Play Ransomware Attack on Tri-State General Contractors

Incident Date: May 22, 2024

Attack Overview
Victim: Tri-State General Contractors
Industry: Construction
Location: USA
Attacker: Play
First reported: May 22, 2024

Overview of the Attack

In May 2024, Tri-State General Contractors, a prominent US-based construction company, experienced a significant ransomware attack executed by the Play ransomware group. The attack specifically targeted the company's supply management website, leading to the encryption of critical data and disruption of their supply chain operations. This incident significantly impacted Tri-State's ability to manage and deliver construction products, showcasing the severe operational consequences of such cyberattacks.

About Tri-State General Contractors

Founded in 2008, Tri-State General Contractors specializes in commercial and residential construction projects, offering services such as general contracting, construction management, design-build, and pre-construction services. With a presence in multiple states including California, Arizona, Nevada, and Texas, Tri-State is known for its commitment to quality performance, exceptional results, and strong client relationships. The company prides itself on delivering projects "on time" and "on budget," focusing on customer satisfaction and building long-term client trust.

Company Profile

Tri-State General Contractors is a leading commercial general contractor and construction company with a substantial presence in the industry. The company employs a team of highly skilled professionals and maintains a strong leadership structure. Although exact revenue figures are not publicly disclosed, Tri-State's extensive operational scale and significant market presence underscore its prominence in the construction sector.

Details of the Ransomware Attack

The Play ransomware group, active since 2022, is known for its sophisticated and evolving tactics, particularly targeting Linux systems with a double-extortion model. This approach involves exfiltrating data before encrypting it, thereby increasing the pressure on victims to pay the ransom by threatening to release sensitive information publicly. In the case of Tri-State General Contractors, the attackers exploited vulnerabilities in public-facing applications and leveraged weaknesses in the company's cybersecurity infrastructure.

The Play ransomware actors are adept at disabling antivirus software and removing log files to evade detection. Their toolkit includes various legitimate applications repurposed for malicious activities, such as AdFind for querying Active Directory and GMER for disabling security software. This continuous refinement of their tactics, techniques, and procedures (TTPs) makes them a significant threat to organizations across various sectors.
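The paragraph above names three behaviours a defender can watch for: AdFind run against Active Directory, security tooling disabled, and event logs cleared. The following detection script is an added example written for this write-up, not Halcyon's code and not anything recovered from the Tri-State incident. It runs over a handful of constructed, Windows-style JSON event records (host names, user names, paths and the exact field names are assumptions chosen for the example) and returns triage-ready alerts. The event IDs are real (Security 1102 = audit log cleared, Windows Defender/Operational 5001 = real-time protection disabled, Sysmon 1 and Security 4688 = process creation); the command-line heuristic for a renamed AdFind binary is an assumption about how the tool is commonly invoked, not something the page states.

```python
"""Detection logic for the Play-style evasion and discovery activity
described above. Added example; not Halcyon's or Play's code."""
import json
import re

# Process names from the write-up, mapped to MITRE ATT&CK techniques.
SUSPECT_PROCESSES = {
    "adfind.exe": "T1087.002 domain account discovery (AdFind)",
    "gmer.exe": "T1562.001 impair defenses (GMER)",
}

# Real Windows event IDs.
SECURITY_LOG_CLEARED = 1102      # Security channel: audit log cleared
DEFENDER_RTP_DISABLED = 5001     # Windows Defender/Operational: RTP disabled
PROCESS_CREATE_IDS = {1, 4688}   # Sysmon EID 1, Security EID 4688

# Assumption: a renamed AdFind binary still carries its distinctive
# "-f (objectcategory=...)" filter on the command line.
ADFIND_CMDLINE = re.compile(r"(?i)-f\s+\(?objectcategory=")


def analyse_event(ev: dict):
    """Return an alert dict for one event, or None if nothing matched."""
    eid = ev.get("event_id")
    channel = ev.get("channel", "")
    host = ev.get("host", "?")

    if eid == SECURITY_LOG_CLEARED and channel == "Security":
        return {"host": host, "rule": "T1070.001 security log cleared",
                "detail": f"cleared by {ev.get('user', '?')}"}

    if eid == DEFENDER_RTP_DISABLED and "Defender" in channel:
        return {"host": host,
                "rule": "T1562.001 antivirus real-time protection disabled",
                "detail": channel}

    if eid in PROCESS_CREATE_IDS:
        image = ev.get("image", "")
        name = image.lower().rsplit("\\", 1)[-1]   # strip the directory
        cmd = ev.get("command_line", "")
        if name in SUSPECT_PROCESSES:
            return {"host": host, "rule": SUSPECT_PROCESSES[name],
                    "detail": cmd}
        if ADFIND_CMDLINE.search(cmd):
            return {"host": host, "rule": SUSPECT_PROCESSES["adfind.exe"],
                    "detail": f"renamed binary {name}: {cmd}"}
    return None


def scan(lines):
    """Parse one JSON event per line and collect alerts; skip bad records."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue   # malformed record: skip rather than stop the pipeline
        alert = analyse_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not real telemetry). Raw string so the JSON
# keeps its escaped Windows path separators.
SAMPLE_LOG = r"""
{"event_id": 4688, "channel": "Security", "host": "WS-07", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
{"event_id": 1, "channel": "Microsoft-Windows-Sysmon/Operational", "host": "WS-07", "user": "jdoe", "image": "C:\\Temp\\adfind.exe", "command_line": "adfind.exe -f (objectcategory=person)"}
{"event_id": 1102, "channel": "Security", "host": "DC-01", "user": "svc_backup"}
{"event_id": 5001, "channel": "Microsoft-Windows-Windows Defender/Operational", "host": "WS-07"}
{"event_id": 4688, "channel": "Security", "host": "WS-12", "user": "jdoe", "image": "C:\\Temp\\af.exe", "command_line": "af.exe -f (objectcategory=computer)"}
this line is not json and must be skipped
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['host']:6} {a['rule']}: {a['detail']}")
```

Run as a script it prints four alerts from the sample: the AdFind execution, the cleared security log, the disabled Defender protection, and the renamed AdFind binary caught by its command line; the benign notepad launch and the malformed line produce nothing. In production the same `analyse_event` rule would sit behind a SIEM or EDR feed, and the log-clear alert in particular should be correlated with the clearing account, since an unexpected service account wiping the Security log is exactly the pre-encryption pattern the paragraph describes.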

Play Ransomware Group Profile

Initially associated with the Babuk ransomware code, the Play ransomware group has expanded its operations globally, targeting a wide range of sectors. They are particularly noted for exploiting vulnerabilities in Microsoft Exchange servers, such as the ProxyNotShell vulnerabilities. This method involves bypassing traditional security mitigations, making their attacks more effective and difficult to defend against.

Play ransomware actors employ a range of tools to gain initial access, move laterally within networks, and exfiltrate data. Their use of sophisticated techniques and continuous adaptation highlights the critical need for robust cybersecurity measures to mitigate such risks. The group's evolution from data theft to deploying cryptographic lockers underscores their growing sophistication and threat level.

Implications and Recommendations

The ransomware attack on Tri-State General Contractors underscores the urgent need for comprehensive cybersecurity measures, especially for companies managing sensitive data and critical operations. Implementing multifactor authentication, maintaining regular offline backups, and keeping software and systems up to date are essential practices to mitigate such risks. Furthermore, investing in advanced threat detection and response solutions can help organizations swiftly identify and neutralize potential threats.
