Hackers leak alleged US gas station memos threatening staff

Published: 3 November 2025
SuperQuik ransomware attack

Super Quik, a US regional gas station chain, has been hit by Russia-linked attackers, who leaked security camera footage and a tranche of internal documents on the dark web.

Super Quik, a US convenience and gas station chain, has surfaced on Play ransomware’s dark web blog, the group’s public scoreboard of new victims. Posted on November 1st, the entry claims that the hackers exfiltrated company data.

Super Quik operates in Kentucky, Ohio, West Virginia, and Florida, boasting an annual revenue of $124.8 million.

ADVERTISEMENT

Ransomware gangs often list companies on their websites as a tactic to muscle companies into paying a ransom.

Play, the Russia-linked threat actor, is known to employ the double extortion technique, where a payment is demanded for both the decryption keys and the non-exploitation of stolen data.

Super Quik data leak
Screenshot of the gang's website on the dark web

In the case of Super Quik, it’s likely that the company ignored the attackers’ demands, and a downloadable link to the stolen dataset was posted on the gang's website.

Cybernews researchers have investigated the data samples reachable via the posted link. The entire posted dataset is around 5.5GB and contains various sensitive documents.

What data was leaked?

  • A collection of financial reports, including daily sales, profit reports, and balance sheets outlining product categories, earnings by category, and performance comparisons over time
  • Invoices of purchases made by the company, revealing tech gear and maintenance costs
  • Brief clips of surveillance video footage of inside and outside of petrol stations, where the faces of workers and customers are seen
  • Various product photos, likely ready to be uploaded to the company’s website
  • Payroll change notice, including employee names and their salary rates
  • Documents of renovation plans include employee names and contact information
  • Documents of evaluation criteria for working cashiers, employee training
  • Internal workplace policies, some of which have threatening language towards the workers
  • Templates of internal documents, payroll change, and employment application

If the data is legitimate, it might put the company at risk of digital exploitation. Exposed financial reports and invoices could reveal business intelligence details, supplier pricing, and infrastructure details that could be exploited by competitors.

ADVERTISEMENT

“Surveillance video clips can expose blind spots in the store. Showing employees' and customers' faces creates privacy and legal concerns for the people present,” said Cybernews researchers.

Additionally, payroll notices and renovation plans that expose names, salaries, and contact information increase the risks of identity theft and social engineering attacks.

Templates of internal documents could be useful to attackers to make convincing scams.“Internal documents and evaluations containing inappropriate or threatening language could damage the company’s public image,” our researchers explained.

Cybernews has contacted the company, but a response has yet to be received.

Super Quik data leak
Leaked data.

Who is the Play ransomware gang?

The gang, first seen two years ago, is suspected to be Russia-linked.

According to Cybernews’s dark web tracker, Ransomlooker, the same gang has already listed 964 victims and has impacted a wide range of businesses and critical infrastructure.

This year, the cartel targeted GrammaTech, a US-based cybersecurity research outfit. The company frequently works with US government bodies such as DARPA, the Department of War (DoW), and other key institutions.

Another notable victim claimed by the gang is Jamco Aerospace Inc., a supplier of industrial parts for commercial and military aircraft to the US Navy, Boeing, and Northrop Grumman.

ADVERTISEMENT
jurgita justinasv Izabelė Pukėnaitė vilius Ernestas Naprys Gintaras Radauskas
Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

The gang claimed to have exfiltrated a cache of sensitive files, listed as “private and personal confidential data, clients' documents, budget, payroll, accounting, taxes, IDs, finance information, etc.”In May, the gang claimed a hotel chain serving Yale’s campuses.

In July, a well-known Chicago-based radio station, WFMT, was also allegedly breached by the hacker group. The attackers claimed that they took a trove of sensitive personal and business information.

Last year, the gang was responsible for an attack against the multinational doughnut and coffeehouse chain Krispy Kreme.

In 2023, Play was behind the crippling month-long attack against the City of Oakland, California, the Palo Alto County Sheriff's office in Iowa, and the Donald W. Wyatt maximum security detention center in Rhode Island.

Super Quik data leak
Leaked data.

Play ransomware also claimed to have breached BMW France.

According to an Adlumin profile, Play is thought to be one of the first ransomware groups to use intermittent encryption, in which only certain fixed segments of a system are encrypted.

The method allows for faster access and exfiltration of a victim's data. It appears that other notorious groups have since adopted this tactic, including ALPHV/BlackCat, DarkBit, and BianLian.

ADVERTISEMENT

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT