Unveiling the Play Ransomware Group: Canatal Industries' Data Breach

Incident Date:

May 2, 2024

World map



Unveiling the Play Ransomware Group: Canatal Industries' Data Breach


Canatal Industries




Quebec, Canada

, Canada

First Reported

May 2, 2024

Ransomware Attack on Canatal Industries by Play Group

Company Profile

Canatal Industries, a prominent player in the structural steel fabrication sector, is known for its precision and reliability in delivering complex steel structures. Based in Canada, the company employs 525 individuals and boasts an annual revenue of $31.6 million. With over 2,000 projects under its belt, Canatal is recognized for its ability to meet stringent deadlines and customize projects to client specifications, making it a leader in its field.

Details of the Ransomware Attack

The Play ransomware group, known for its aggressive tactics and focus on Linux systems, has claimed responsibility for the recent cyber attack on Canatal Industries. The attack led to the exfiltration of approximately 50 GB of sensitive data, including client documents, employee payroll information, contracts, and financial records. This data was subsequently leaked on Canatal's own website, posing significant reputational and financial risks to the company.

Analysis of Play Ransomware Group

The Play group, a derivative of the Babuk ransomware family, is notorious for its focus on Linux-based systems, particularly targeting ESXi servers. The group's operational tactics include the use of sophisticated encryption methods and detailed ransom notes that guide victims through the payment process. Their method of operation often involves initial data theft followed by file encryption, maximizing pressure on the victims to comply with their demands.

Potential Vulnerabilities and Entry Points

Canatal Industries' reliance on digital technologies for project management and data storage may have exposed them to increased cybersecurity risks. The specific entry point for the Play group could have involved exploiting vulnerabilities in network security, possibly through phishing attacks or unpatched systems, which are common tactics used by ransomware operators to gain initial access to corporate networks.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.