Universal Pure Hit by Play Ransomware, Operations Disrupted

Incident Date: August 29, 2024

Overview

Victim: Universal Pure
Attacker: Play
Location: Lincoln, Nebraska, USA
First Reported: August 29, 2024

Universal Pure Targeted by Play Ransomware Group

Universal Pure, a leading provider of High Pressure Processing (HPP) services in the food and beverage industry, has been targeted by the Play ransomware group. The attack has compromised the company's security and operations, posing significant challenges in restoring systems and safeguarding sensitive information.

About Universal Pure

Founded in 2001 and headquartered in Lincoln, Nebraska, Universal Pure has grown from a cold storage facility into a comprehensive service provider. The company operates eight locations across the United States and employs approximately 175 people. With an annual revenue of $32.7 million, Universal Pure is the largest third-party HPP service provider in the U.S., utilizing 22 HPP machines. The company offers a range of integrated cold chain solutions, including cold storage, beverage co-packing, kitting and assembly, and inventory management. Their commitment to food safety and quality has made them a critical partner for manufacturers seeking to meet consumer demands for cleaner labels and longer-lasting products.

Attack Overview

The Play ransomware group has claimed responsibility for the attack on Universal Pure via their dark web leak site. While specific details of the breach remain sparse, the involvement of Play suggests a sophisticated and potentially damaging incident. The company is likely facing significant challenges in restoring its systems and safeguarding sensitive information.

About Play Ransomware Group

Active since June 2022, the Play ransomware group, also known as PlayCrypt, has been responsible for numerous high-profile attacks. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. Play targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group is known for exploiting vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange, as well as using valid accounts and custom tools to gain entry into networks.

Penetration Methods

Play ransomware employs various methods to penetrate company systems. The group exploits vulnerabilities such as CVE-2018-13379 and CVE-2020-12812 in FortiOS, and CVE-2022-41080 and CVE-2022-41082 in Microsoft Exchange. It also uses valid VPN accounts that may have been reused or illicitly acquired. Once inside, the operators execute their code using scheduled tasks, PsExec, and Group Policy Objects (GPOs); to maintain persistence and escalate privileges they use tools such as Mimikatz, and they employ defense evasion techniques to disable antimalware and monitoring solutions.
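Each post-access technique named above leaves a distinct trace in standard Windows telemetry, which is where a defender would look for this chain. The script below is an added example written for this page, not code from the original report or from any vendor: it triages a handful of constructed Windows Security, System, Sysmon and Defender event records (the sample hosts, usernames, paths and the `LSASS_READERS_ALLOWLIST` are invented for illustration) with one rule per technique, then reports hosts on which several techniques fired together. The event IDs (7045 service install, 4698 scheduled task created, 5136 directory object modified, Sysmon 10 process access, Defender 5001 real-time protection disabled) are real, but the matching thresholds are the author's assumptions and should be tuned to an environment's baseline.

```python
"""Added example: triage Windows event records for the post-access techniques
attributed to Play (PsExec, scheduled tasks, GPO modification, LSASS credential
access, disabling antimalware). Sample records below are constructed, not real
telemetry; event IDs are the genuine Windows/Sysmon IDs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    channel: str     # Windows event log channel
    event_id: int    # numeric event ID within that channel
    host: str        # computer that logged the event
    fields: dict     # selected EventData fields, as strings


# Constructed sample records for this example (hostnames/paths are invented).
SAMPLE_EVENTS = [
    Event("System", 7045, "FS01", {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event("System", 7045, "FS01", {"ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"}),
    Event("Security", 4698, "FS01", {"TaskName": "\\Updater", "Command": "cmd.exe /c \\\\FS01\\share\\run.bat", "SubjectUserName": "svc_backup"}),
    Event("Security", 5136, "DC01", {"AttributeLDAPDisplayName": "gPCFileSysPath", "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc_backup"}),
    Event("Microsoft-Windows-Sysmon/Operational", 10, "FS01", {"TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010", "SourceImage": "C:\\Users\\Public\\m.exe"}),
    Event("Microsoft-Windows-Sysmon/Operational", 10, "FS01", {"TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000", "SourceImage": "C:\\Windows\\System32\\csrss.exe"}),
    Event("Microsoft-Windows-Windows Defender/Operational", 5001, "FS01", {}),
]

PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory
# Assumed allowlist of system processes that legitimately open LSASS; tune per environment.
LSASS_READERS_ALLOWLIST = {"c:\\windows\\system32\\csrss.exe", "c:\\windows\\system32\\wininit.exe"}
# Attributes on a groupPolicyContainer whose change means the GPO's content was edited.
GPO_CONTENT_ATTRS = {"gPCFileSysPath", "versionNumber", "gPCMachineExtensionNames"}


def rule_psexec_service(ev):
    """System 7045: PsExec installs its helper service on the remote host."""
    if ev.channel == "System" and ev.event_id == 7045:
        name = ev.fields.get("ServiceName", "").upper()
        path = ev.fields.get("ImagePath", "").upper()
        if name == "PSEXESVC" or path.endswith("PSEXESVC.EXE"):
            return "PsExec service installed"
    return None


def rule_scheduled_task(ev):
    """Security 4698: new task whose action is a shell or a UNC-path payload."""
    if ev.channel == "Security" and ev.event_id == 4698:
        cmd = ev.fields.get("Command", "").strip()
        if "\\\\" in cmd or re.match(r"(?i)^(cmd|powershell|wscript|cscript|rundll32)(\.exe)?\b", cmd):
            return "Scheduled task created that runs a shell or UNC-path payload"
    return None


def rule_gpo_modified(ev):
    """Security 5136 (needs directory-service SACL auditing): GPO content changed."""
    if ev.channel == "Security" and ev.event_id == 5136:
        if ev.fields.get("ObjectClass") == "groupPolicyContainer" and \
                ev.fields.get("AttributeLDAPDisplayName") in GPO_CONTENT_ATTRS:
            return "Group Policy object content modified"
    return None


def rule_lsass_access(ev):
    """Sysmon 10: a non-allowlisted process obtained read access to LSASS memory."""
    if ev.channel.endswith("Sysmon/Operational") and ev.event_id == 10:
        target = ev.fields.get("TargetImage", "").lower()
        source = ev.fields.get("SourceImage", "").lower()
        access = int(ev.fields.get("GrantedAccess", "0x0"), 16)
        if target.endswith("\\lsass.exe") and access & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWLIST:
            return f"Process memory read on LSASS from {source}"
    return None


def rule_defender_disabled(ev):
    """Defender Operational 5001: real-time protection was turned off."""
    if ev.channel == "Microsoft-Windows-Windows Defender/Operational" and ev.event_id == 5001:
        return "Defender real-time protection disabled"
    return None


RULES = [rule_psexec_service, rule_scheduled_task, rule_gpo_modified, rule_lsass_access, rule_defender_disabled]


def triage(events):
    """Run every rule over every event; return one alert dict per match."""
    alerts = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append({"host": ev.host, "event_id": ev.event_id, "rule": rule.__name__, "reason": reason})
    return alerts


def hosts_with_chain(alerts, minimum=3):
    """Hosts where several distinct techniques fired: stronger than any single rule."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['host']}] {a['event_id']}: {a['reason']}")
    print("hosts with a technique chain:", hosts_with_chain(found))
```

Any one of these rules is noisy on its own (administrators use PsExec and scheduled tasks, and GPOs are edited legitimately), so `hosts_with_chain` correlates them per host; the unmatched `Spooler` service install and the `csrss.exe` LSASS access in the sample show the rules staying quiet on routine activity.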

Impact and Challenges

The attack on Universal Pure underscores the vulnerabilities that even well-established companies face in the digital age. The company's extensive operations and reliance on integrated cold chain solutions make it a lucrative target for ransomware groups like Play. The breach not only disrupts their services but also poses a significant risk to the sensitive information they handle, including data related to food safety and quality assurance.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.