Russia-Linked Play Ransomware Hits Super Quik Gas Stations, Leaks Internal Documents and CCTV Footage
Regional Gas Station Chain Falls Victim to Double Extortion Attack
Executive Summary
Super Quik, a multi-state convenience store and gas station chain operating across Kentucky, Ohio, West Virginia, and Florida with an annual revenue of $124.8 million, has been compromised by the Russia-linked Play ransomware group. The attackers have leaked what appears to be approximately 5.5 GB of stolen internal documents and security camera footage on their dark web data leak site after the company reportedly refused to pay the ransom demand.
The breach was posted to Play's dark web blog on November 1, 2025, marking another high-profile victim in the group's ongoing campaign against critical infrastructure and commercial businesses.

Attack Details
Victim Profile
Super Quik Inc. is an employee-owned convenience store and fuel station chain that has built its business on providing quality service and community engagement throughout the southeastern United States. The company operates multiple locations across four states, serving as a critical piece of local infrastructure for countless communities.
The Breach
Play ransomware employed its signature double extortion technique, which involves both encrypting victim systems and exfiltrating sensitive data before demanding payment for decryption keys and non-disclosure of the stolen information. When Super Quik apparently declined to negotiate or pay the ransom, the threat actors followed through on their threat by publishing the stolen data.
The leaked data includes:
- Internal company documents
- CCTV security camera footage from gas station locations
- Potentially sensitive business records and operational data
The publication of security camera footage is particularly concerning, as it could compromise customer privacy, reveal security protocols, and expose vulnerabilities in the company's physical security infrastructure.
About Play Ransomware
Threat Actor Profile
According to a joint advisory from the FBI, CISA, and Australia's ASD ACSC, Play ransomware has compromised approximately 900 organizations since the group emerged in 2022. The group has demonstrated a pattern of targeting diverse sectors across multiple continents.
Play has previously claimed responsibility for attacks against major organizations including the Chicago radio station WFMT, multinational chain Krispy Kreme, the City of Oakland California, the Palo Alto County Sheriff's office in Iowa, and the Donald W. Wyatt maximum security detention center in Rhode Island.
Technical Capabilities
Play ransomware gains initial access by exploiting FortiOS vulnerabilities CVE-2020-12812 and CVE-2018-13379, along with exposed RDP servers, and then distributes ransomware payloads across systems using Group Policy Objects executed as scheduled tasks.
One of the group's distinguishing features is their use of intermittent encryption—a technique that makes detection significantly more difficult. Play is thought to be one of the first ransomware groups to implement intermittent encryption, where only certain fixed segments of a system are encrypted, allowing for faster data exfiltration while evading many endpoint security solutions. Other notorious groups including ALPHV/BlackCat, DarkBit, and BianLian have since adopted this tactic.
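To show why intermittent encryption defeats a whole-file entropy check, and what the chunk-level detection asked of EDR/XDR later in this piece looks like in practice, here is an added Python example (not from the advisory, the Play samples or any vendor product); the segment size, thresholds and sample file are assumptions to tune against known-good files.

```python
import hashlib
import math
from collections import Counter

# Assumed values: the page gives neither Play's segment size nor any threshold.
CHUNK_SIZE = 4096      # bytes per segment examined
HIGH_ENTROPY = 7.5     # bits/byte typical of ciphertext or compressed data
LOW_ENTROPY = 6.0      # bits/byte typical of text, logs and office documents

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file 'plain', 'encrypted', 'intermittent' or 'unknown'.
    'intermittent' = ciphertext-like chunks next to low-entropy chunks,
    a pattern that a single whole-file entropy score averages away."""
    ents = [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]
    if not ents:
        return "unknown"
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high == len(ents):
        return "encrypted"
    if high and low:
        return "intermittent"
    if low == len(ents):
        return "plain"
    return "unknown"

def pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

def build_sample(intermittent: bool, chunks: int = 8) -> bytes:
    """Constructed file of repeated log text; every other chunk overwritten if intermittent."""
    text = (b"Fuel delivery log, pump 3, 07:15, 2400 gal regular unleaded. " * 100)[:CHUNK_SIZE]
    parts = [pseudo_ciphertext(CHUNK_SIZE, bytes([i])) if intermittent and i % 2 == 0 else text
             for i in range(chunks)]
    return b"".join(parts)
```

The same partially encrypted sample scores below the ciphertext threshold as a whole file, which is exactly the averaging effect the chunked check avoids.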
Tactics, Techniques, and Procedures (TTPs)
The Play ransomware group gains initial access through stolen credentials and exploitation of known vulnerabilities in FortiOS, Microsoft Exchange, and external-facing services like RDP and VPNs. Their attack methodology includes:
- Credential Theft: Using tools like Mimikatz to steal credentials and WinPEAS for privilege escalation
- Lateral Movement: Deploying PowerShell scripts targeting Microsoft Defender and relying on Cobalt Strike, SystemBC, and PsExec for lateral movement
- Defense Evasion: Each ransomware binary is recompiled for individual campaigns, making detection more challenging
- Data Exfiltration: Stealing sensitive information before encryption begins
Play follows a double extortion model where victims are instructed to contact the group via @gmx.de or @web.de email addresses and pay ransoms in cryptocurrency, with threats to publish stolen data on their Tor-hosted leak site if demands are refused.
Industry Impact and Implications
Targeting Critical Infrastructure
The attack on Super Quik highlights the vulnerability of the retail fuel and convenience store sector to sophisticated ransomware operations. Gas stations represent critical infrastructure that communities depend on for daily operations, and breaches of these systems can have cascading effects:
- Customer Privacy Concerns: The leak of CCTV footage potentially exposes customers who visited these locations during the recording period
- Operational Disruption: Even after systems are restored, the breach may impact daily operations and customer trust
- Supply Chain Risks: As a multi-state operation, disruptions could affect fuel distribution and supply chains
- Employee Data: Internal documents may contain sensitive employee information including payroll and personal data
The Double Extortion Threat
The Super Quik incident demonstrates the effectiveness of double extortion tactics in pressuring victims. Even organizations that maintain robust backups and can recover from encryption may still face significant reputational and legal consequences from data exposure.
The publication of security camera footage adds another dimension to this threat. Cybersecurity researchers have investigated data samples accessible via the posted download link, confirming the authenticity of the breach materials.
Defensive Strategies
Immediate Actions
Organizations in the retail fuel sector should take the following steps to protect against Play ransomware:
- Patch Known Vulnerabilities: Immediately update FortiOS systems and Microsoft Exchange servers
- Secure Remote Access: Implement multi-factor authentication on all RDP and VPN endpoints
- Network Segmentation: Isolate critical systems including point-of-sale terminals and surveillance systems
- Credential Management: Deploy privileged access management solutions and regularly rotate credentials
Long-Term Security Posture
Key defense strategies include deploying endpoint protection to rapidly detect and mitigate ransomware attacks, regularly updating systems and patching to the latest software versions to eliminate known vulnerabilities, and implementing contingency plans with backup strategies and system segmentation procedures.
Access controls and network segmentation limit what a compromised account can reach, so that a single compromised account does not translate into full compromise of remote systems.
Additional recommendations include:
- Backup and Recovery: Maintain offline, immutable backups tested regularly for integrity
- Security Monitoring: Deploy EDR/XDR solutions capable of detecting intermittent encryption patterns
- Incident Response Planning: Develop and test incident response procedures specific to ransomware scenarios
- Security Awareness Training: Educate employees about phishing and social engineering tactics used for initial access
- Network Monitoring: Implement behavioral analysis to detect lateral movement and unusual data exfiltration
Attribution and Geopolitical Context
While no definitive attribution to a specific nation-state has been conclusively proven, the cybersecurity community generally refers to Play as "Russia-linked" based on various operational indicators and targeting patterns. The group's continued activity and sophistication suggest access to significant resources and technical expertise.
Recent intelligence suggests potential collaboration between Play ransomware and the North Korean state-sponsored group Jumpy Pisces (also known as Andariel). Unit 42 observed incidents between May and September 2024 that indicated possible cooperation, marking the first recorded collaboration between a North Korean state-sponsored group and an underground ransomware network.
Response and Recovery
As of publication, Super Quik has not released a public statement regarding the breach. The company's response will likely include:
- Forensic investigation to determine the full scope of the breach
- Notification of affected customers and employees as required by state breach notification laws
- Engagement with law enforcement including FBI and CISA
- Remediation of exploited vulnerabilities
- Enhanced security controls to prevent future incidents
Organizations that discover they may have been affected should:
- Monitor accounts for suspicious activity
- Review transactions at Super Quik locations during the breach period
- Be alert for phishing attempts leveraging stolen information
- Consider credit monitoring services if personal information was potentially compromised
Conclusion
The Super Quik breach serves as another stark reminder that ransomware groups like Play continue to pose serious threats to businesses of all sizes, particularly those operating critical infrastructure. With approximately 900 organizations affected as of May 2025, Play ransomware shows no signs of slowing its operations.
For organizations in the retail fuel sector and beyond, the message is clear: proactive security measures, regular security assessments, and comprehensive incident response planning are no longer optional—they are essential components of business continuity in today's threat landscape.
The publication of CCTV footage in this breach adds a new dimension to ransomware attacks, demonstrating that threat actors will leverage any stolen data to maximize pressure on victims. Organizations must view all data as potentially weaponizable in the hands of sophisticated adversaries.
Key Takeaways
- Super Quik, a regional gas station chain with $124.8M annual revenue, was breached by Play ransomware
- Approximately 5.5 GB of internal documents and CCTV footage were leaked on the dark web
- Play ransomware has hit approximately 900 organizations since 2022
- The group uses intermittent encryption and double extortion tactics
- Initial access often occurs through FortiOS and Microsoft Exchange vulnerabilities
- Organizations should prioritize patching, network segmentation, and offline backups
Indicators of Compromise (IOCs)
Organizations should monitor for:
- Exploitation attempts against CVE-2020-12812 and CVE-2018-13379
- Unusual RDP and VPN authentication patterns
- Use of Mimikatz, WinPEAS, Cobalt Strike, and PsExec
- Files with ".play" extensions
- Contact attempts to @gmx.de or @web.de email addresses
- Unusual Group Policy Object modifications
For more information on ransomware threats and defensive strategies, stay tuned to our ongoing coverage of the evolving threat landscape.
References:
- FBI/CISA Joint Cybersecurity Advisory on Play Ransomware
- Cybernews Security Research
- Palo Alto Networks Unit 42 Threat Intelligence
- Check Point Software Threat Prevention Research
