RCG Ventures LLC Hit by Major Play Ransomware Cyber Attack

Incident Date: August 21, 2024

Overview

Title: RCG Ventures LLC Hit by Major Play Ransomware Cyber Attack
Victim: RCG Ventures LLC
Attacker: Play
Location: Atlanta, USA; Georgia, USA
First Reported: August 21, 2024

Play Ransomware Group Targets RCG Ventures LLC in Major Cyber Attack

RCG Ventures LLC, a prominent real estate investment group based in Atlanta, Georgia, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. The attack, identified on August 21, 2024, has led to the exposure of sensitive files on the dark web, raising significant concerns about the company's cybersecurity measures.

About RCG Ventures LLC

Founded in 2003, RCG Ventures LLC specializes in the acquisition and development of commercial real estate across the United States. The company focuses primarily on multi-tenant, anchored shopping centers and operates with a long-term ownership perspective. With an annual revenue of approximately $58 million and over $1 billion invested in 146 properties across 22 states, RCG Ventures has established itself as a significant player in the real estate market.

Attack Overview

The ransomware attack was first identified on August 21, 2024, and by August 26, 2024, sensitive files were published on the dark web. The compromised data has garnered significant attention, with the dark web post receiving 354 views. The publication status of the files remains active, indicating ongoing exposure of the compromised information. This incident has highlighted potential vulnerabilities in RCG Ventures' cybersecurity infrastructure.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. The group targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. Play ransomware is known for exploiting vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange, among others.

Penetration Methods

Play ransomware employs various methods to gain entry into networks, including exploiting RDP servers and FortiOS vulnerabilities, using valid accounts, and leveraging Microsoft Exchange vulnerabilities. The group executes its code using scheduled tasks and PsExec, and maintains persistence through similar methods. Tools like Mimikatz are used for privilege escalation, while defense evasion is achieved using tools such as Process Hacker and GMER.
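The execution, persistence and tooling described above each leave a trace in standard Windows event logs: a service installation (System event 7045) when PsExec runs its service, a scheduled-task creation (Security event 4698), process creation (Security event 4688) for the named tools, and RemoteInteractive logons (Security event 4624, logon type 10) for RDP. The script below, an added example that is not part of the original report or of any tracker's code, runs simple detection rules over constructed, simplified stand-ins for those event records; the event dictionaries, the user-writable directory list and the tool-name table are assumptions built from the techniques the report names.

```python
"""Detection rules for the techniques named in the report: PsExec service
installation, scheduled-task persistence, known credential-dumping and
defense-evasion tools, and RDP logons from outside private address space.
Added example; the sample events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Constructed sample events: simplified Windows event log records.
SAMPLE_EVENTS = [
    {"id": 4624, "channel": "Security", "logon_type": 10,
     "user": "jsmith", "src_ip": "203.0.113.5"},
    {"id": 7045, "channel": "System", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4698, "channel": "Security", "task_name": r"\Microsoft\Windows\update",
     "command": r"C:\Users\Public\run.bat"},
    {"id": 4688, "channel": "Security", "new_process": r"C:\Users\Public\mimikatz.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "channel": "Security", "new_process": r"C:\Tools\ProcessHacker.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 4688, "channel": "Security", "new_process": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Tool names taken from the report; matched against the image file stem (assumption:
# the binary keeps its default name, which attackers often rename, so treat as one signal).
SUSPICIOUS_TOOLS = {
    "mimikatz": "credential access (privilege escalation)",
    "processhacker": "defense evasion",
    "gmer": "defense evasion",
}

# Task actions launched from user-writable locations are worth an analyst's look.
USER_WRITABLE = re.compile(r"\\users\\public\\|\\appdata\\|\\temp\\", re.I)

# RFC 1918 ranges; an RDP logon from anywhere else is flagged.
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


@dataclass(frozen=True)
class Finding:
    event_id: int
    technique: str
    detail: str


def _stem(path):
    """Lower-cased file name without a trailing .exe, e.g. 'ProcessHacker.exe' -> 'processhacker'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(events):
    """Apply each rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        eid = ev["id"]
        if eid == 7045 and "psexesvc" in ev.get("service_name", "").lower():
            findings.append(Finding(eid, "remote execution via PsExec", ev["image_path"]))
        elif eid == 4698 and USER_WRITABLE.search(ev.get("command", "")):
            findings.append(Finding(eid, "persistence via scheduled task", ev["task_name"]))
        elif eid == 4688:
            stem = _stem(ev.get("new_process", ""))
            for tool, label in SUSPICIOUS_TOOLS.items():
                if stem.startswith(tool):
                    findings.append(Finding(eid, label, ev["new_process"]))
        elif eid == 4624 and ev.get("logon_type") == 10:
            ip = ev.get("src_ip", "")
            if not PRIVATE_IP.match(ip):
                findings.append(Finding(eid, "RDP logon from external address",
                                        f"{ev['user']} from {ip}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.event_id}\t{f.technique}\t{f.detail}")
```

Each rule corresponds to one technique in the paragraph, so a hit on several rules within a short window on one host (an external RDP logon, then a PsExec service install, then a credential-dumping binary) is the pattern worth alerting on; any single rule alone produces noise in most environments.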

Implications for RCG Ventures

The attack on RCG Ventures underscores the importance of advanced cybersecurity measures, especially for companies handling significant financial transactions and sensitive data. The exposure of sensitive files on the dark web not only threatens the company's operational integrity but also its reputation in the real estate market. This incident serves as a stark reminder of the evolving threat landscape and the need for continuous vigilance and advanced security protocols.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.