Southeast Cooler Hit by Major Ransomware Attack from Play Group
Ransomware Attack on Southeast Cooler by Play Ransomware Group
Southeast Cooler, a prominent manufacturer of commercial refrigeration equipment, has recently fallen victim to a ransomware attack orchestrated by the Play ransomware group. This breach has resulted in the unauthorized access and potential exfiltration of a wide array of sensitive data, posing significant risks to the company's operations and the privacy of its clients.
About Southeast Cooler
Established nearly three decades ago, Southeast Cooler has evolved from a small regional player to a significant global provider in the refrigeration industry. The company specializes in producing premium walk-in coolers, walk-in freezers, and combination coolers. Their manufacturing facility, located in Lithia Springs, Georgia, spans over 140,000 square feet and is equipped with advanced machinery and technology to enhance production efficiency and product quality. With a dedicated team of over 100 employees, Southeast Cooler has made significant investments in its workforce and manufacturing capabilities, enabling it to maintain a competitive edge within the industry.
Attack Overview
The ransomware attack on Southeast Cooler has led to the compromise of various types of sensitive data, including private and personal confidential data, client documents, budgetary details, payroll records, accounting files, contracts, tax documents, identification information, and financial data. The extent of the data breach underscores the severity of the attack, highlighting significant risks to both the company's operations and the privacy of its clients.
About Play Ransomware Group
The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has been responsible for numerous high-profile attacks. Initially focused on Latin America, the group has expanded its operations to North America, South America, and Europe. Play ransomware targets a diverse range of industries, including IT, transportation, construction, materials, government entities, and critical infrastructure.
Attack Methods
Play ransomware employs various methods to gain entry into a network, including exploiting RDP servers, FortiOS vulnerabilities, and Microsoft Exchange vulnerabilities. The group uses tools like Mimikatz to extract high-privilege credentials and escalate privileges. They also employ tools to disable antimalware and monitoring solutions, such as Process Hacker, GMER, and IOBit. The ransomware executes its code using scheduled tasks and PsExec, and it maintains persistence on compromised systems through these methods.
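As an added illustration (not code from the original post or from Halcyon), the following Python pass scans constructed Windows event log lines for the tradecraft named above: PsExec service installs, new scheduled tasks, and launches of the tools listed. The event IDs are the standard Windows System/Security ones; the host names, tool list and sample events are assumptions made for the example.

```python
# Added example (not the article's or Halcyon's code). Event IDs are the standard
# Windows ones: System 7045 = service installed, Security 4698 = task created,
# 4688 = process created. All sample events below are constructed.
import json
from collections import defaultdict

# Tool names from the article, matched on the launched image path. Binaries are
# routinely renamed, so a miss here is absence of evidence, not evidence of absence.
SUSPICIOUS_TOOLS = ("mimikatz", "processhacker", "gmer", "iobit")

def classify_event(ev: dict) -> list:
    """Return detection tags for one parsed event (empty list if nothing fired)."""
    tags = []
    eid = ev.get("EventID")
    if eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        tags.append("psexec_service_install")  # PsExec remote execution
    if eid == 4698:
        tags.append("scheduled_task_created")  # execution / persistence
    if eid == 4688:
        image = ev.get("NewProcessName", "").lower().replace(" ", "")
        tags += [f"tool:{t}" for t in SUSPICIOUS_TOOLS if t in image]
    return tags

def scan(lines: list) -> list:
    """Parse JSON event lines, skip malformed ones, keep only tagged events."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        tags = classify_event(ev)
        if tags:
            hits.append({"host": ev.get("Computer", "?"), "event_id": ev["EventID"], "tags": tags})
    return hits

def hosts_with_multiple_tactics(hits: list) -> list:
    """Hosts where more than one distinct technique fired. PsExec and scheduled
    tasks alone are common in legitimate admin work; the combination is not."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].update(t.split(":")[0] for t in h["tags"])
    return sorted(host for host, kinds in seen.items() if len(kinds) > 1)

SAMPLE_EVENTS = [  # constructed sample log lines, one JSON event per line
    r'{"EventID": 7045, "Computer": "WS-01", "ServiceName": "PSEXESVC"}',
    r'{"EventID": 4698, "Computer": "WS-01", "TaskName": "\\Updater"}',
    r'{"EventID": 4688, "Computer": "WS-02", "NewProcessName": "C:\\Temp\\ProcessHacker.exe"}',
    r'{"EventID": 4688, "Computer": "WS-02", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}',
    "not valid json",
]
```

Run on the constructed sample, WS-01 is reported as a multi-tactic host (PsExec plus a new scheduled task) while WS-02 carries only a single tool launch.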
Penetration of Southeast Cooler's Systems
Given Southeast Cooler's reliance on advanced technology and a relatively small team, the company may have been vulnerable to targeted attacks exploiting specific software vulnerabilities or weak points in their network security. The Play ransomware group likely leveraged these vulnerabilities to gain unauthorized access and deploy their ransomware, leading to the significant data breach.