Play Ransomware Targets Jamco Aerospace, Threatens Data Leak
Jamco Aerospace, a New York-based engineering firm supplying critical components to aerospace and defense manufacturers, including U.S. government contractors, has been listed as a victim of the Play ransomware group. The attackers posted the company’s name on their dark web leak site on Wednesday, August 6, setting a ransom deadline of Sunday, August 10.
Play claims to have exfiltrated sensitive data, including private and personal records, client documents, payroll, financial information, IDs, and tax files, though the exact volume of stolen data remains unspecified. After the deadline passed, the group released a portion of the data and warned that the rest would be published unless Jamco Aerospace engaged with them. As of now, the company has not publicly acknowledged the attack, and the authenticity of the leaked data has not been independently verified.
Play ransomware has emerged as one of the most active threat groups, ranking fourth in victim count with 125 reported attacks in a recent quarter, nearly double the next most prolific gang. Since May 2025, the group has compromised roughly 900 organizations globally, according to a joint advisory from CISA, the FBI, and Australia’s ACSC. Attackers typically initiate contact via unique @gmx.de or @web.de email addresses, with some victims also receiving phone calls pressuring them to pay.
The group has exploited CVE-2024-57727, a critical vulnerability in SimpleHelp, a remote management tool, to gain initial access. Once inside a network, Play deploys custom-compiled ransomware binaries for each attack, altering file hashes to evade detection. Their malware includes an ESXi variant that shuts down virtual machines, lists active systems, and encrypts VM-related files using per-file encryption keys. The ransomware also modifies the ESXi welcome message to display the attackers’ demands.
With no public response from Jamco Aerospace, the full extent of the breach and its potential impact on aerospace supply chains remain unclear.
Intrex Aerospace cybersecurity rating report: https://www.rankiteo.com/company/intrex-aerospace
"id": "INT1775190472",
"linkid": "intrex-aerospace",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Aerospace and defense',
'location': 'New York, USA',
'name': 'Jamco Aerospace',
'type': 'Engineering firm'}],
'attack_vector': 'Exploitation of CVE-2024-57727 in SimpleHelp remote '
'management tool',
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Private and personal records',
'Client documents',
'Payroll',
'Financial information',
'IDs',
'Tax files']},
'date_detected': '2025-08-06',
'date_publicly_disclosed': '2025-08-06',
'description': 'Jamco Aerospace, a New York-based engineering firm supplying '
'critical components to aerospace and defense manufacturers '
'including U.S. government contractors, has been listed as a '
'victim of the Play ransomware group. The attackers posted the '
'company’s name on their dark web leak site on Wednesday, '
'August 6, setting a ransom deadline of Sunday, August 10. '
'Play claims to have exfiltrated sensitive data, including '
'private and personal records, client documents, payroll, '
'financial information, IDs, and tax files. After the deadline '
'passed, the group released a portion of the data and warned '
'that the rest would be published unless Jamco Aerospace '
'engaged with them. The company has not publicly acknowledged '
'the attack, and the authenticity of the leaked data has not '
'been independently verified.',
'impact': {'data_compromised': 'Private and personal records, client '
'documents, payroll, financial information, '
'IDs, tax files',
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': 'ESXi virtual machines, VM-related files'},
'initial_access_broker': {'entry_point': 'Exploitation of CVE-2024-57727 in '
'SimpleHelp'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain, data extortion',
'post_incident_analysis': {'root_causes': 'Exploitation of unpatched '
'vulnerability (CVE-2024-57727)'},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': 'Play'},
'references': [{'date_accessed': '2025-08-06',
'source': 'Play ransomware dark web leak site'},
{'source': 'Joint advisory from CISA, FBI, and Australia’s '
'ACSC'}],
'threat_actor': 'Play ransomware group',
'title': 'Play Ransomware Targets Jamco Aerospace, Threatens Data Leak',
'type': 'Ransomware',
'vulnerability_exploited': 'CVE-2024-57727'}