Ransomware Attack Hits Canadian Accounting Firm RSP LLP
RSP LLP Targeted in Ransomware Attack by Play Group
RSP LLP, a prominent Canadian firm of Chartered Professional Accountants and Business Advisors, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. The attack has compromised a significant amount of sensitive data, including client documents, payroll records, and financial information.
About RSP LLP
RSP LLP, based in Vaughan, Ontario, Canada, was founded in 1969 and has established itself as a significant player in the accounting sector. The firm employs approximately 51 individuals and reported an annual revenue of around $11 million. RSP LLP offers a wide range of services, including individual and business tax services, auditing, bookkeeping, and strategic business consulting. The firm is known for its personalized service and innovative approach to accounting and business advisory services, helping clients navigate complex financial landscapes.
Attack Overview
The Play ransomware group has claimed responsibility for the attack on RSP LLP via their dark web leak site. The attackers have compromised a wide array of sensitive data, including private and personal confidential information, client documents, budgetary details, payroll records, accounting files, contracts, tax information, identification documents, and financial data. This breach has significant implications for RSP LLP and its clients, potentially exposing them to further risks and financial losses.
About the Play Ransomware Group
The Play ransomware group, also known as PlayCrypt, has been active since June 2022. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe. The group targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. Play ransomware is known for its sophisticated attack methods, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities.
Penetration Methods
Play ransomware employs various methods to gain entry into a network. These include exploiting RDP servers and FortiOS vulnerabilities, using valid accounts, and leveraging Microsoft Exchange vulnerabilities. Once inside, the ransomware executes its code using scheduled tasks and PsExec, and maintains persistence through similar methods. The group also uses tools like Mimikatz for privilege escalation and employs custom tools to enumerate users and computers on a compromised network.
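The sequence described above (remote access, then execution through PsExec and scheduled tasks) can be hunted for in Windows event logs. The following is an added example, not taken from the original article or from any vendor tooling. It correlates RDP logons (event 4624, logon type 10) with PsExec service installs (event 7045) and scheduled task creation (event 4698) on the same host. The record field names, the sample events, the 30-minute window and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the incident); field names are a
# simplified, assumed export of the Windows Security and System event logs.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:10:00", "host": "FS01", "event_id": 4624, "logon_type": 10},
    {"time": "2024-05-01T02:14:30", "host": "FS01", "event_id": 7045, "service_name": "PSEXESVC"},
    {"time": "2024-05-01T02:16:05", "host": "FS01", "event_id": 4698, "task_name": "\\Updater"},
    {"time": "2024-05-01T09:00:00", "host": "WS07", "event_id": 4624, "logon_type": 2},
    {"time": "2024-05-01T09:30:00", "host": "WS07", "event_id": 4698, "task_name": "\\Backup"},
    {"time": "2024-05-01T03:00:00", "host": "DC01", "event_id": 4624, "logon_type": 10},
    {"time": "2024-05-01T08:00:00", "host": "DC01", "event_id": 7045, "service_name": "PSEXESVC"},
]

def classify(event):
    """Map one event to a behaviour tag, or None if it is not of interest."""
    eid = event.get("event_id")
    if eid == 4624 and event.get("logon_type") == 10:  # RemoteInteractive (RDP) logon
        return "rdp_logon"
    if eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service"  # default PsExec service name; a renamed service will not match
    if eid == 4698:  # scheduled task created (requires object access auditing)
        return "task_created"
    return None

def correlate(events, window_minutes=30):
    """Return {host: sorted tags} for hosts where an RDP logon is followed,
    within the window, by a PsExec service install and/or task creation."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    alerts = {}
    for host, tagged in by_host.items():
        tagged.sort()
        for start, tag in tagged:
            if tag != "rdp_logon":
                continue
            followed = {t for ts, t in tagged
                        if start < ts <= start + window and t != "rdp_logon"}
            if followed:
                alerts.setdefault(host, set()).update(followed | {"rdp_logon"})
    return {host: sorted(tags) for host, tags in alerts.items()}

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, tags)
```

Scheduled task creation and service installs are common in normal administration, so the correlation with a preceding RDP logon is what narrows the results; the window should be tuned to the environment.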
Implications for RSP LLP
RSP LLP's focus on personalized service and its extensive experience in the industry make it a reputable entity within the accounting sector. However, the firm's reliance on sensitive client data and financial information makes it a prime target for ransomware attacks. The breach by the Play ransomware group underscores the importance of advanced cybersecurity measures to protect against such sophisticated threats.