TPIS Industrial Services, a U.S.-based manufacturing company, was listed as a victim by the Play ransomware group on March 26, 2026. The attack follows Play's established double extortion playbook: encryption of critical systems combined with data exfiltration, with stolen data threatened for public release if ransom demands are not met. Play is one of the most active and technically capable ransomware operations targeting industrial and manufacturing organizations globally, and this incident continues a sustained campaign against U.S. industrial infrastructure that has accelerated through early 2026.
What Happened
Play ransomware operators added TPIS Industrial Services to their dark web leak site on March 26, 2026, claiming a successful intrusion and data theft. Play's documented operational pattern is an extended dwell period during which the operators map the network, identify high-value systems, and stage data for exfiltration before deploying the ransomware payload to maximize disruption. If that playbook was followed here, the encryption phase would have locked the company out of its own operational systems, halting production workflows and forcing a crisis response; the leak-site listing itself confirms only the group's claim of intrusion and data theft.
The specific duration of unauthorized access prior to detection has not been disclosed. Play operations typically involve dwell times ranging from days to weeks before encryption is triggered, during which the group conducts thorough reconnaissance and lateral movement across the compromised environment. TPIS Industrial Services has not issued a public statement at time of writing.
What Was Taken
The full scope of exfiltrated data has not been publicly confirmed. Based on Play's standard double extortion model and the nature of TPIS's industrial operations, likely exfiltrated data categories include:
- Operational and manufacturing data — production processes, equipment configurations, operational schedules
- Intellectual property — proprietary manufacturing techniques, engineering specifications, product designs
- Business and financial records — contracts, vendor relationships, financial statements
- Employee records — personnel data, contact information, HR files
- Client and partner data — customer contracts, supplier information, delivery records
Play typically publishes proof-of-exfiltration samples on its leak site before a ransom deadline, with full data dumps released if payment is not made. Whether TPIS data has been partially or fully released has not been confirmed at time of reporting.
Why It Matters
Manufacturing is now the single most targeted sector for ransomware globally, and Play is among the top three most active groups driving that trend. The sector's vulnerability is structural: operational technology (OT) environments running legacy industrial control systems, production systems that cannot tolerate downtime and therefore cannot be patched on normal cycles, and IT/OT convergence that has expanded the attack surface without equivalent security investment.
For TPIS specifically, ransomware disruption to an industrial services company creates cascading effects beyond the immediate victim. Manufacturing companies operate within complex supply chains — a production halt or data breach at a single node can delay deliveries, disrupt downstream manufacturing processes, and expose the intellectual property of client organizations whose proprietary processes or products were managed through TPIS's systems.
Play's targeting of industrial organizations is not opportunistic. The group specifically selects victims where operational disruption creates maximum leverage for ransom payment — and manufacturing companies, where every hour of downtime has a quantifiable financial cost, are ideal targets.
The Attack Technique
Play's documented intrusion methodology follows a consistent pattern across victims:
- Initial access — Play primarily exploits vulnerabilities in internet-facing systems: FortiOS SSL-VPN flaws, Microsoft Exchange ProxyNotShell vulnerabilities, and exposed RDP are among the group's most frequently abused entry points. Valid credentials obtained through phishing or purchased on credential markets are also commonly used.
- Defense evasion — Play disables or tampers with endpoint detection and response (EDR) tooling early in the intrusion, using bring-your-own-vulnerable-driver (BYOVD) techniques to kill security processes from kernel mode and living-off-the-land binaries (LOLBins) to blend in with routine administration.
- Lateral movement — Using legitimate admin tools (PsExec, WMI) alongside Cobalt Strike beacons, Play moves laterally across the network to reach domain controllers and high-value servers, including backup infrastructure.
- Data exfiltration — Before deploying ransomware, the group stages and compresses sensitive data with WinRAR and transfers it to cloud storage or attacker-controlled infrastructure.
- Ransomware deployment — Play deploys its custom encryptor across the network at once, appending the .play extension to encrypted files and dropping ransom notes.
The specific initial access vector for the TPIS intrusion has not been confirmed.
What Organizations Should Do
- Audit all internet-facing systems for known Play entry points — Immediately verify patch status on FortiOS/FortiGate VPN appliances, Microsoft Exchange servers, and any RDP-exposed endpoints. Play has exploited unpatched instances of CVE-2022-41082 (ProxyNotShell), CVE-2023-27532 (Veeam), and multiple FortiOS CVEs. If any of these systems was exposed while unpatched, treat it as potentially compromised: patching alone does not evict an attacker who already has a foothold, so hunt for web shells, newly created accounts, and unexpected scheduled tasks or services before closing the finding.
- Protect and isolate backup infrastructure — Play specifically targets and destroys backup systems to eliminate recovery options. Keep at least one copy of backups offline or in immutable storage that cannot be modified or deleted with ordinary administrative credentials, and plan on domain admin credentials being compromised: a backup server joined to the same domain and reachable with those credentials is not a recovery option. Test restoration from backups quarterly.
- Deploy EDR with tamper protection enabled — Play routinely disables endpoint security tools early in the attack chain. Ensure EDR solutions have tamper protection enabled and that alerts for security tool termination generate immediate SOC response. Any EDR process kill, security service stop, or real-time protection disable event should be treated as a high-priority incident indicator.
- Segment OT/ICS networks from corporate IT — If production systems share network access with corporate IT, a ransomware infection on the IT side can propagate directly to operational technology. Industrial environments require strict network segmentation with unidirectional data flows where the process allows, enforced firewall rules, and no direct connectivity between engineering workstations and corporate email or internet-accessible systems.
- Monitor for LOLBin abuse and lateral movement indicators — Play relies heavily on native Windows tools. Implement detection rules for anomalous use of PsExec, WMI remote execution, PowerShell remoting, and WinRAR compression of large data volumes. An unusual volume of SMB traffic between workstations and servers, or domain controller logons from non-admin endpoints, should trigger immediate investigation.
- Establish an incident response retainer before you need it — Manufacturing organizations often lack internal IR capability matched to a Play-level intrusion. A pre-negotiated IR retainer with a qualified firm means response begins in hours rather than days; in ransomware incidents, the first 24 hours largely determine whether recovery takes days or months.
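The EDR tamper-protection and LOLBin-monitoring items above describe detections in prose. As an added example that is not code from the original article or from any Play advisory, the Python script below turns them into rules and runs them over a handful of constructed Sysmon-style process-creation records: PsExec and WMI remote execution (both the source and the PSEXESVC side on the target), PowerShell remoting, WinRAR staging with split or encrypted volumes, shadow-copy deletion, Defender real-time protection being switched off, and a kernel driver service being registered from the command line as a BYOVD precursor. It also correlates across events to flag one user fanning out to several remote hosts. The host names, user names, command lines, and the EDR service watch-list are assumptions; substitute the service and process names of the EDR actually deployed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
# Host names, users and command lines are illustrative, not from any real incident.
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n Q1_report.docx'},
    {"Computer": "WS-017", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\SRV-DC01 -s -accepteula cmd.exe /c whoami"},
    {"Computer": "WS-017", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\SRV-FILE02 -s -accepteula cmd.exe /c whoami"},
    {"Computer": "WS-017", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:SRV-BKP01 process call create "cmd.exe /c vssadmin delete shadows /all /quiet"'},
    {"Computer": "SRV-FILE02", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Computer": "SRV-FILE02", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -r -hpX -v2g D:\stage\fin.rar \\SRV-FILE02\Finance\*"},
    {"Computer": "SRV-FILE02", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Computer": "SRV-FILE02", "User": "CORP\\svc_backup",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create killdrv type= kernel binPath= C:\Temp\drv.sys"},
]

PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "paexec.exe"}
RAR_IMAGES = {"rar.exe", "winrar.exe"}
# Assumed EDR/AV watch-list: Defender service and process names plus two vendor agents.
# Extend this with the names used by the EDR actually deployed in your environment.
EDR_NAMES = r"(?:msmpeng|windefend|sense|wdnissvc|csfalconservice|sentinelagent)"
TAMPER_PATTERNS = [
    re.compile(r"set-mppreference\s+-disablerealtimemonitoring", re.I),
    re.compile(r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b.*\b"
               + EDR_NAMES + r"\b", re.I),
    # BYOVD precursor: a kernel driver service registered from the command line
    re.compile(r"\bsc(?:\.exe)?\s+create\b.*\btype=\s*kernel\b", re.I),
]
# Remote target in a PsExec (\\HOST) or wmic (/node:HOST) command line
REMOTE_TARGET = re.compile(r"(?:\\\\|/node:)([A-Za-z0-9._-]+)")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (rule, severity) hits for one process-creation record."""
    img, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
    low = cmd.lower()
    hits = []
    if img in PSEXEC_IMAGES:
        hits.append(("psexec_remote_exec", "high"))
    if "psexesvc.exe" in (img, parent):            # target side of a PsExec session
        hits.append(("psexec_service_on_target", "high"))
    if img == "wmic.exe" and "/node:" in low:
        hits.append(("wmi_remote_exec", "high"))
    if parent == "wmiprvse.exe" and img in ("cmd.exe", "powershell.exe"):
        hits.append(("wmi_spawned_shell", "high"))
    if parent == "wsmprovhost.exe" or re.search(r"invoke-command|enter-pssession|-computername", low):
        hits.append(("powershell_remoting", "medium"))
    # rar 'a' (add) combined with split volumes (-v), header encryption (-hp) or a password (-p)
    if img in RAR_IMAGES and re.match(r"\S+\s+a\s", cmd) and re.search(r"\s-(?:v\d+[kmg]?|hp\S*|p\S+)", low):
        hits.append(("rar_staging_split_or_encrypted", "high"))
    if "vssadmin" in low and "delete shadows" in low:
        hits.append(("shadow_copy_deletion", "critical"))
    if any(p.search(cmd) for p in TAMPER_PATTERNS):
        hits.append(("edr_tamper_or_driver_load", "critical"))
    return hits


def lateral_fanout(events, threshold=3):
    """Map (source host, user) -> sorted distinct remote targets once fan-out reaches threshold."""
    targets = defaultdict(set)
    for ev in events:
        if _base(ev["Image"]) in PSEXEC_IMAGES | {"wmic.exe"}:
            for host in REMOTE_TARGET.findall(ev["CommandLine"]):
                targets[(ev["Computer"], ev["User"])].add(host.lower())
    return {key: sorted(hosts) for key, hosts in targets.items() if len(hosts) >= threshold}


def scan(events, fanout_threshold=3):
    """Run every per-event rule plus the cross-event fan-out rule; return finding dicts."""
    findings = []
    for ev in events:
        for rule, sev in check_event(ev):
            findings.append({"rule": rule, "severity": sev, "computer": ev["Computer"],
                             "user": ev["User"], "detail": ev["CommandLine"]})
    for (computer, user), hosts in lateral_fanout(events, fanout_threshold).items():
        findings.append({"rule": "lateral_fanout", "severity": "critical", "computer": computer,
                         "user": user, "detail": f"{len(hosts)} distinct remote targets: {', '.join(hosts)}"})
    return findings


def rule_counts(findings):
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:>8}] {f['rule']:<32} {f['computer']:<10} {f['user']:<20} {f['detail']}")
```

On the sample set the Word launch on WS-042 produces nothing, while the svc_backup activity yields nine findings, including the cross-event fan-out hit for one account reaching three different servers from one workstation. The per-event rules are deliberately simple string and regex matches so they translate directly into SIEM or Sigma logic; the fan-out rule is the one worth keeping stateful, because a single PsExec invocation is routine on many networks but one account touching several servers in a short window is the lateral-movement pattern described above.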