The cyber cartel has just added an unlikely victim to its growing hitlist – a California-based horse sport equipment giant.
Professional’s Choice Sports Medicine Products, Inc. appeared on Play ransomware’s dark web site, where the group lists its newest victims. The post appeared on the 4th of November, claiming that the gang has exfiltrated the equine sportswear giant’s data.
According to the claims on the dark web, the threat actors have “private and personal confidential data, clients' documents, budget, payroll, IDs, taxes, and finance information.”
Professional’s Choice Sports Medicine Products was founded in 1976 and specializes in manufacturing and selling high-quality equine sports medicine and performance products. It is also known for inventing the original Sports Medicine Boot. Headquartered in California, the company boasts an annual revenue of around $65 million.
The Play gang’s website claims that there’s just one day left until it publicly releases the data. This is a technique often used by ransomware gangs to blackmail victims into paying the ransom. If the victim refuses to pay, the data is posted on the website for anyone to download.
According to an FBI bulletin on the group, Play ransomware actors use a double-extortion model, which means that the victims are hit twice. First, they demand a payment to receive the decryption key for the encrypted data. Then, attackers demand a second payment for not leaking or selling the stolen data.
Cybernews has reached out to the company for clarification, but a response has yet to be received.
Who is the Play ransomware gang?
The gang, first seen two years ago, is suspected to be Russian-linked.
According to Cybernews’s dark web tracker, Ransomlooker, the same gang has already listed 964 victims and has impacted a wide range of businesses and critical infrastructure.
This year, the cartel targeted GrammaTech, a US-based cybersecurity research outfit that frequently works with US government bodies such as DARPA, the Department of War (DoW), and other key institutions.
Another notable victim claimed by the gang is Jamco Aerospace Inc., a supplier of industrial parts for commercial and military aircraft to the US Navy, Boeing, and Northrop Grumman.
The gang claimed to have exfiltrated a cache of sensitive files, listed as “private and personal confidential data, clients' documents, budget, payroll, accounting, taxes, IDs, finance information, etc.”In May, the gang claimed a hotel chain serving Yale’s campuses.
In July, a well-known Chicago-based radio station, WFMT, was also allegedly breached by the hacker group. The attackers claimed they took a trove of sensitive personal and business information.
Last year, the gang was responsible for an attack against the multinational doughnut and coffeehouse chain Krispy Kreme.
In 2023, Play was behind the crippling month-long attack against the City of Oakland, California, the Palo Alto County Sheriff's office in Iowa, and the Donald W. Wyatt maximum security detention center in Rhode Island.
Play ransomware also claimed to have breached BMW France.
According to an Adlumin profile, Play is thought to be one of the first ransomware groups to use intermittent encryption, in which only certain fixed segments of a system are encrypted.
The method allows for faster access and exfiltration of a victim's data. It seems that other notorious groups have since adopted the tactic, including ALPHV/BlackCat, DarkBit, and BianLian.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked