Manufacturing Mayhem: A Ransomware Rampage


July 13, 2023

World map

In recent days, the manufacturing sector has become a hotbed of ransomware activity, with attacks on M&M Industries, ITW Food Equipment Group, and Intoximeters by the BlackBasta, BlackCat/ALPHV, and Play ransomware gangs respectively.

These events underline a worrying trend: cybercriminals are increasingly targeting the manufacturing industry, leveraging their technical prowess to exploit vulnerabilities and disrupt operations.

BlackBasta's Blow on M&M Industries

On June 24, 2023, the BlackBasta ransomware gang attacked M&M Industries, a Tennessee-based plastic packaging manufacturer. Displaying their catch on their data leak site a day prior, BlackBasta claimed to have exfiltrated financial documents from M&M Industries, even going as far as to publish a 9% sample of the stolen data.

BlackBasta, a Ransomware-as-a-Service (RaaS) outfit believed to be a revival of the notorious Conti and REvil groups, has been active since early 2022. Despite their recent emergence, they have quickly gained notoriety for their attacks on various sectors, including manufacturing, transportation, and construction.

Their techniques are highly sophisticated, infecting both Windows and Linux systems by exploiting vulnerabilities in VMware ESXi. Ransom demands are reportedly as high as $2 million, which, coupled with their frequent attacks, makes them a significant threat.

ITW Food Equipment Group Faces BlackCat/ALPHV

Days later, on June 28, ITW Food Equipment Group, a manufacturer of food equipment based in Illinois, was targeted by the BlackCat/ALPHV ransomware gang. Claiming to have stolen a massive 701GB of internal company data, the gang posted screenshots of the exfiltrated Personally Identifiable Information (PII) on their leak site.

BlackCat/ALPHV, which emerged in late 2021, utilizes a robust RaaS platform that uses AES and RSA encryption methods to encrypt data. They are known to disable security tools, evade analysis, and exfiltrate data prior to ransomware execution, including data from cloud-based deployments.

Ransom demands range from $400,000 to $3 million but can exceed $5 million. Their affinity for the RUST programming language, a secure language known for concurrent processing performance, has earned them a unique place in the ransomware ecosystem.

Play Takes on Intoximeters

Also on June 28, the Play ransomware gang turned their attention to Intoximeters, a breath alcohol tester manufacturer based in Missouri. Threatening to publish all stolen data by July 3 if the ransom isn't paid, Play posted Intoximeters to their data leak site.

Play, also known as PlayCrypt, emerged in the summer of 2022, initially grabbing headlines with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. This new breed of cybercriminals utilizes a range of tools, including Cobalt Strike and SystemBC RAT, for lateral movement and persistence, and employs living-off-the-land binaries (LOLBins) techniques.

Play is also known to exploit Exchange vulnerability (CVE-2022-41080) and ProxyNotShell exploit (CVE-2022-41082) to execute code on systems remotely.

The Rising Tide

This spate of attacks underscores the escalating cybersecurity threat that the manufacturing industry faces. Given the complexity and importance of their operations, these companies must invest heavily in cyber resilience. It is critical that organizations prioritize the identification and remediation of vulnerabilities, incorporate robust backup and recovery plans, and ensure regular employee training in cybersecurity best practices.

Indeed, these attacks serve as a stark reminder: in an age where data is as valuable as any physical resource, a resilient cybersecurity infrastructure is not a luxury, but a necessity. As cybercriminals continue to evolve their strategies and methodologies, the manufacturing industry must rise to meet these challenges head-on. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.