Cyber Incident Victim: Anchor Industries
Date:
May 2025
Location:
United States of America
Summary
Anchor Industries experienced a ransomware attack attributed to the Play cybercrime group, prompting an ongoing investigation. The attackers employed a double-extortion tactic, encrypting systems and threatening to release stolen data, though the company stated compromised customer information was limited to publicly available details. The incident disrupted operations, requiring IT and cybersecurity experts for mitigation, while law enforcement involvement remained unconfirmed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On Memorial Day weekend in late May 2025, Anchor Industries, an Evansville-based manufacturer of commercial tents, pool covers, awnings, and outdoor structures employing over 300 workers, suffered a cyberattack. The criminal group known as "Play" publicly claimed responsibility for the ransomware attack targeting the company. According to cybersecurity researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Play ransomware actors employ a double-extortion model, infiltrating systems to encrypt critical files and databases while also exfiltrating data. This tactic locks the victim out of their systems and threatens public release of stolen information unless a ransom is paid. Play added details of the Anchor Industries attack to its dark web blog shortly after the incident. The group has a known history of targeting manufacturing firms, including a 2024 attack on Microchip Technology in Arizona. Anchor Industries confirmed the attack prompted an immediate "ongoing investigation" but declined to specify the breach's nature or operational impact.
Anchor Industries Vice President of Sales Christen Mogavero stated the company became aware of the incident during the Memorial Day weekend and promptly engaged information technology and cybersecurity experts to mitigate the impact. These experts were deployed on-site at the company's 362,000-square-foot production facility. While ransomware attacks typically involve demands for cryptocurrency payments in exchange for decryption keys and to prevent data leaks, Play's ransom notes reportedly omit initial demands and instructions, directing victims to contact the attackers via email instead. Anchor Industries did not report the incident to the Vanderburgh County Sheriff's Office. The FBI did not confirm an investigation but encouraged reporting cybercrime through the Internet Crime Complaint Center. Mogavero indicated that customer data impacted by the breach was believed to be limited to "publicly available" information. The company did not disclose whether a ransom was paid or provide details on the duration or full extent of operational disruption.