally. The group is noted for exploiting Microsoft Exchange, in particular the ProxyNotShell chain (CVE-2022-41040 and CVE-2022-41082). Its variant of that attack, named OWASSRF by CrowdStrike, reaches the PowerShell remoting backend through the Outlook Web Access frontend (CVE-2022-41080 and CVE-2022-41082) rather than through Autodiscover, which is why servers that had only applied Microsoft's URL-rewrite mitigation for ProxyNotShell, and not the November 2022 security update, remained exploitable.

Play ransomware actors employ a range of tools to gain initial access, move laterally within networks, and exfiltrate data. Much of the toolkit is legitimate software repurposed for malicious ends: AdFind and the group's own Grixba scanner for enumerating Active Directory and the network, GMER, IOBit Unlocker and PowerTool for disabling antivirus and EDR from kernel mode, PsExec and Cobalt Strike for lateral movement and command and control, and WinRAR and WinSCP for compressing and shipping stolen data. Because these binaries are often renamed or dropped into world-writable paths, detection has to key on command-line arguments and behaviour rather than file names alone. The group's continuous refinement of its tactics, techniques, and procedures (TTPs) underscores the threat it poses to organizations.
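The following is an added example, not code from the original page or from any incident-response reporting on this case, of how the tool usage described above can be surfaced from process-creation telemetry (Sysmon Event ID 1 or equivalent). The events, host names and command lines are constructed for illustration, and the regexes are the editor's own approximations of how these tools appear on the command line, not indicators published for the Visa Lighting incident. The point it makes beyond the paragraph: match on arguments (an AdFind LDAP filter, a WinRAR password-and-volume flag set) rather than binary names, then escalate only hosts where several techniques co-occur, since a lone AdFind run is often an administrator.

```python
"""Flag Play-style discovery, defence-evasion and staging activity in
process-creation events.  Added example with constructed sample data; the
rules below are assumptions about tool command lines, not published IOCs."""
import re
from collections import defaultdict

# Constructed events resembling Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-012", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe Q2-budget.txt"},
    # AdFind renamed to ad.exe: the binary name is gone, the LDAP filter is not
    {"host": "srv-fs01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\ad.exe",
     "cmdline": r'ad.exe -f "(objectcategory=person)" > C:\ProgramData\u.txt'},
    {"host": "srv-fs01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\ad.exe",
     "cmdline": r"ad.exe -sc trdc > C:\ProgramData\t.txt"},
    {"host": "srv-fs01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\gmer.exe",
     "cmdline": r"gmer.exe"},
    # password-protected, 500 MB split archive of a file share: staging
    {"host": "srv-fs01", "user": "CORP\\svc_backup",
     "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -hpQ7x! -v500m D:\out\fin.rar "C:\Shares\Finance"'},
    # ordinary user extracting an archive: must not fire
    {"host": "ws-031", "user": "CORP\\mlee",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" x photos.rar'},
]

# Each rule: (description, ATT&CK technique, event field to inspect, pattern).
RULES = [
    ("AdFind LDAP filter enumeration (fires even if the binary is renamed)",
     "T1087.002", "cmdline",
     re.compile(r'(?i)-f\s+"?\(?object(?:category|class)=')),
    ("AdFind trust / subnet enumeration", "T1482", "cmdline",
     re.compile(r'(?i)\s-(?:sc\s+trdc|subnets)\b')),
    ("GMER-class anti-rootkit / AV-killer binary (name match only)",
     "T1562.001", "image",
     re.compile(r'(?i)\\(?:gmer|powertool|iobitunlocker)\.exe$')),
    ("WinRAR add with password (-hp) or volume split (-v): exfil staging",
     "T1560.001", "cmdline",
     re.compile(r'(?i)\b(?:win)?rar(?:\.exe)?"?\s+a\b.*?\s-(?:hp|v\d+)')),
]


def scan(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for ev in events:
        for description, technique, field, pattern in RULES:
            if pattern.search(ev.get(field, "")):
                findings.append({
                    "host": ev["host"], "user": ev["user"],
                    "technique": technique, "rule": description,
                    "cmdline": ev["cmdline"],
                })
    return findings


def hosts_to_escalate(findings, min_techniques=2):
    """Hosts on which at least min_techniques distinct techniques co-occur.
    One AdFind run is often an admin; AdFind plus an AV killer plus archiving
    on the same host is hands-on-keyboard activity worth paging on."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    return sorted(h for h, techs in per_host.items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:10} {f['technique']:10} {f['rule']}")
    print("escalate:", hosts_to_escalate(found))
```

On the constructed sample this yields four findings, all on srv-fs01, and that host alone is escalated. In production the GMER rule should key on the signed driver's hash or the driver-load event rather than the file name, and the thresholds belong in a correlation window (for example, techniques within the same hour under the same account) rather than across all time.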

Implications and Recommendations

This attack on Visa Lighting shows that a mid-sized manufacturer holding payroll, tax and customer data is as attractive a target as any financial or healthcare firm. The controls that most directly counter Play's known playbook are: multifactor authentication on every externally reachable service (VPN, Exchange, remote desktop gateways), prompt patching of public-facing applications, and offline or immutable backups that a domain administrator account cannot delete, since the actors hunt for and destroy reachable backups before encrypting. Because the group exfiltrates before it encrypts, organizations also need detection that fires on the pre-encryption stages (directory enumeration, security-tool tampering, large archive creation and outbound transfers) and a practised response capability to contain a host within minutes of such an alert.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.