Ransomware Attack on GridSME Highlights Energy Sector Vulnerabilities

Incident Date: Aug 21, 2024

Attack Overview

Victim: Grid Subject Matter Experts
Industry: Energy, Utilities & Waste
Location: USA
Attacker: Play
First Reported: August 21, 2024

Ransomware Attack on Grid Subject Matter Experts by Play Ransomware Group

Grid Subject Matter Experts (GridSME), a prominent company in the Energy, Utilities & Waste sector, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. The attack was first identified on August 21, and sensitive files were subsequently published on the dark web on August 26, 2024. This incident has raised significant concerns about the security of critical infrastructure in the energy sector.

About Grid Subject Matter Experts

GridSME, headquartered in Folsom, California, specializes in providing comprehensive solutions for the energy sector. The company focuses on integrating facilities into modern power grids, offering services in engineering, cybersecurity, compliance, and operations. With a team of registered professional engineers and seasoned experts, GridSME assists clients in navigating the complexities of the evolving energy landscape. The company employs approximately 59 individuals and reported an annual revenue of around $6.8 million.

What Makes GridSME Stand Out

GridSME is renowned for its tailored engineering solutions, which address the unique challenges faced by clients in the energy sector. Their cybersecurity team provides advanced solutions to enhance the reliability of projects and mitigate risks. Additionally, the company offers compliance support to help clients meet regulatory standards set by bodies such as the North American Electric Reliability Corporation (NERC) and the Electric Reliability Council of Texas (ERCOT). This combination of expertise and comprehensive services positions GridSME as a trusted partner in the energy sector.

Vulnerabilities and Attack Overview

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has targeted various industries, including critical infrastructure. The group is known for exploiting exposed RDP servers and known vulnerabilities in FortiOS and Microsoft Exchange, among others. In the case of GridSME, the exact method of initial access has not been disclosed; based on the group's history, it likely exploited known vulnerabilities or used valid accounts to gain entry.

Once inside the network, Play ransomware typically uses scheduled tasks and PsExec for execution and persistence. The group also employs tools like Mimikatz for privilege escalation and disables antimalware solutions to evade detection. The attack on GridSME has garnered significant attention, with the dark web post detailing the breach receiving 550 views, indicating a high level of interest and potential risk of data exploitation.
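The post-compromise behaviour described above (PsExec for lateral execution, scheduled tasks for persistence, antimalware tampering for defence evasion) leaves footprints in standard Windows event logs that a defender can alert on. The following is an added detection sketch, not code from Halcyon or from the GridSME investigation: it scans a handful of constructed Windows event records and flags the three behaviours individually, then raises a higher-severity finding when two or more of them land on the same host. The event IDs are the standard Windows ones (7045 service installation in the System log, 4698 scheduled task creation in the Security log, 5001 Defender real-time protection disabled); the hostnames, usernames, task names and command lines are invented for the sample.

```python
"""Detection sketch for Play-style post-compromise activity.

Added example. The sample events below are constructed, not telemetry from
the GridSME incident. Event IDs are the real Windows ones; everything else
(hosts, users, task names, command lines) is invented for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class WinEvent:
    event_id: int
    host: str
    user: str
    data: dict = field(default_factory=dict)


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


# Interpreters commonly launched from a malicious scheduled task.
LOLBIN = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)

# Constructed sample events: one benign workstation logon, a suspicious
# sequence on SRV01, and a legitimate-looking backup task on WS02.
SAMPLE_EVENTS = [
    WinEvent(4624, "WS01", "alice", {"LogonType": "2"}),
    WinEvent(7045, "SRV01", "SYSTEM",
             {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    WinEvent(4698, "SRV01", "admin",
             {"TaskName": "\\Updater", "Command": "cmd.exe /c start /b C:\\Users\\Public\\u.bat"}),
    WinEvent(5001, "SRV01", "SYSTEM", {}),
    WinEvent(4698, "WS02", "svc_backup",
             {"TaskName": "\\Microsoft\\Windows\\Backup\\Nightly", "Command": "backup.exe"}),
]


def rule_psexec_service(ev: WinEvent):
    """7045: PsExec installs a service named PSEXESVC on the remote host."""
    if ev.event_id == 7045 and ev.data.get("ServiceName", "").upper() == "PSEXESVC":
        return Finding(ev.host, "psexec_service_install", "high", ev.data.get("ImagePath", ""))
    return None


def rule_scheduled_task(ev: WinEvent):
    """4698: task outside the \\Microsoft\\ tree, or one that launches an interpreter."""
    if ev.event_id != 4698:
        return None
    name = ev.data.get("TaskName", "")
    cmd = ev.data.get("Command", "")
    if LOLBIN.search(cmd) or not name.startswith("\\Microsoft\\"):
        return Finding(ev.host, "suspicious_scheduled_task", "medium", f"{name} -> {cmd}")
    return None


def rule_defender_disabled(ev: WinEvent):
    """5001 (Microsoft-Windows-Windows Defender/Operational): real-time protection disabled."""
    if ev.event_id == 5001:
        return Finding(ev.host, "defender_realtime_disabled", "high", "Real-time protection disabled")
    return None


RULES = (rule_psexec_service, rule_scheduled_task, rule_defender_disabled)


def detect(events):
    """Apply each rule to each event, then correlate hits per host."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    # Any single hit can be noise; two distinct behaviours on one host looks
    # like the execution/persistence/evasion chain described for Play.
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    for host, rules in rules_by_host.items():
        if len(rules) >= 2:
            findings.append(Finding(host, "play_like_chain", "critical", ", ".join(sorted(rules))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.host:6} {f.rule:28} {f.detail}")
```

Two operational caveats for anyone adapting this: event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled in the audit policy, so check that it is actually being collected before relying on it, and legitimate administrators do use PsExec, so the service-install rule is most useful as a correlation input rather than a standalone alert.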

About Play Ransomware Group

The Play ransomware group distinguishes itself by not including an initial ransom demand or payment instructions in its ransom notes. Instead, victims are directed to contact the threat actors via email. The group has impacted over 300 entities across multiple regions, including North America, South America, and Europe. Their dark web presence and data leak site serve as platforms for publishing information about their attacks and victims.
