Play ransomware hackers claim attack on US manufacturer Microchip Technology

The Play ransomware gang has claimed responsibility for last week's attack on the American semiconductor manufacturer Microchip Technology.

The cybercrime group added Microchip Technology to its data leak site on Tuesday, according to several cybersecurity researchers. Play is known for using custom tools and executing double-extortion attacks, where it not only encrypts a victim’s files, but also threatens to release stolen data.

Microchip Technology said last week that intruders had disrupted “certain servers and some business operations.” Upon detecting the incident, the company isolated the affected systems, shut down some services and launched an investigation.

Microchip Technology did not respond to a request for comment about the Play gang's involvement in the attack. It manufactures products such as microcontrollers, embedded security devices, and radio frequency devices, selling them to companies in the automotive, industrial, aerospace, and defense industries. Its sales in 2024 reached $7.6 billion.

The Play group initially stated that it would give its victims 72 hours to pay a ransom before publishing stolen data.

“We know the timeline was extended much longer in this case since Play is just now claiming responsibility a full week after Microchip Technology reported the attack to the SEC [Securities and Exchange Commission],” said Kevin O’Connor, a researcher at the U.S.-based cybersecurity firm Adlumin.

“It’s not that unusual for ransomware gangs to go beyond the threatened release period, but it suggests that negotiations may have been taking place,” he told Recorded Future News.

According to Adlumin, the Play ransomware operation has grown considerably over the past year, likely due to its shift to an affiliate model — which can complicate attribution for an attack. 

“We haven’t seen anything yet indicating if it was the core group or its affiliates that impacted Microchip Technology,” O’Connor said.

Play ransomware was first detected in June 2022. According to an advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the group encrypts systems after exfiltrating data and has impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia.

According to research published in July by the cybersecurity firm Trend Micro, most of the group’s attacks this year have been concentrated in the U.S.