Dutch agricultural and food producer NL Fisher has been named as the latest victim of the Play ransomware group, according to dark web monitoring reports circulating on X and aggregated by UNDERCODE NEWS. The threat actors allege they encrypted systems and disrupted critical infrastructure tied to production and logistics, marking another escalation in ransomware targeting of European food supply chains. The company has not yet publicly confirmed the full scope of the incident.
What Happened
Play ransomware operators publicly claimed responsibility for an attack on NL Fisher, a Dutch agricultural and food production firm. The claim was first surfaced by the threat monitoring account "Cybersecurity News Everyday," which reported that Play encrypted NL Fisher's infrastructure as part of a broader campaign targeting mid-sized manufacturers and agricultural organizations across Europe. Initial reporting indicates the attackers interfered with business infrastructure tied directly to production and logistics workflows, the operational core of any food producer. NL Fisher has not issued a public statement confirming or denying the breach, and the listing remains active on Play's dark web leak portal.
What Was Taken
Play ransomware operates a double-extortion model, meaning data exfiltration typically precedes encryption. While the specific volume and contents of stolen NL Fisher data have not yet been disclosed in the leak post, organizations in the agricultural and food production sector typically hold:
- Supplier and distributor contracts, including pricing and volume terms
- Logistics and cold-chain routing data
- Industrial control system configurations for production lines
- Employee personal data and payroll records
- Food safety compliance documentation and audit records
- Customer and retailer purchase orders
Play has a consistent track record of publishing victim data in staged releases when ransom negotiations stall, and the group's leak site has previously hosted hundreds of gigabytes per victim in similar mid-market intrusions.
Why It Matters
Agriculture and food production are now classified as critical infrastructure in the Netherlands and across most of the EU under the NIS2 directive. An operational disruption at a producer like NL Fisher cascades quickly: every hour of downtime affects cold storage, refrigeration cycles, transport schedules, manufacturing runs, and downstream supermarket distribution. The Play group has been linked to ransomware activity affecting hundreds of organizations globally since 2022 and was the subject of a joint advisory from CISA, the FBI, and the Australian Signals Directorate. Their continued focus on mid-market industrial and agricultural targets reflects a deliberate strategy: pick victims with low cyber maturity, high operational urgency, and insurance coverage sufficient to motivate payment.
The Attack Technique
Play ransomware has historically gained initial access through exploitation of public-facing applications, particularly unpatched FortiOS SSL VPN vulnerabilities (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell flaws (CVE-2022-41040, CVE-2022-41082). Once inside, the group typically conducts extensive reconnaissance using tools like AdFind, BloodHound, and Cobalt Strike, escalates privileges via Mimikatz, and disables endpoint defenses before deploying its custom encryptor. Reporting on the NL Fisher incident highlights a recurring weakness across the agricultural sector: insufficient segmentation between corporate IT and operational technology (OT) environments, which lets attackers pivot from a compromised office workstation into production-critical systems. CoreRecon CEO commentary cited in the original reporting flagged this exact pattern as Play's preferred entry path in recent agricultural intrusions.
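The tooling chain described above (AdFind and BloodHound for reconnaissance, Mimikatz for credential theft, endpoint defenses disabled before encryption) is what a defender should be hunting for in process-creation telemetry. The following is an added example, not code from the article, UNDERCODE NEWS or any vendor: a small Python hunt over constructed Windows Security Event 4688 records that matches on command-line content rather than file names (so a renamed Mimikatz binary is still caught) and rates a host higher when hits span more than one intrusion stage. The host names, user names, service name and argument patterns are assumptions made for the example, not observed indicators from the NL Fisher incident; Cobalt Strike is deliberately not matched by name, since beacons rarely carry a recognisable process name.

```python
"""Hunt for Play-style post-exploitation tooling in Windows process-creation events.

Added example; not from the article or any vendor. Runs over constructed Security
Event 4688 records (process creation, with command-line auditing enabled) and flags
the tools named in the text: AdFind, SharpHound/BloodHound and Mimikatz, plus a
generic pattern for stopping an endpoint security service. Argument patterns,
host names and the service name are assumptions, not real incident data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a Windows Security 4688 record."""
    timestamp: str
    host: str
    user: str
    image: str         # NewProcessName
    command_line: str  # CommandLine (empty unless command-line auditing is on)


# label -> (intrusion stage, regex over the lower-cased image + command line).
# Matching on command-line content rather than the file name catches a renamed
# binary: Mimikatz copied as mk.exe still passes "sekurlsa::" on its command line.
SIGNATURES = {
    "AdFind AD enumeration": ("discovery", re.compile(r"\badfind(\.exe)?\b")),
    "SharpHound/BloodHound collection": ("discovery", re.compile(r"sharphound|bloodhound")),
    "Mimikatz credential dumping": (
        "credential-access", re.compile(r"mimikatz|sekurlsa::|lsadump::")),
    "Endpoint security service stop": (
        "defense-evasion",
        re.compile(r"\b(sc|net)(\.exe)?\s+stop\b.*(defend|sense|edr|antivirus)")),
}


def classify(event: ProcessEvent) -> list:
    """Return the signature labels that match one event (empty list if none)."""
    haystack = f"{event.image} {event.command_line}".lower()
    return [label for label, (_, rx) in SIGNATURES.items() if rx.search(haystack)]


def triage(events) -> dict:
    """Group hits per host. One hit may be an admin running a legitimate tool;
    hits spanning two or more stages on the same host look like the
    discovery -> credential theft -> defense evasion chain and are rated high."""
    per_host = defaultdict(lambda: {"hits": [], "stages": set()})
    for ev in events:
        for label in classify(ev):
            per_host[ev.host]["hits"].append((ev.timestamp, ev.user, label))
            per_host[ev.host]["stages"].add(SIGNATURES[label][0])
    return {
        host: {
            "severity": "high" if len(info["stages"]) >= 2 else "medium",
            "stages": sorted(info["stages"]),
            "hits": info["hits"],
        }
        for host, info in per_host.items()
    }


# Constructed sample telemetry for this example (not real incident data).
SAMPLE_EVENTS = [
    ProcessEvent("2025-01-10T02:14:03Z", "WS-FIN-07", "CORP\\j.doe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c adfind.exe -f objectcategory=computer > computers.txt"),
    ProcessEvent("2025-01-10T02:19:41Z", "WS-FIN-07", "CORP\\j.doe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ep bypass -c Import-Module .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"),
    ProcessEvent("2025-01-10T02:31:07Z", "WS-FIN-07", "CORP\\j.doe",
                 r"C:\Users\Public\mk.exe",
                 r"mk.exe privilege::debug sekurlsa::logonpasswords"),
    ProcessEvent("2025-01-10T03:02:55Z", "SRV-BKP-01", "CORP\\svc_backup",
                 r"C:\Windows\System32\sc.exe", r"sc stop WinDefend"),
    ProcessEvent("2025-01-10T08:45:12Z", "WS-HR-02", "CORP\\a.smith",
                 r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\a.smith\Documents\audit-report.docx"),
    ProcessEvent("2025-01-10T09:10:00Z", "SRV-PRINT-01", "CORP\\helpdesk",
                 r"C:\Windows\System32\net.exe", r"net stop spooler"),
]


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {info['severity']} ({', '.join(info['stages'])})")
        for ts, user, label in info["hits"]:
            print(f"  {ts} {user}: {label}")
```

On the sample data the finance workstation is rated high (discovery plus credential access on one host), the backup server medium (a single service-stop event, which still deserves a look given how early in a Play intrusion backups are targeted), and the benign notepad and print-spooler events produce no hits. In production the same logic belongs in a SIEM rule fed by 4688 or Sysmon Event 1, with command-line auditing enabled, because without the command line the renamed-binary case is invisible.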
What Organizations Should Do
- Patch internet-facing infrastructure immediately. Prioritize Fortinet VPN, Microsoft Exchange, and any remote access gateway exposed to the public internet. Play actively scans for and exploits known unpatched CVEs.
- Segment IT from OT networks. Production, refrigeration, and logistics control systems must sit behind firewalled boundaries with strict access control. Flat networks remain the single biggest accelerator in food-sector ransomware events.
- Maintain offline, immutable backups. Cloud-only or domain-joined backups are routinely destroyed in the early stages of a Play intrusion. Keep at least one air-gapped copy, and test restoration quarterly.
- Deploy EDR with tamper protection. Play operators actively disable endpoint security tools before encryption. Tamper-protected EDR with 24/7 monitoring shortens dwell time dramatically.
- Enforce MFA on all remote access and privileged accounts. Stolen credentials are a common Play entry vector; MFA on VPN, RDP, and admin consoles closes that door.
- Rehearse an OT-aware incident response plan. Plans built only around office IT fail when refrigerated stock is spoiling. Include logistics, food safety, and regulatory notification workflows.
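The segmentation point above (production and logistics control systems behind firewalled boundaries with strict access control) is the one most often asserted on paper and least often verified against the live ruleset. The following is an added example, not the article's or any vendor's code: a Python audit over a constructed first-match firewall ruleset that reports every reachable "allow" letting the corporate IT zone reach the OT zone, except traffic from a designated jump host on an approved port set, and that recognises an allow fully covered by an earlier deny as shadowed. The zone CIDRs, jump-host address, rule names and port sets are all constructed assumptions for this example.

```python
"""Audit a first-match firewall ruleset for IT-to-OT exposure.

Added example, not the article's or any vendor's code. Zones, CIDRs, rule names
and port sets are constructed for illustration. An "allow" crossing from the IT
zone into the OT zone is a finding unless it originates from the approved jump
host and grants only the approved ports. An allow fully covered by an earlier
deny is shadowed (unreachable) and is not reported.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed zone definitions (assumptions for this example).
IT_ZONE = [ipaddress.ip_network("10.10.0.0/16")]        # offices, workstations
OT_ZONE = [ipaddress.ip_network("10.50.0.0/16")]        # production lines, refrigeration PLCs, WMS
JUMP_HOSTS = [ipaddress.ip_network("10.10.250.10/32")]  # hardened, MFA-protected jump host
APPROVED_JUMP_PORTS = frozenset({22, 3389})


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    ports: Optional[FrozenSet[int]]   # None means every port
    action: str                       # "allow" or "deny"


def _net(cidr: str):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def _touches(net, zone) -> bool:
    """True if the network overlaps any prefix in the zone."""
    return any(net.overlaps(z) for z in zone)


def _inside(net, zone) -> bool:
    """True if the network is wholly contained in some prefix of the zone."""
    return any(net.subnet_of(z) for z in zone)


def _ports_cover(outer, inner) -> bool:
    """True when port set `outer` includes every port in `inner` (None = all ports)."""
    if outer is None:
        return True
    return inner is not None and inner <= outer


def _shadowed(rule: Rule, earlier: List[Rule]) -> bool:
    """An allow is unreachable if an earlier deny covers its src, dst and ports."""
    return any(
        e.action == "deny"
        and _net(rule.src).subnet_of(_net(e.src))
        and _net(rule.dst).subnet_of(_net(e.dst))
        and _ports_cover(e.ports, rule.ports)
        for e in earlier
    )


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, problem) for each reachable allow that lets IT reach OT
    outside the jump-host path."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        src, dst = _net(rule.src), _net(rule.dst)
        if not (_touches(src, IT_ZONE) and _touches(dst, OT_ZONE)):
            continue
        if _shadowed(rule, rules[:i]):
            continue
        if _inside(src, JUMP_HOSTS):
            if not _ports_cover(APPROVED_JUMP_PORTS, rule.ports):
                findings.append((rule.name, "jump host granted ports beyond the approved set"))
        else:
            findings.append((rule.name, "IT->OT traffic allowed from a non-jump source"))
    return findings


# Constructed ruleset, evaluated top to bottom, first match wins.
SAMPLE_RULES = [
    Rule("deny-guest-to-ot", "10.10.20.0/24", "10.50.0.0/16", None, "deny"),
    Rule("jump-to-plc-rdp", "10.10.250.10/32", "10.50.1.0/24", frozenset({3389}), "allow"),
    Rule("legacy-historian-share", "10.10.0.0/16", "10.50.10.0/24", frozenset({445, 3389}), "allow"),
    Rule("guest-to-ot", "10.10.20.0/24", "10.50.0.0/16", None, "allow"),  # shadowed by the deny above
    Rule("jump-to-ot-any-port", "10.10.250.10/32", "10.50.0.0/16", None, "allow"),
    Rule("default-permit", "any", "any", None, "allow"),
]


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

On the constructed ruleset the audit reports three problems: a legacy SMB/RDP share rule that lets every office workstation reach a production subnet, a jump-host rule with no port restriction, and a trailing default-permit that makes the network effectively flat. The guest-network allow is correctly ignored because the earlier deny already blocks it. Exporting a real ruleset into this shape and running the check after every change is a cheap way to keep the IT/OT boundary from silently eroding through one-off exceptions.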