Major supplier of military and commercial aircraft allegedly hit by Play ransomware

Threat actors have claimed a ransomware attack on a major supplier for the US Navy, Northrop Grumman, Boeing and more, having allegedly stolen company data.

Jamco Aerospace is a New York-based engineering and fabrication firm that specialises in crafting components for aerospace and aircraft manufacturers, including aircraft builders used by the US and other governments.

The company was listed on the ransomware site of Play Ransomware on Wednesday (6 August) last week, with a ransom payment deadline of Sunday, 10 August.

The group claims to have exfiltrated “private and personal confidential data, clients documents, budget, payroll, IDs, taxes, finance information, etc”. However, the group has not specified how much data it claims to have stolen.

With the deadline now having been reached, the group said it has published only some of the data and that it will publish the rest if Jamco Aerospace does not reach out.

At this stage, Jamco Aerospace has yet to acknowledge the cyber attack publicly. Cyber Daily has also not been able to verify the authenticity of the data posted by Play ransomware.

According to cyber security firm Rapid7’s quarterly report, Play ransomware has cemented itself as one of the most notorious ransomware gangs currently in operation, listing the fourth-highest number of victims with 125, almost double the next largest group.

In total, the group has impacted roughly 900 organisations globally as of May 2025. According to an updated joint advisory published by the US Critical Infrastructure and Security Agency (CISA) and FBI, alongside the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the group makes initial contact via both telephone and email.

“Each victim receives a unique @gmx.de or @web[.]de email for communications,” a 4 June update within the advisory said.

“A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom.”

Play has also been observed, alongside other actors and access brokers, taking advantage of a vulnerability in the remote management tool SimpleHelp. CVE-2024-57727 was disclosed in January 2025 and has allowed many actors to achieve remote code execution across multiple US entities.

The hackers also go to the trouble of recompiling their ransomware binary after every attack so that each network incursion has a unique hash, making it harder for security software to detect any malicious activity. We also know that Play has an ESXi variant of its malware.

“The ESXi variant of Play ransomware invokes shell commands specific to the ESXi environment to conduct tasks, including powering off all running virtual machines (VMs), listing machine names, and setting the welcome message of the ESXi interface to the campaign-specific ransom note,” the advisory said.

“The ransomware binary supports command line arguments; however, if no command line arguments are passed, the malware powers off all VMs and encrypts files related to VMs using randomly generated per-file keys.”

This variant is also recompiled following each attack.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.