Attack Overview
VICTIM: Unico Data
INDUSTRY: Business Services
LOCATION: Switzerland
ATTACKER: Play
FIRST REPORTED: June 2, 2023

The Play Ransomware Gang's Attack on Unico Data

The Play ransomware gang has attacked Unico Data. Unico Data designs IT solutions to facilitate the smooth operation of Swiss companies. Unico Data has 29 employees and is headquartered in Switzerland. Play published Unico Data's details to its dark web leak site on June 2nd, claiming it will publish all 2.8TB of company data by June 11th if the company fails to pay an unspecified ransom.

A message left on Unico Data's answering machine confirmed the attack, saying: "Unfortunately, we are currently affected by a cyberattack, which has led to a precautionary shutdown of all systems." The incident has had knock-on effects on other European companies, including Pathe, PB Swiss Tools, and Boes Group.

Background on Play Ransomware

Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to leverage tools like Cobalt Strike for post-compromise lateral movement and the SystemBC RAT for persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins). There is little information on how much Play demands in ransom, but the group has thus far made good on its threats to leak the data of those who refuse payment.
