InteriorWorx Commercial Flooring Faces Ransomware Threat

Incident Date: Sep 29, 2024

Attack Overview

VICTIM: InteriorWorx Commercial Flooring
INDUSTRY: Construction
LOCATION: USA
ATTACKER: Play
FIRST REPORTED: September 29, 2024

Ransomware Attack on InteriorWorx Commercial Flooring by Play Group

InteriorWorx Commercial Flooring, a prominent player in the commercial flooring industry, has recently been targeted by the Play ransomware group. The attack, discovered on September 30, has raised concerns about the security measures in place at the company, which is known for its specialized flooring solutions tailored to various commercial sectors.

Company Profile and Industry Standing

Based in Tempe, Arizona, InteriorWorx Commercial Flooring, operating under the registered name ReSource Arizona LLC, has over 35 years of experience in the construction sector. The company employs between 51 and 100 individuals and generates an estimated annual revenue of $5.1 million. InteriorWorx is distinguished by its collaborative approach, offering expert consultation and a wide range of flooring solutions, including resilient flooring, concrete finishing, and ceramic tiling. Their commitment to understanding the unique needs of different commercial environments, such as healthcare and education, sets them apart in the industry.

Details of the Ransomware Attack

The Play ransomware group, active since June 2022, has claimed responsibility for the attack on InteriorWorx. Known for targeting diverse industries, including construction, the group has expanded its operations across North America, South America, and Europe. The attack on InteriorWorx highlights the vulnerabilities that construction companies face, particularly those with significant digital footprints and reliance on networked systems for project management and client interactions.

Play Ransomware Group's Modus Operandi

Play ransomware is notorious for its sophisticated attack methods, often exploiting vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange. The group uses tools like Mimikatz for privilege escalation and employs custom tools to enumerate network users and computers. Their attacks are characterized by the use of scheduled tasks and PsExec for persistence, and they often disable antimalware solutions to evade detection. Unlike typical ransomware groups, Play does not include an initial ransom demand in their notes, directing victims to contact them via email instead.
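A defender can watch for the behaviours named above (PsExec service installation, scheduled task creation, antimalware being switched off) clustering on one host. The following is an added example, not Halcyon's code or detection logic: it correlates standard Windows event IDs (7045, 4698, Defender 5001) over constructed sample records. The record layout, the 30-minute window and the threshold of two behaviours are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour -> (event log channel, event ID, substring required in detail or None).
# 4698 is only logged when scheduled-task auditing is enabled on the host.
RULES = {
    "psexec_service_installed": ("System", 7045, "PSEXESVC"),
    "scheduled_task_created": ("Security", 4698, None),
    "defender_realtime_disabled": ("Microsoft-Windows-Windows Defender/Operational", 5001, None),
}

def classify(event):
    """Return the behaviour name an event matches, or None."""
    for name, (channel, event_id, needle) in RULES.items():
        if event["channel"] == channel and event["event_id"] == event_id:
            if needle is None or needle.lower() in event["detail"].lower():
                return name
    return None

def correlate(events, window=timedelta(minutes=30), threshold=2):
    """Flag hosts where >= threshold distinct behaviours fall inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        name = classify(ev)
        if name:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct behaviours seen within `window` of this hit.
            seen = {n for t, n in hits[i:] if t - start <= window}
            if len(seen) >= threshold and len(seen) > len(alerts.get(host, [])):
                alerts[host] = sorted(seen)
    return alerts

# Constructed sample records (not from the incident), as parsed from exported logs.
SAMPLE = [
    {"host": "FS01", "time": "2024-01-01T02:10:00", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "detail": "Real-time protection is disabled"},
    {"host": "FS01", "time": "2024-01-01T02:14:00", "channel": "System", "event_id": 7045, "detail": "Service Name: PSEXESVC"},
    {"host": "FS01", "time": "2024-01-01T02:20:00", "channel": "Security", "event_id": 4698, "detail": "Task Name: \\Updater"},
    {"host": "WS07", "time": "2024-01-01T09:00:00", "channel": "Security", "event_id": 4698, "detail": "Task Name: \\BackupJob"},
    {"host": "WS07", "time": "2024-01-01T15:00:00", "channel": "System", "event_id": 7045, "detail": "Service Name: PSEXESVC"},
    {"host": "WS07", "time": "2024-01-01T15:05:00", "channel": "System", "event_id": 7045, "detail": "Service Name: PrintHelper"},
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE).items():
        print(host, behaviours)
```

PsExec and scheduled tasks are also routine administration tools, which is why the example alerts on co-occurrence within a short window rather than on any single event.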

Potential Vulnerabilities and Impact

The attack on InteriorWorx underscores the importance of effective cybersecurity measures in the construction sector. Companies like InteriorWorx, which rely heavily on digital systems for project management and client engagement, are particularly vulnerable to ransomware attacks. The breach's impact on InteriorWorx's operations and client data remains to be fully assessed, but it serves as a stark reminder of the evolving threat landscape faced by businesses today.
