Glazed and Compromised: Unmasking the Krispy Kreme Ransomware Breach

Inside the Play Ransomware Group's Sweet Attack on Global Doughnut Giant and What It Reveals About Evolving Threat Vectors in 2025


Interesting Tech Fact:

Despite their reputation for aggressive double extortion tactics, the Play ransomware group uses a highly unique obfuscation technique in their payload delivery—embedding portions of their malicious code inside custom encrypted archive files that mimic legitimate system update packages. This allows them to bypass many conventional email filters and EDR systems, making initial detection extremely difficult and giving them a head start in lateral movement operations. This stealth tactic has been quietly observed in over a dozen attacks since late 2023 but remains under-reported in mainstream threat intelligence feeds.

Introduction

In a cybersecurity incident that shook both IT professionals and sweet-toothed fans worldwide, Krispy Kreme Doughnuts found itself in the crosshairs of a sophisticated ransomware attack perpetrated by the Play ransomware group. Far from being a mere data breach, this was a coordinated infiltration that exploited systemic weaknesses across the company’s digital infrastructure, resulting in compromised employee data, system outages, and reputational damage. As ransomware actors refine their tools and expand their targets, the Krispy Kreme case serves as a cautionary tale for all sectors—not just the traditionally vulnerable ones.

Who Is The Play Ransomware Group?

The Play ransomware group, also known as PlayCrypt, emerged in mid-2022 and quickly became one of the most active and elusive ransomware-as-a-service (RaaS) groups in the cyber threat ecosystem. Known for the distinctive “.play” file extension and the stark “PLAY” ransom notes, the group is notorious for targeting large organizations, government bodies, and multinational enterprises.

What sets Play apart is their preference for double extortion tactics, where stolen data is not only encrypted but also exfiltrated and held for ransom under the threat of public exposure. Over time, their tactics have morphed into what experts are calling “triple extortion,” involving not just encryption and data theft, but also the threat of contacting victims’ customers and stakeholders to exert additional pressure.

Their modus operandi typically involves:

  • Initial access via exposed RDPs or phishing campaigns

  • Use of Living off the Land Binaries (LOLBins) to evade detection

  • Lateral movement using tools like Cobalt Strike and PsExec

  • Disabling EDR solutions and anti-malware before payload deployment

  • Rapid encryption paired with data exfiltration

In the case of Krispy Kreme, all these hallmarks were chillingly present.

Timeline of the Krispy Kreme Breach

Phase 1: Initial Access (April 2025)

Initial forensic reports suggest that Play gained access to Krispy Kreme’s network through a vulnerable remote desktop protocol (RDP) instance left exposed to the internet. While multi-factor authentication (MFA) was implemented across key systems, an overlooked legacy point-of-sale system used for vendor management did not enforce MFA—creating a perfect entry point.

Phase 2: Reconnaissance and Persistence

Once inside, Play operatives deployed legitimate administrative tools such as ProcDump, WMI, and PsExec to map the internal infrastructure while avoiding detection. Analysts suspect the use of the Grixba infostealer—a tool often seen in Play’s campaigns—to siphon off credentials and session tokens for later privilege escalation.

Phase 3: Lateral Movement and Privilege Escalation

Cobalt Strike beacons were deployed across the network, allowing for lateral movement to mission-critical systems such as HR databases, email servers, and payment processing terminals. In particular, administrative access to Active Directory was achieved within 36 hours of the initial breach—a remarkably swift compromise that suggests either insider access or the use of stolen administrator credentials from the dark web.

Phase 4: Data Exfiltration and Payload Deployment

Roughly 740GB of sensitive data—including employee tax records, franchisee agreements, payroll data, and internal business correspondence—was exfiltrated over a secure FTP connection to a Play-controlled server. Encryption of endpoints began shortly thereafter, with ransom notes dropped across directories demanding payment in Monero to avoid data leaks.

Phase 5: Disclosure and Fallout (May 2025)

Play listed Krispy Kreme on its public leak site after a failed negotiation period. Partial samples of HR data and operational documents were leaked, confirming the breach. Krispy Kreme issued a public statement on May 18, 2025, acknowledging the incident and initiating a takedown procedure with law enforcement and incident response vendors.

Damage Assessment

  • Systems Affected: Employee records, franchisee portals, email servers, logistics management systems

  • Data Leaked: Employee SSNs, customer data (in select geographies), strategic business documents

  • Operational Impact: 48-hour outage of internal communication systems; delayed donut production in four major U.S. locations; eCommerce disruption

  • Financial Cost: Estimated $14.8 million in damages, excluding long-term reputational costs and legal liabilities

  • Regulatory Pressure: Under investigation by the FTC and multiple state attorneys general due to violation of PII protection requirements under CCPA and GDPR (for EU operations)

Tactical Analysis: Why This Worked

1. Legacy Systems with Poor Segmentation

Despite its global reach, Krispy Kreme’s digital architecture relied heavily on hybrid systems, some of which dated back to its pre-cloud era. Play leveraged the lack of segmentation between legacy systems and newer cloud-native components to move laterally.

2. Incomplete MFA Coverage

One of the most critical flaws was the inconsistent application of multi-factor authentication, especially in backend systems not directly tied to customer-facing applications.

3. Delayed Detection

SIEM logs indicate that Play remained undetected in Krispy Kreme’s environment for nearly 12 days—an eternity in cybersecurity terms. This allowed them to map infrastructure, extract data, and time their encryption payloads for maximum disruption.

4. Sophisticated Obfuscation

Play employed encrypted PowerShell scripts and staged malware payloads to evade endpoint protection tools. Use of legitimate software and lateral movement via remote WMI connections minimized the likelihood of triggering alarms.

Lessons Learned: Defense in Depth Is Non-Negotiable

1. Harden Remote Access Paths

Organizations must enforce MFA everywhere, especially on remote desktop endpoints and internal tools. The era of assuming internal trust is over.

2. Prioritize Endpoint Detection and Response (EDR)

Standard antivirus solutions are insufficient. Modern threats like Play require behavior-based EDR with real-time anomaly detection.

3. Conduct Continuous Threat Hunting

Relying solely on alerts and dashboards can lead to blind spots. Proactive threat hunting is necessary to catch attackers like Play before they execute the final phase of their attacks.
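The hunt described here, and the hallmarks listed earlier (exposed RDP without MFA, PsExec and remote WMI lateral movement, EDR services being stopped), can be turned into a small rule set. The following is an added example, not code from the original article or from any incident response vendor; the event lines are constructed, the corporate address space is assumed to be RFC 1918, and the EDR service name is a placeholder.

```python
import ipaddress

# Constructed sample events (not telemetry from the incident), one key=value record per line.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 User=svc_vendor SrcIP=203.0.113.45 Host=POS-LEGACY01 MFA=none
EventID=4624 LogonType=10 User=jdoe SrcIP=10.20.5.17 Host=WS-1042 MFA=pass
EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Host=HR-DB01
EventID=4688 NewProcess=C:\\Windows\\System32\\cmd.exe ParentProcess=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe Host=MAIL01
EventID=4688 NewProcess=C:\\Windows\\System32\\notepad.exe ParentProcess=C:\\Windows\\explorer.exe Host=WS-1042
EventID=7036 ServiceName=EdrAgentSvc State=stopped Host=HR-DB01
"""

# Assumed internal address space (RFC 1918); adjust to the real corporate ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Placeholder EDR service name; substitute the vendor's actual service name.
EDR_SERVICES = {"edragentsvc"}


def parse_event(line):
    """Split a 'k=v k=v ...' record into a dict (values here contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Return the name of the rule an event matches, or None."""
    eid = ev.get("EventID")
    if eid == "4624" and ev.get("LogonType") == "10":
        # RDP logon from outside the internal ranges with no MFA record: the breach's entry point
        if not is_internal(ev["SrcIP"]) and ev.get("MFA") != "pass":
            return "rdp_from_internet_no_mfa"
    if eid == "7045" and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "psexec_service_install"          # PsExec installs its service on the target
    if eid == "4688" and ev.get("ParentProcess", "").lower().endswith("wmiprvse.exe"):
        return "remote_wmi_process_spawn"        # processes launched via remote WMI
    if eid == "7036" and ev.get("State") == "stopped" and ev.get("ServiceName", "").lower() in EDR_SERVICES:
        return "edr_service_stopped"             # EDR disabled before payload deployment
    return None


def hunt(log_text):
    """Return [(rule, host)] for every record that matches a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            rule = classify(ev)
            if rule:
                findings.append((rule, ev.get("Host", "?")))
    return findings


if __name__ == "__main__":
    for rule, host in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} on {host}")
```

Correlating these hits by host and time (here HR-DB01 shows both a PsExec install and a stopped EDR service) is what turns individual events into the kind of finding a 12-day dwell time should not survive.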

4. Backups Are Not Enough

Backups are a reactive solution. Data exfiltration ensures attackers still have leverage, so encryption is no longer the worst-case scenario. Real-time data access controls and exfiltration monitoring must complement backup strategies.

5. Foster a Culture of Cybersecurity Hygiene

Employee training, security drills, and a zero-trust mindset must become routine in every enterprise—from donut shops to defense contractors.

Future Outlook: Ransomware Is Now Industrialized

The Krispy Kreme breach is another grim milestone in the industrialization of ransomware. Groups like Play are evolving into hybrid threat actors, blending espionage-level tactics with profit-driven extortion. As more nation-state affiliates blur the lines between cybercrime and geopolitics, organizations must prepare for:

  • Multi-vector ransomware attacks involving AI-generated phishing, polymorphic malware, and autonomous lateral movement tools

  • Attacks that merge physical and digital targets—e.g., supply chain disruptions coordinated via cyber intrusion

  • Increased targeting of consumer-focused brands due to their customer data volumes and lower cyber maturity

Case Study: Comparing Krispy Kreme to Other Play Victims

In December 2024, Play ransomware successfully breached the networks of the City of Oakland and the Swiss technology firm Adecco, using nearly identical tactics: exploiting legacy VPNs and RDPs, leveraging Cobalt Strike, and extorting for both encryption and public data release.

What differentiates Krispy Kreme is the successful targeting of a global consumer-facing food brand—a rare move, signaling that attackers are now ready to weaponize reputation damage and customer sentiment as pressure tools in extortion.

Final Thoughts

Krispy Kreme’s compromise is not just a security story—it’s a wake-up call. No brand, regardless of size or industry, is immune from the increasingly professionalized ransomware economy. As attackers grow bolder, only layered defense strategies, executive buy-in, and continuous vigilance will keep the next “sugarcoated siege” from happening.