Thompson Construction Supply Hit by Play Ransomware Attack

Thompson Construction Supply, a well-established supplier of construction materials based in Corona, California, has become the latest victim of a ransomware attack orchestrated by the Play ransomware group. The attack has led to the unauthorized access and potential exfiltration of a wide array of sensitive data, posing significant risks to the company's operational integrity and the privacy of its clients and employees.

About Thompson Construction Supply

Founded in 1978, Thompson Construction Supply specializes in providing a comprehensive range of construction materials and services. The company offers products essential for both commercial and residential construction projects, including metal and wood doors and frames, concrete supplies, tools, safety equipment, and landscaping materials. With a team boasting over 50 years of experience in civil and stormwater solutions, Thompson Construction Supply is a trusted advisor in the construction process, particularly in highly regulated sectors.

Operating out of 1169 Sherborn St, Corona, CA, the company employs approximately 16 people, reflecting its position as a small to medium-sized enterprise. Their strategic location allows them to serve a broad area effectively, and their commitment to customer service and product availability is a key differentiator in the industry.

Details of the Attack

The Play ransomware group has claimed responsibility for the attack on Thompson Construction Supply via their dark web leak site. The breach has resulted in the compromise of private and personal confidential data, client documents, budgetary details, payroll records, accounting files, contracts, tax documents, identification information, and financial data. The extent of the data breach underscores the severity of the attack.

About the Play Ransomware Group

Active since June 2022, the Play ransomware group, also known as PlayCrypt, has targeted a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group employs various methods to gain entry into networks, such as exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. They use tools like Mimikatz for privilege escalation and custom tools to enumerate users and computers on compromised networks.

Play ransomware distinguishes itself by not including an initial ransom demand or payment instructions in its ransom notes. Instead, victims are directed to contact the threat actors via email. The group has impacted over 300 entities, including businesses and critical infrastructure across multiple regions.

Potential Vulnerabilities

Thompson Construction Supply's small to medium-sized enterprise status may have made it a target for threat actors like the Play ransomware group. The company's reliance on digital systems for managing client documents, payroll records, and financial data could have provided multiple entry points for the attackers. The use of outdated software or insufficient cybersecurity measures may have further exposed the company to this sophisticated ransomware attack.

Sources

• Thompson Construction Supply
• SOCRadar - Play Ransomware
• Cyberint - Play Ransomware
• Proven Data - Play Ransomware