
New York Sports Clubs (NYSC) was allegedly hit by a cyber attack, according to a claim by the Play ransomware group. Play said it holds private and confidential data from the security incident, including IDs and client information.
They also allegedly have details about NYSC’s budget, payroll, accounting, and taxes. Not much has been disclosed about the amount of data exfiltrated or the attack vector.
According to threat intelligence reports by HackManac, which maintains a repository of cyber attacks, Play posted about the NYSC data breach and set a ransom deadline of April 14.
NYSC is operated by Town Sports International Holdings (TSI), along with Palm Beach Sports Club, Washington Sports Clubs, and Boston Sports Clubs.
It is not clear whether the hackers managed to steal the data from NYSC or are reselling previously exfiltrated data. Depending on the unauthorized access the threat actors gained, the possibility that they moved laterally across other systems cannot be completely ruled out.
The fitness centers have not made any official comments on the recent claims. We approached them for comments and will update this report upon receiving a response.
America’s cyber defense agency, CISA, issued an advisory warning about the Play group, which has targeted businesses and critical infrastructure to extort money. The group demands a ransom by guaranteeing the secrecy of the deal.
Like several ransomware groups, Play gains initial access using valid account credentials. It is not uncommon for cybercriminals to find dark web marketplaces where they can buy login credentials. Play has also been known to launch cyber attacks together with other groups and to share infrastructure.
The group exploits vulnerabilities in Microsoft and FortiOS to access victim networks. To avoid falling victim to the group's tactics, CISA urged users to implement a recovery plan that involves retaining copies of data to prevent critical data loss.
Other recommended practices include filtering network traffic to detect and stop unknown or suspicious account access.