Trisun Land Services Hit by Play Ransomware, Client Data Compromised

Incident Date: June 12, 2024
Victim: Trisun Land Services
Attacker: Play
Location: Waterville, USA; Ohio, USA
First Reported: June 12, 2024

Ransomware Attack on Trisun Land Services by Play Group

Overview of Trisun Land Services

Trisun Land Services LLC, a locally owned real estate title and closing services company, operates out of Waterville, Ohio, with an additional location in Perrysburg, Ohio. The company, with over 30 years of combined experience, specializes in providing complete closing, settlement, and escrow services. Known for its personalized and budget-friendly services, Trisun Land Services accommodates clients at their preferred locations, including homes and workplaces. The company employs a small team of 2-10 qualified staff members and is licensed with the Ohio Department of Insurance.

Details of the Ransomware Attack

The ransomware group Play has claimed responsibility for a cyberattack on Trisun Land Services. The attack compromised a significant amount of private and confidential data, including client documents, budget information, payroll, accounting records, contracts, tax documents, IDs, and financial information. The breach was announced on Play's dark web leak site, indicating a severe impact on the company's operations and client trust.

About the Play Ransomware Group

Play ransomware, operated by the group Ransom House, is a notable actor in the cybercrime landscape, particularly targeting Linux systems. Initially linked to the Babuk code, Play ransomware has evolved to deploy cryptographic lockers, focusing on ESXi lockers. The group is known for its sophisticated tactics, including the use of Sosemanuk for encryption and a unique verbose ransom note to communicate with victims. Play ransomware actors often utilize various hack tools and utilities, such as AnyDesk and NetCat, to achieve initial access and execute their attacks.

Potential Vulnerabilities and Penetration Methods

Trisun Land Services, with its small team and extensive handling of sensitive client data, presents a lucrative target for ransomware groups like Play. The company's reliance on digital records and communication channels may have exposed vulnerabilities that the attackers exploited. The Play group likely penetrated Trisun's systems through common vectors such as phishing emails, exploiting unpatched software vulnerabilities, or leveraging weak network security protocols. The exact method of penetration remains unclear, but the attack underscores the critical need for robust cybersecurity measures in protecting sensitive real estate transaction data.
