
ADC Aerospace, a U.S. engineering component manufacturer serving the defense and aerospace sectors, appeared on the Play ransomware group’s dark web site, where attackers claimed they accessed a range of internal and client-related documents. The posting serves as an initial signal that the group is attempting to pressure the company by asserting possession of sensitive information, a tactic commonly used to compel ransom payment.
The attackers stated that the compromised material includes client documents, budget and financial files, payroll data, identification records, and other confidential personal information. No samples were released, preventing independent verification of the claim. Ransomware groups often withhold proof in the early stages of extortion and escalate by releasing data fragments if negotiations fail or stall.
If validated, the breach could have significant consequences for ADC Aerospace. Data tied to defense-sector clients can attract considerable interest on dark web markets, where information involving U.S. contractors consistently draws attention. Payroll and identification records could also enable identity theft, while other personal data may be leveraged for social engineering operations that imitate trusted entities in the aerospace and defense supply chain.
The potential impact is heightened by ADC Aerospace’s role as a supplier to major industry companies, including Northrop Grumman, Collins Aerospace, Philips, and Honeywell. Any exposure of proprietary or personal information linked to these relationships could create wider security concerns across interconnected networks.
Play ransomware remains one of the most active criminal groups worldwide. Earlier this year, the group claimed responsibility for an attack on Jamco Aerospace, a supplier to the U.S. Navy, Boeing, and Northrop Grumman. Play has also been linked to multiple incidents involving public-sector and commercial victims, including the Palo Alto County Sheriff’s Office in Iowa, the Donald W. Wyatt Detention Facility in Rhode Island, Rackspace, H-Hotels, and BMW France.
Profiles of the group describe Play as an early adopter of intermittent encryption, a technique that encrypts fixed segments of data rather than entire systems. The approach allows faster infiltration and extraction, and has since been adopted by other high-profile ransomware operations such as ALPHV/BlackCat, DarkBit, and BianLian.
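For defenders, the segment-wise pattern described above leaves a measurable trace: a file that mixes high-entropy blocks with ordinary ones. The sketch below is an added example, not taken from the article or from any vendor tooling; the 4096-byte block size, the entropy threshold, the function names and the sample data are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed analysis granularity, not a value from the article

def block_entropies(data: bytes, block: int = BLOCK) -> list:
    """Shannon entropy (bits per byte) of each full block of `data`."""
    out = []
    for off in range(0, len(data) - block + 1, block):
        counts = Counter(data[off:off + block])
        out.append(-sum(c / block * math.log2(c / block) for c in counts.values()))
    return out

def classify(data: bytes, high: float = 7.5, min_share: float = 0.2) -> str:
    """Label a buffer by the share of its blocks that look like ciphertext."""
    ents = block_entropies(data)
    if not ents:
        return "plain"
    share = sum(e >= high for e in ents) / len(ents)
    if share < min_share:
        return "plain"
    if share > 1 - min_share:
        return "uniform-high"  # fully encrypted or compressed content
    return "mixed"             # consistent with segment-wise encryption

def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (test data only)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(out[:n])

# Constructed samples, 16 blocks each
TEXT = (b"Quarterly budget summary for internal review. " * 2000)[:16 * BLOCK]
RANDOM = pseudo_random(16 * BLOCK)
# Every other block swapped for high-entropy bytes to mimic the segment pattern
MIXED = b"".join(
    (RANDOM if i % 2 else TEXT)[i * BLOCK:(i + 1) * BLOCK] for i in range(16)
)

if __name__ == "__main__":
    for name, sample in (("text", TEXT), ("random", RANDOM), ("mixed", MIXED)):
        print(name, classify(sample))
```

A "mixed" result is a triage signal rather than proof, since archives and media containers can also combine compressed and uncompressed regions; it is most useful when the file type is one that should be uniformly low-entropy.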
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543