In a resurgence of cyber threats, the notorious PLAY Ransomware gang has once again captured headlines. Following an update from the FBI, which identified the Play ransomware gang as responsible for targeting more than 300 organizations, the gang is now making waves on Google for its latest breach involving the leakage of over 65,000 documents from Swiss government authorities.
The Switzerland National Cyber Security Centre (NCSC) has confirmed the incident, acknowledging the hackers’ release of sensitive data. According to reports, the Play ransomware group infiltrated the computer network of Xplain, a technology service provider, in May 2023, accessing substantial datasets from its servers.
In a bid to assert their cyber prowess, the group initially released a fraction of the stolen data—approximately 900GB of files—on June 1st, 2023. However, as their ransom demands went unmet, they proceeded to leak and vend the entirety of the compromised information to interested third parties. Among the leaked data are 1.3 million files containing sensitive information from entities such as the federal department of justice and police, the State Secretariat for Migration, and the Internal IT services associated with the Federal Office of the Police.
The leaked data encompasses passwords, technical documents, personal details including names, email addresses, phone numbers, and physical addresses, as well as classified files pertaining to certain state missions. In response to the breach, the Swiss government launched a thorough investigation in August 2023. However, grappling with vast amounts of unstructured data, officials faced significant challenges in deciphering the extent of the cyber incident.
The modus operandi of the Play Ransomware group typically involves hacking into corporate networks and demanding ransom for the decryption of files. However, since September 2022, they have escalated their tactics to include double extortion attacks. In these instances, they not only encrypt files but also threaten to expose sensitive information if their ransom demands are not met.
In a concerning development, the FBI’s November 2022 report highlighted the group’s shift towards targeting government networks. Furthermore, it suggested that the group’s primary objective has evolved to gathering intelligence, with the intention of selling the acquired data to state-funded criminal organizations operating on behalf of adversarial nations such as North Korea, Iran, China, and Russia.
