PLAY RANSOMWARE GROUP TAKES OWNERSHIP OF KRISPY KREME ATTACK

The Play ransomware group has claimed responsibility for a cyberattack on Krispy Kreme and is threatening to leak sensitive company data just days before Christmas. The multinational doughnut and coffeehouse chain confirmed that hackers initially breached its systems on November 29. Three weeks later, on December 21, Play announced it had stolen data from Krispy Kreme’s networks and plans to publish it. The ransomware group listed the company on its dark web leak site, claiming to have exfiltrated “private and personal confidential data, clients’ documents, budget, payroll, accounting, contracts, finance information, etc.” However, Play did not provide samples or specify the volume of stolen data, marking only “???” next to the data size in gigabytes.

Krispy Kreme acknowledged the breach in a filing with the U.S. Securities and Exchange Commission on December 11, noting disruptions to certain business operations, including online ordering systems, which were expected to remain offline during recovery efforts. As of the latest update, online ordering has been restored for most shops, with work ongoing to resolve the remaining issues. The company stated it is working with leading cybersecurity experts to investigate, contain, and remediate the attack. It is unclear if Krispy Kreme has been in contact with the Play group or whether any ransom demands have been discussed.

Play, currently ranked the third most active ransomware group of 2024, has reportedly carried out around 350 attacks this year, targeting organizations across the U.S., Canada, Latin America, and Europe. This accounts for nearly 19% of all ransomware attacks in 2024, trailing LockBit (30%, 519 attacks) and RansomHub (26%, 487 attacks). First observed two years ago, Play is suspected to have Russian ties and continues to employ a double-extortion model, encrypting victims’ systems after stealing data.

In 2023, Play was responsible for high-profile attacks on the City of Oakland, the Palo Alto County Sheriff’s Office, and the Donald W. Wyatt Detention Center, among others. The gang has been known to exploit vulnerabilities in remote monitoring and management (RMM) software and a legacy Fortinet firewall flaw. Other notable victims from last year include Rackspace, German hotel chain H-Hotels, and BMW France, underscoring the group’s global reach and disruptive capabilities.