Cyber Incident Victim: Play

Date: Dec 2022

Location: Mexico

Summary

A ransomware group identified as Play targeted multiple entities, including the Congress of Jalisco and a major Argentinian retailer, encrypting critical systems and demanding payment for decryption keys. The legislative body experienced server encryption impacting administrative operations, while the retailer faced operational disruptions leading to manual invoicing and potential warranty complications for customers. Play threatened to publish sensitive data from the retailer, including employee documents and biometric information. Concurrently, other organizations reported cyber incidents around the same period, such as a Brazilian manufacturer isolating systems after an attack and a separate ransomware group leaking data from a Spanish city council. Investigators were assessing potential data exfiltration in several cases.

Description

On November 27, 2022, Requena City Council in Valencia, Spain, experienced a cyberattack that encrypted user data, forcing system shutdowns. The BlackCat (ALPHV) ransomware group claimed responsibility, demanding $500,000 in Bitcoin. Municipal operations remained disrupted for 10 days, including payroll systems, resulting in partial salary payments to 200 officials. The council issued a formal resolution acknowledging the incident on November 28. BlackCat subsequently leaked stolen files containing municipal data.

Separately, Automóvil Club Argentino disclosed a December 1 network intrusion that disrupted mechanical assistance, insurance, membership services, and gas station operations across Argentina. The organization restored mechanical services by December 3 and transitioned other systems from contingency to normal operations gradually, issuing public apologies for service interruptions.

Multiple ransomware incidents emerged around December 5. Argentina's National Institute of Statistics and Census (INDEC) reported a virus affecting its hosting server and user validation system, forcing a website takedown. Investigation revealed that malware activated during a scheduled backup and encrypted the virtual machine handling internal authentication. INDEC disconnected all servers preemptively before restoring services after security testing on December 6.

Concurrently, Brazil-based automotive manufacturer Iochpe-Maxion experienced a cyberattack causing system unavailability at domestic and international facilities. The company implemented security protocols, isolated affected systems, and engaged specialists to investigate the incident's scope.

On December 6, Mexico's Congress of Jalisco confirmed a Play ransomware attack encrypting 14 servers containing legislative, legal, and administrative data. Officials confirmed extortion attempts but could not verify data exfiltration or deletion. Play did not list the breach on its leak site initially.

Argentinian retailer Cetrogar suffered a ransomware attack in early December that disabled point-of-sale systems, forcing staff to issue handwritten invoices, a practice raising warranty and tax compliance concerns. On December 9, the Play ransomware group added an unnamed Argentinian victim matching Cetrogar's profile to its leak site, threatening to publish employee documents, passports, fingerprints, and agreements on December 17.
