Boeing, US Navy supplier Jamco Aerospace claimed in ransomware attack


Jamco Aerospace Inc., a commercial and military aircraft industrial parts supplier for the US Navy, Boeing, and Northrop Grumman, has been claimed as a victim by the Play ransomware group.

Headquartered in Long Island, New York, the engineering and fabrication company produces a full range of complex and precision-machined components and assemblies for some of the world’s largest aerospace and aircraft manufacturers.

Big name clients include Northrop Grumman, Spirit Aerospace, Boeing, Lockheed Martin, Middle River Aircraft, and many other smaller individual production facilities in the US.

Play posted the aerospace & defense supplier on its dark leak blog on Wednesday, along with several other victims, threatening to publish the company’s stolen data on August 10th – presumably if a ransom demand is not paid.

Play leak site. Image by Cybernews.

According to its website, Jamco Aerospace covers the entire manufacturing process, from bidding, engineering, and fabrication to inspection and shipping. It supplies parts ranging from “small turnings to large complex machined castings, as well as structural sheet metal assemblies for commercial and military aircraft.”

Aircraft components made and distributed by Jamco include power distribution boxes, nose landing gear door fairings, hull and tank selector valves, main landing gear, gear box assemblies, and fitting-wing fold joints, Bloomberg reports.

It's unclear if the purported ransomware attack has disrupted Jamco’s business operations. Still, Cybernews can confirm the company’s website, jamco-aerospace.com, although bare-bones and with a URL showing "not secure" in Google's web browser, appears to be loading normally.

Furthermore, Play did not reveal how much data it purportedly stole in the attack or provide any data samples.

The cybercriminal cartel claims to have exfiltrated a cache of sensitive files, listed as “private and personal confidential data, clients' documents, budget, payroll, accounting, taxes, IDs, finance information, etc.”

Play leak site. Image by Cybernews.

In a FAQ section on Play’s dark leak site, the ransomware gang states that it not only investigates and steals “all important, personal, private, compromising information, including databases and all valuable documents” from its victims but also encrypts their data, making it “inaccessible for use.”

The extortionists also claim to study a company’s “income, expenses, documents, reports, and more” before setting a “reasonably priced” ransom demand. In the case of non-payment, Play says it will “notify your partners and customers” before publishing the stolen data.

Aerospace sector has been targeted before

Founded in 1967 as Jamco Instruments, the company was purchased in 1984 by its present CEO, Dr. Jack Lee, who changed the name to Jamco Aerospace, Inc.

The company has no relation to the Japanese-owned Jamco Corp, the leading aviation industry manufacturer and supplier (Boeing, Airbus) of aircraft interiors and components.

Meanwhile, the aerospace and defense sector is no stranger to ransomware, mainly due to the treasure trove of sensitive information stored in victims' networks, including proprietary trade secrets, client information, and defense contracts, as well as the potential impact on supply chains.

In January, the INC Ransom group claimed responsibility for an attack on the DoD defense contractor Stark Aerospace, although the company never publicly confirmed a breach, while The Boeing Company confirmed operations were impacted after being hit by the LockBit gang in late 2023.

Cybernews has reached out to Jamco Aerospace and is awaiting a response at the time of this report.

Play tops list of most active ransom gangs

The Play ransomware group was tracked as the third most active ransomware group in 2024, and again in the first half of 2025.

The seasoned cybercriminals have claimed over 800 victims since the group was first observed in 2022. According to the Cybernews Ransomlooker monitoring tool, in the past 12 months, Play has carried out 350 attacks, mainly in the US, Canada, Latin America, and Europe.

Its most recent victims include the Chicago WFMT radio station just last month, the Ivy League partnered Study Hotels chain in April, and the popular Krispy Kreme doughnut shop chain in December 2024.

Cybernews Ransomlooker tool shows Play as the third most active ransomware gang in the past 6 months. Qilin is in the top spot, followed by the Cl0p ransomware group. Image by Cybernews.

The suspected Russian-linked gang “employs a double-extortion model, encrypting systems after exfiltrating data and has impacted a wide range of businesses and critical infrastructure,” an FBI advisory from last December states.

Play is considered one of the first ransomware groups to use intermittent encryption, where only certain, fixed system segments are encrypted, according to Adlumin research.

The method allows for faster access and exfiltration of a victim's data, and it seems other notorious groups have since adopted the tactic, including ALPHV/BlackCat, DarkBit, and BianLian, the profile said.
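
For defenders, a partially encrypted file tends to show ciphertext-like chunks interleaved with untouched ones, which per-chunk entropy can surface during triage. The Python below is an added example, not code from Cybernews, the FBI, or Adlumin; the chunk size, entropy threshold, ratio cut-offs, and sample data are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 4096        # assumed analysis granularity, not a value from the article
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for "looks like ciphertext"

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())

def high_entropy_chunks(data: bytes, chunk: int = CHUNK) -> list:
    """Indexes of fixed-size chunks whose entropy meets the threshold."""
    return [i // chunk for i in range(0, len(data), chunk)
            if shannon_entropy(data[i:i + chunk]) >= HIGH_ENTROPY]

def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Label content 'plain', 'intermittent' or 'fully_encrypted'."""
    n_chunks = max(1, math.ceil(len(data) / chunk))
    ratio = len(high_entropy_chunks(data, chunk)) / n_chunks
    if ratio >= 0.9:      # assumed cut-off: nearly every chunk is high entropy
        return "fully_encrypted"
    if ratio >= 0.1:      # assumed cut-off: a mix of high and low entropy chunks
        return "intermittent"
    return "plain"

def constructed_samples():
    """Build three constructed 12-chunk buffers; no real file or malware is involved."""
    rng = random.Random(0)  # fixed seed so the sample is reproducible
    def noise() -> bytes:   # random bytes stand in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(CHUNK))
    text = (b"Q3 payroll ledger: totals, taxes, vendor invoices.\n" * 100)[:CHUNK]
    plain = text * 12
    full = b"".join(noise() for _ in range(12))
    # Every third chunk replaced by noise, the rest left as readable text.
    mixed = b"".join(noise() if i % 3 == 0 else text for i in range(12))
    return plain, full, mixed

if __name__ == "__main__":
    for name, buf in zip(("plain", "full", "mixed"), constructed_samples()):
        print(name, classify(buf), high_entropy_chunks(buf))
```

Compressed or media formats are high-entropy by design and container formats can legitimately mix entropy levels, so a result like this is a triage signal to compare against a known-good baseline of the same file type, not a verdict.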

Cybernews Ransomlooker tool shows Play has claimed 350 victims in the past twelve months. Image by Cybernews.

As of last year, the gang was seen exploiting remote monitoring and management software (RMM), as well as leveraging a decades-old Fortinet firewall vulnerability.

In 2023, Play was behind the crippling month-long attack against the City of Oakland, California, the Palo Alto County Sheriff's office in Iowa, and the Donald W. Wyatt maximum security detention center in Rhode Island.

Other high-profile Play victims include the cloud computing company Rackspace, German hotel chain H-Hotels, and BMW France.