Ransomware Attack on PreCom by Play Ransomware Group

On August 27, PreCom, a communications infrastructure company based in Boise, Idaho, discovered it had fallen victim to a ransomware attack orchestrated by the Play ransomware group. This incident has caused significant operational disruptions, and the extent of the data leak remains unknown as the company works diligently to assess the full impact and restore its services.

About PreCom

PreCom, established in 1993, specializes in providing comprehensive technology solutions throughout the Mountain West region. With over 80 years of combined experience in communications cabling, the company focuses on delivering high-quality services to both public and private sector organizations. Their offerings include structured cabling, fiber optic cabling, security systems, and various networking solutions designed to enhance connectivity and safety for their clients. PreCom's client-centered approach ensures that each project is tailored to meet specific needs while adhering to budgetary constraints. The company has earned a strong reputation in the Treasure Valley for exceptional customer service and ethical business practices.

Attack Overview

The ransomware attack on PreCom has disrupted its operations significantly. The company, known for its precision and attention to detail in managing complex and large-scale projects, such as the installation of security camera systems at the Boise Airport and access control systems for various facilities, is now grappling with the aftermath of this cyber incident. The attack has highlighted vulnerabilities in PreCom's cybersecurity measures, making it a target for sophisticated threat actors like the Play ransomware group.

About Play Ransomware Group

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. Play ransomware targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group distinguishes itself by using various methods to gain entry into networks, such as exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. They employ tools like Mimikatz for privilege escalation and custom tools to enumerate users and computers on compromised networks.

Penetration Methods

Play ransomware uses a combination of sophisticated techniques to penetrate company systems. They exploit vulnerabilities in RDP servers and FortiOS, use valid accounts, and leverage Microsoft Exchange vulnerabilities. Once inside, they execute their code using scheduled tasks and PsExec, maintain persistence through scheduled tasks, and escalate privileges using tools like Mimikatz. The group also employs tools to disable antimalware and monitoring solutions, making it challenging for companies to detect and mitigate the attack promptly.

• PreCom Inc
• SOCRadar - Play Ransomware
• Cyberint - Play Ransomware
• Symantec - Play Ransomware
• Proven Data - Play Ransomware