Hariri Pontarini Architects Hit by Play Ransomware Attack

Incident Date:

September 18, 2024


Overview

Title

Hariri Pontarini Architects Hit by Play Ransomware Attack

Victim

Hariri Pontarini Architects

Attacker

Play

Location

Toronto, Canada

First Reported

September 18, 2024

Hariri Pontarini Architects Targeted by Play Ransomware Group

Hariri Pontarini Architects (HPA), a renowned Canadian architectural firm based in Toronto, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. This breach has resulted in the unauthorized access and potential exfiltration of a wide array of sensitive data, posing significant risks to both the firm's operations and the privacy of its clients.

About Hariri Pontarini Architects

Established in 1994 by Siamak Hariri and David Pontarini, HPA has built a reputation for its commitment to design excellence and innovation. The firm employs approximately 150 professionals and engages in a collaborative approach that emphasizes the unique voices of its members. HPA's diverse portfolio includes cultural institutions, academic facilities, mixed-use developments, multi-unit residential buildings, healthcare facilities, and commercial spaces. Notable projects include the redesign of the Royal Ontario Museum’s Crystal and the award-winning healthcare design at the Princess Margaret Cancer Centre.

Attack Overview

The Play ransomware group has claimed responsibility for the attack on HPA via its dark web leak site. According to the listing, the breach compromised a wide array of sensitive data, including private and personal confidential data, client documents, budgetary details, payroll records, accounting files, contracts, tax documents, identification information, and financial data. The breadth of the data involved underscores the severity of the attack for both the firm's operations and the privacy of its clients.

About the Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focused on Latin America, the group has expanded its operations to North America, South America, and Europe. The group targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure.

Attack Methods and Penetration

Play ransomware operators gain initial access through several routes, including exposed RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. The group also uses valid accounts, including VPN credentials that may have been reused or illicitly acquired. Once inside the network, the operators execute the ransomware via scheduled tasks and PsExec and maintain persistence through the same mechanisms. They use Mimikatz for privilege escalation and custom tools to enumerate users and computers on the compromised network.
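The post-access behaviour described above (remote execution through PsExec, persistence through scheduled tasks) leaves recognisable traces in Windows event logs. The following detection sketch is an added example written for this page, not code from the tracker site or from any vendor; it runs over constructed JSON-lines event records whose field names are an assumption about the log pipeline, flags PsExec service installs (event 7045) and scheduled tasks created from staging directories (event 4698), and raises a fan-out alert when one account installs the PsExec service on several hosts.

```python
import json
import re
from collections import defaultdict

# Constructed sample Windows event records (JSON lines); not real logs from
# the incident. The field names are an assumption about the log pipeline.
SAMPLE_EVENTS = r"""
{"ts":"2024-09-18T02:11:05Z","host":"fs01","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\jdoe"}
{"ts":"2024-09-18T02:11:09Z","host":"fs01","event_id":4698,"task_name":"\\Updater","command":"C:\\Windows\\Temp\\upd.exe","user":"CORP\\jdoe"}
{"ts":"2024-09-18T02:12:30Z","host":"ws07","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\jdoe"}
{"ts":"2024-09-18T09:00:00Z","host":"ws12","event_id":4698,"task_name":"\\Microsoft\\Windows\\Backup\\Nightly","command":"C:\\Program Files\\Backup\\bk.exe","user":"CORP\\svc_backup"}
"""

# Directories from which staged tooling typically runs; legitimate scheduled
# tasks rarely point here.
SUSPICIOUS_DIRS = re.compile(
    r"^(c:\\windows\\temp|c:\\users\\[^\\]+\\appdata|c:\\programdata)\\", re.I
)


def detect(events_text):
    """Return findings for PsExec-style remote execution and scheduled-task
    persistence, plus a fan-out alert when one account installs the PsExec
    service on two or more hosts."""
    findings = []
    psexec_hosts = defaultdict(set)  # user -> hosts where PSEXESVC appeared
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        eid = ev.get("event_id")
        svc = (ev.get("service_name", "") + ev.get("image_path", "")).upper()
        if eid == 7045 and "PSEXESVC" in svc:
            findings.append({"rule": "psexec_service_install",
                             "host": ev["host"], "user": ev["user"]})
            psexec_hosts[ev["user"]].add(ev["host"])
        elif eid == 4698 and SUSPICIOUS_DIRS.match(ev.get("command", "")):
            findings.append({"rule": "scheduled_task_from_staging_dir",
                             "host": ev["host"], "user": ev["user"],
                             "task": ev.get("task_name")})
    for user, hosts in psexec_hosts.items():
        if len(hosts) >= 2:
            findings.append({"rule": "psexec_fanout", "user": user,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one most worth tuning: a single admin account legitimately pushing PsExec to many hosts in a short window looks identical, so baseline it against known administrative accounts and change windows.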

Vulnerabilities and Impact

HPA's extensive use of digital tools and data storage makes it a prime target for ransomware attacks. The firm's commitment to innovation and design excellence involves handling large volumes of sensitive data, which, if compromised, can have severe repercussions. The attack on HPA highlights the growing threat of ransomware to businesses in the architectural and urban design sector, emphasizing the need for enhanced cybersecurity measures.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success to date, ransomware has become the most widespread and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.