Thompson Construction Supply Suffers Major Ransomware Breach

Incident Date: September 20, 2024

Overview

Title: Thompson Construction Supply Suffers Major Ransomware Breach
Victim: Thompson Construction Supply
Attacker: Play
Location: Corona, California, USA
First Reported: September 20, 2024

Thompson Construction Supply Hit by Play Ransomware Attack

Thompson Construction Supply, a well-established supplier of construction materials based in Corona, California, has become the latest victim of a ransomware attack orchestrated by the Play ransomware group. The attack has led to the unauthorized access and potential exfiltration of a wide array of sensitive data, posing significant risks to the company's operational integrity and the privacy of its clients and employees.

About Thompson Construction Supply

Founded in 1978, Thompson Construction Supply specializes in providing a comprehensive range of construction materials and services. The company offers products essential for both commercial and residential construction projects, including metal and wood doors and frames, concrete supplies, tools, safety equipment, and landscaping materials. With a team boasting over 50 years of experience in civil and stormwater solutions, Thompson Construction Supply is a trusted advisor in the construction process, particularly in highly regulated sectors.

Operating out of 1169 Sherborn St, Corona, CA, the company employs approximately 16 people, reflecting its position as a small to medium-sized enterprise. Its strategic location allows it to serve a broad area effectively, and its commitment to customer service and product availability is a key differentiator in the industry.

Details of the Attack

The Play ransomware group has claimed responsibility for the attack on Thompson Construction Supply via their dark web leak site. The breach has resulted in the compromise of private and personal confidential data, client documents, budgetary details, payroll records, accounting files, contracts, tax documents, identification information, and financial data. The extent of the data breach underscores the severity of the attack.

About the Play Ransomware Group

Active since June 2022, the Play ransomware group, also known as PlayCrypt, has targeted a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group gains initial access to networks through several methods, such as exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. Once inside, it uses tools like Mimikatz for privilege escalation and custom tools to enumerate users and computers on the compromised network.

Play ransomware distinguishes itself by not including an initial ransom demand or payment instructions in its ransom notes. Instead, victims are directed to contact the threat actors via email. The group has impacted over 300 entities, including businesses and critical infrastructure across multiple regions.

Potential Vulnerabilities

Thompson Construction Supply's small to medium-sized enterprise status may have made it a target for threat actors like the Play ransomware group. The company's reliance on digital systems for managing client documents, payroll records, and financial data could have presented multiple entry points for the attackers. Outdated software or insufficient cybersecurity measures, if present, may have further exposed the company to this ransomware attack.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.