Credible Group Hit by Major Ransomware Attack from Play Group
Ransomware Attack on Credible Group by Play Ransomware
On August 12, 2024, Credible Group, a renowned Canadian furniture design and manufacturing company, became the latest victim of a ransomware attack orchestrated by the Play ransomware group. This incident has compromised a significant amount of sensitive information, including private and personal confidential data, client documents, budget details, payroll records, accounting information, contracts, tax documents, identification details, and financial information.
About Credible Group
Founded in 1996 by Anthony Marcucci, Credible Group has grown from a small garage operation to a recognized leader in the furniture industry. The company employs over 300 skilled designers and artisans at its 100,000 square foot facility in Canada. Credible Group is known for its commitment to craftsmanship and quality, producing durable and aesthetically appealing furniture pieces. Their clientele includes prestigious organizations such as the United Nations and luxury hotels on the Las Vegas Strip.
Attack Overview
The ransomware attack on Credible Group was discovered on August 12, 2024. The Play ransomware group, also known as PlayCrypt, claimed responsibility for the attack via their dark web leak site. The breach compromised a wide array of sensitive information, although the exact size of the data leak remains unknown. The attack has raised significant concerns about the security measures in place at Credible Group, given the extensive nature of the compromised data.
About Play Ransomware Group
The Play ransomware group has been active since June 2022 and has targeted a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group is known for exploiting vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange, among others. They use tools like Mimikatz for privilege escalation and employ custom tools to enumerate users and computers on compromised networks.
Penetration Methods
Play ransomware typically gains initial access by exploiting vulnerabilities in RDP servers and Microsoft Exchange, as well as by using valid accounts, including VPN accounts. The group executes its code using scheduled tasks and PsExec, and maintains persistence through similar methods. It evades defenses by disabling antimalware and monitoring solutions with tools like Process Hacker and GMER.
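For defenders, the tool chain described above can be turned into a simple correlation rule. The following is an added example, not code from Halcyon or from any incident report: it flags a host when process-creation events show two or more of the named behaviors (PsExec or scheduled-task execution, Process Hacker or GMER, Mimikatz) within 30 minutes. The log format, host names, file paths and the 30-minute window are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from a real incident).
SAMPLE_LOG = r"""
2024-08-12T09:00:01 host=WS01 image=C:\Windows\System32\schtasks.exe cmd="schtasks /query"
2024-08-12T09:05:00 host=WS01 image=C:\Windows\System32\schtasks.exe cmd="schtasks /create /tn demo /tr C:\Temp\demo.exe /sc onstart"
2024-08-12T10:00:00 host=SRV02 image=C:\Users\Public\ProcessHacker.exe cmd="ProcessHacker.exe"
2024-08-12T10:04:00 host=SRV02 image=C:\Windows\PSEXESVC.exe cmd="PSEXESVC.exe"
2024-08-12T08:00:00 host=SRV03 image=C:\Temp\gmer.exe cmd="gmer.exe"
2024-08-12T11:00:00 host=SRV03 image=C:\Tools\PsExec.exe cmd="PsExec.exe -accepteula"
"""

# (tactic, image-name pattern, optional command-line pattern). File names are
# assumed defaults; renamed binaries need hash or signature based matching.
RULES = [
    ("execution", re.compile(r"\\(psexec(64)?|psexesvc)\.exe$", re.I), None),
    ("execution", re.compile(r"\\schtasks\.exe$", re.I), re.compile(r"/create\b", re.I)),
    ("defense_evasion", re.compile(r"\\(processhacker|gmer)\.exe$", re.I), None),
    ("credential_access", re.compile(r"\\mimikatz\.exe$", re.I), None),
]
LINE = re.compile(r'^(\S+) host=(\S+) image=(\S+) cmd="(.*)"$')

def classify(image, cmd):
    """Return the tactic label for one process event, or None if no rule matches."""
    for tactic, image_re, cmd_re in RULES:
        if image_re.search(image) and (cmd_re is None or cmd_re.search(cmd)):
            return tactic
    return None

def correlate(log, window=timedelta(minutes=30)):
    """Map host -> sorted tactics for hosts showing two or more tactics inside the window."""
    hits = defaultdict(list)
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        tactic = classify(m.group(3), m.group(4))
        if tactic:
            hits[m.group(2)].append((datetime.fromisoformat(m.group(1)), tactic))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            seen = {t for ts, t in events if start <= ts <= start + window}
            if len(seen) >= 2:
                alerts[host] = sorted(seen | set(alerts.get(host, [])))
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

On the constructed sample only SRV02 is flagged: WS01 shows a single behavior, and the two events on SRV03 are three hours apart.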
Impact on Credible Group
The attack on Credible Group has not only compromised sensitive data but also highlighted potential vulnerabilities in the company's cybersecurity measures. Given the company's prominence in the furniture industry and its extensive client base, the breach could have far-reaching implications. The incident underscores the importance of vigilant cybersecurity practices, especially for companies handling sensitive and confidential information.