Ransomware Attack Hits Leading Beauty Manufacturer DMI

Incident Date: Sep 13, 2024

Attack Overview

Victim: Dimensional Merchandising
Industry: Manufacturing
Location: USA
Attacker: Play
First reported: September 13, 2024

Ransomware Attack on Dimensional Merchandising by Play Ransomware Group

Dimensional Merchandising Inc. (DMI), a prominent contract manufacturer in the beauty and personal care industry, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. The breach was discovered on September 14, 2024, and the extent of the data leak remains undetermined at this time.

About Dimensional Merchandising Inc.

Based in Wharton, New Jersey, Dimensional Merchandising Inc. (DMI) is a leading FDA-registered formulator and manufacturer of cosmetics, over-the-counter (OTC) pharmaceuticals, health and beauty aids, and personal care products. Established in 1973, DMI has positioned itself as a full-service partner for brands in the beauty industry, offering a comprehensive suite of services that includes contract manufacturing, product development, and packaging. The company employs between 201 and 500 people and serves a diverse clientele, from well-known brands to startups.

One of DMI's core competencies is contract manufacturing, where it provides clients with access to a vast library of proprietary formulas. This enables customers to quickly enhance their product offerings and drive brand success. DMI's commitment to innovation is evident in its continuous investment in both human resources and technological advancements. The company also places a strong emphasis on quality systems and regulatory compliance, ensuring that all products adhere to global standards.

Attack Overview

The Play ransomware group, also known as PlayCrypt, has claimed responsibility for the attack on DMI. The group has been active since June 2022 and has targeted a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. Initially focused on Latin America, the group has since expanded its operations to North America, South America, and Europe.

Play ransomware uses various methods to gain entry into a network, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. The group employs tools like Mimikatz to extract high-privilege credentials and escalate privileges, and uses custom tools to enumerate all users and computers on a compromised network. The ransomware executes its code using scheduled tasks and PsExec, and maintains persistence through similar methods.
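Two of the execution and persistence artifacts described above, PsExec service installation and scheduled-task creation, leave standard Windows event log traces that a defender can hunt for. The following is an added example, not code from this page or from Halcyon: it runs two simple rules over constructed sample event records. Event IDs 7045 (service installed) and 4698 (scheduled task created) are standard Windows event IDs; the hostnames, task names and paths in the samples are invented.

```python
import re

# Constructed sample Windows events, shaped like parsed event records.
# Illustrative only; this is not telemetry from the DMI incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4698, "Computer": "WS07", "TaskName": "\\Update",
     "Command": "C:\\Windows\\Temp\\svc.exe"},
    {"EventID": 4698, "Computer": "WS07",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
]

# Directories an unprivileged user or a dropped payload can write to; a task
# launching a binary from one of these deserves analyst attention.
WRITABLE_DIRS = re.compile(
    r"^(?:[a-z]:\\windows\\temp\\|[a-z]:\\users\\[^\\]+\\appdata\\"
    r"|[a-z]:\\programdata\\|[a-z]:\\temp\\)",
    re.IGNORECASE,
)


def flag_event(event):
    """Return a reason string if the event matches one of the rules, else None."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a new service was installed
        name = event.get("ServiceName", "").upper()
        image = event.get("ImagePath", "").upper()
        if name == "PSEXESVC" or "PSEXESVC" in image:
            return "PsExec service installed: remote execution / lateral movement"
    elif eid == 4698:  # Security log: a scheduled task was created
        cmd = event.get("Command", "")
        if WRITABLE_DIRS.match(cmd):
            return f"task {event.get('TaskName')} runs binary from writable path {cmd}"
    return None


def scan(events):
    """Return (computer, reason) for every event that trips a rule, in input order."""
    hits = []
    for ev in events:
        reason = flag_event(ev)
        if reason:
            hits.append((ev.get("Computer", "?"), reason))
    return hits


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Both rules are deliberately narrow; in production they belong alongside baselining of legitimate admin tooling so that routine use of PsExec or Task Scheduler does not drown the signal.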

Potential Vulnerabilities

DMI's extensive use of proprietary formulas and advanced technologies makes it a lucrative target for ransomware groups like Play. The company's commitment to innovation and continuous investment in technological advancements may have inadvertently exposed it to vulnerabilities that threat actors could exploit. Additionally, the company's focus on regulatory compliance and quality systems suggests a reliance on complex IT infrastructure, which could be susceptible to sophisticated cyberattacks.

About Play Ransomware Group

The Play ransomware group distinguishes itself by not including an initial ransom demand or payment instructions in its ransom notes. Instead, victims are directed to contact the threat actors via email. The group has impacted over 300 entities, including businesses and critical infrastructure across multiple regions. Play ransomware continues to evolve and adapt new tactics, techniques, and procedures to evade detection and cause widespread disruption.
