Ransomware Attack on Adina Design by Play Ransomware Group
Adina Design, a creative agency specializing in branding, design, and digital solutions, has recently fallen victim to a ransomware attack orchestrated by the notorious Play ransomware group. This breach has compromised a wide array of sensitive information, including private and personal data, client documents, budget details, payroll records, accounting files, contracts, tax information, identification documents, and financial data.
About Adina Design
Adina Design is a small to medium-sized enterprise known for its commitment to creating unique, tailored solutions for its clients. The agency emphasizes a collaborative approach that integrates client feedback throughout the design process, allowing them to deliver high-quality, impactful designs that resonate with target audiences. This focus on customization and client involvement distinguishes Adina Design in the competitive landscape of design and branding services.
Attack Overview
The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has targeted a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure. The group uses various methods to gain entry into networks, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. They execute their code using scheduled tasks and PsExec, and maintain persistence through similar methods.
Details of the Attack
The attack on Adina Design involved the use of custom tools to enumerate all users and computers on the compromised network and copy files from the Volume Shadow Copy Service (VSS). The ransomware group employs tools to disable antimalware and monitoring solutions, making it difficult for the victim to detect and mitigate the attack. The breach has resulted in the exposure of sensitive information, which could have severe implications for Adina Design and its clients.
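The execution and collection behaviours described above (PsExec, scheduled tasks, shadow-copy access) all leave Windows event-log traces. The following triage script is an added example, not from the original post or from Halcyon; the event records it runs on are constructed and use simplified field names rather than the raw EventData XML.

```python
"""Flag Windows events matching the PsExec / scheduled-task / VSS behaviours
described above. Added example; SAMPLE_EVENTS are constructed records with
simplified field names, not real logs from Adina Design's environment."""
import re

# Constructed sample events (System 7045 = service installed,
# Security 4698 = scheduled task created, Security 4688 = process created).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Update\\SvcHost",
     "Command": "C:\\Users\\Public\\x.exe"},
    {"EventID": 4688, "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4688, "CommandLine": "wmic shadowcopy call create Volume=C:\\"},
    {"EventID": 4688, "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
]

# Command lines that create a shadow copy (the VSS copying described above).
VSS_PATTERN = re.compile(r"(vssadmin\s+create\s+shadow|shadowcopy\s+call\s+create|diskshadow)", re.I)
# World-writable locations a legitimate scheduled task rarely runs from.
SUSPICIOUS_TASK_PATHS = ("\\users\\public\\", "\\programdata\\", "\\temp\\")


def classify_event(ev):
    """Return a rule name if the event matches one of the behaviours, else None."""
    eid = ev.get("EventID")
    if eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec_service_installed"
    if eid == 4698:
        cmd = ev.get("Command", "").lower()
        if any(p in cmd for p in SUSPICIOUS_TASK_PATHS):
            return "scheduled_task_from_writable_path"
    if eid == 4688 and VSS_PATTERN.search(ev.get("CommandLine", "")):
        return "shadow_copy_created_from_cli"
    return None


def triage(events):
    """Group events by the rule they fire: {rule_name: [events]}."""
    hits = {}
    for ev in events:
        rule = classify_event(ev)
        if rule:
            hits.setdefault(rule, []).append(ev)
    return hits


if __name__ == "__main__":
    for rule, evs in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} event(s)")
```

Each rule on its own is noisy on a busy network (admins use PsExec too); the value is in the combination firing on one host within a short window.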
Play Ransomware Group
The Play ransomware group distinguishes itself by not including an initial ransom demand or payment instructions in its ransom notes. Instead, victims are directed to contact the threat actors via email. The group has impacted over 300 entities, including businesses and critical infrastructure across multiple regions. Their dark web presence includes a data leak site where they post information about their attacks and victims.
Penetration Methods
Play ransomware could have penetrated Adina Design's systems through several initial access vectors, including reused or illicitly acquired VPN accounts and the exploitation of known vulnerabilities in RDP servers and Microsoft Exchange. The group's use of tools such as Mimikatz to extract high-privilege credentials and escalate privileges would then have facilitated access to sensitive data.