Ransomware Attack Exposes Sensitive Data of Policy Administration Solutions
Ransomware Attack on Policy Administration Solutions by Play Ransomware Group
Policy Administration Solutions (PAS), a specialized provider of automation solutions for the insurance industry, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. The attack was first identified on August 21, and sensitive information was subsequently published on the dark web on August 26. The dark web post detailing the breach has garnered 308 views.
About Policy Administration Solutions
Founded in 1996 and headquartered in Manhasset, New York, PAS focuses on delivering advanced technology to insurance carriers, sureties, and large Managing General Agents (MGAs). The company offers a comprehensive suite of insurance policy administration software designed to streamline various business processes, including claims processing, policy management, and billing. PAS's solutions are built to accommodate the complexities of diverse insurance products, particularly in Property and Casualty (P&C) insurance.
What sets PAS apart is its configurability, allowing clients to tailor the software to meet specific business needs. The integration of artificial intelligence (AI) and API capabilities further enhances the adaptability of their solutions. The company employs a .NET MVC platform, ensuring stability and scalability, which are essential for handling the evolving demands of the insurance sector. PAS also provides consulting services, including training, documentation, and quality assurance.
Company Size and Revenue
PAS is a medium-sized company with 51-200 employees. Some sources specifically mention 56 employees. The company's revenue is reported to be in the range of "$1 Billion and Over," although this figure seems unusually high for a company of this size and may require further verification.
Attack Overview
The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially concentrated in Latin America, the group now operates across North America, South America, and Europe. It targets a wide range of sectors, including IT, transportation, construction, materials, government entities, and critical infrastructure.
Play operators gain initial access through several routes, including exposed RDP servers and exploitation of known FortiOS and Microsoft Exchange vulnerabilities. Once inside, they use Mimikatz to dump credentials and escalate privileges, and custom tooling to enumerate every user and computer in the compromised domain. The ransomware payload is executed, and persistence is maintained, through scheduled tasks and PsExec. Both of those steps leave standard Windows telemetry (scheduled-task creation and service-installation events), which is the practical hook for detection.
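The scheduled-task and PsExec execution described above is visible in two ordinary Windows events: Security Event ID 4698 ("A scheduled task was created", which requires Audit Other Object Access Events to be enabled) and System Event ID 7045 ("A service was installed in the system"). The following detection logic is an added example, not Halcyon's code and not derived from the PAS incident. It assumes events have already been parsed out of the SIEM into dicts with the field names used here; the sample events, the staging-directory list, and the 30-minute correlation window are all constructed assumptions to tune for your environment.

```python
"""Detect Play-style execution and persistence: suspicious scheduled-task
creation (Event ID 4698) and PsExec service installation (Event ID 7045).
Added example with constructed sample events; field names are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directories that legitimate tasks and services rarely run from but that
# intrusions commonly stage payloads in (assumption: tune per environment).
STAGING_DIRS = re.compile(
    r"(\\Users\\Public\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Downloads\\|\\PerfLogs\\)",
    re.IGNORECASE,
)
# Script hosts commonly chained through by malicious tasks.
SCRIPT_HOSTS = re.compile(
    r"(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32)", re.IGNORECASE
)
# Default PsExec service name (PSEXESVC) and its common misspelling variant.
PSEXEC_NAME = re.compile(r"psexe[sc]vc", re.IGNORECASE)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events, as if already parsed from the Security/System logs.
SAMPLE_EVENTS = [
    {"time": "2024-08-21T02:00:01", "id": 4698, "host": "WS01", "subject": "CORP\\jdoe",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "content": "<Command>%windir%\\system32\\defrag.exe</Command>"},          # benign
    {"time": "2024-08-21T02:14:30", "id": 4698, "host": "WS01", "subject": "CORP\\svc_backup",
     "task": "\\Updater", "content": "<Command>C:\\Users\\Public\\upd.exe</Command>"},
    {"time": "2024-08-21T02:15:02", "id": 7045, "host": "FS02",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},            # PsExec
    {"time": "2024-08-21T02:16:00", "id": 7045, "host": "FS02", "service": "Sense",
     "image": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""},
    {"time": "2024-08-21T02:17:45", "id": 4698, "host": "DC01", "subject": "CORP\\svc_backup",
     "task": "\\Sys",
     "content": "<Command>cmd.exe</Command><Arguments>/c C:\\Windows\\Temp\\p.exe</Arguments>"},
    {"time": "2024-08-21T02:18:10", "id": 7045, "host": "APP03",
     "service": "xyzsvc", "image": "%SystemRoot%\\xyzsvc.exe"},                # PsExec -r
]


def classify(event):
    """Per-event rules. Returns (rule_name, detail) on a hit, else None."""
    if event["id"] == 4698:
        content = event.get("content", "")
        if STAGING_DIRS.search(content):
            return ("task_from_staging_dir", event["task"])
        if SCRIPT_HOSTS.search(content):
            return ("task_via_script_host", event["task"])
    elif event["id"] == 7045:
        name, image = event.get("service", ""), event.get("image", "")
        if PSEXEC_NAME.search(name) or PSEXEC_NAME.search(image):
            return ("psexec_service_install", name)
        # PsExec -r <name> copies <name>.exe into %SystemRoot% (the ADMIN$ share)
        # and installs a service of the same name; catch the renamed case.
        m = re.fullmatch(r"%SystemRoot%\\([^\\]+)\.exe", image, re.IGNORECASE)
        if m and m.group(1).lower() == name.lower():
            return ("psexec_like_service_install", name)
        if STAGING_DIRS.search(image):
            return ("service_from_staging_dir", name)
    return None


def detect(events, window=timedelta(minutes=30), min_hosts=2):
    """Apply per-event rules, then flag any account whose suspicious task
    creations touch >= min_hosts distinct hosts inside a sliding window
    (scheduled tasks used for lateral movement rather than a one-off)."""
    alerts, by_subject = [], defaultdict(list)
    for e in events:
        hit = classify(e)
        if hit:
            alerts.append({"rule": hit[0], "detail": hit[1], "host": e["host"], "time": e["time"]})
            if e["id"] == 4698:
                by_subject[e["subject"]].append(e)
    for subject, evs in by_subject.items():
        evs.sort(key=lambda x: ts(x["time"]))
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if ts(x["time"]) - ts(start["time"]) <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "task_spray_by_account", "detail": subject,
                               "host": ",".join(sorted(hosts)), "time": start["time"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["host"]:<10} {a["rule"]:<28} {a["detail"]}')
```

The per-event rules fire on four of the six sample events (the built-in defrag task and the EDR sensor service are ignored), and the correlation step adds a fifth alert because the same service account created staged tasks on two hosts within three minutes, which is the lateral-movement pattern rather than a single misconfigured job.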
Penetration and Impact
The Play ransomware group distinguishes itself by not including an initial ransom demand or payment instructions in its ransom notes. Instead, victims are directed to contact the threat actors via email. The group has impacted over 300 entities, including businesses and critical infrastructure across multiple regions. The attack on PAS has compromised sensitive information, which has been published on the dark web.