WFMT, a prominent classical music radio station based in Chicago, has reportedly fallen victim to a ransomware attack by the cybercriminal group known as Play. The attackers claim to have exfiltrated a large volume of sensitive personal and business data, allegedly in an effort to pressure the station into meeting ransom demands.
The breach was publicized through Play ransomware’s dark web blog, a platform the group routinely uses to announce and shame its victims. According to cybersecurity analysts at Cybernews, a 5.5-gigabyte data dump has already been released by the attackers. Their preliminary analysis indicates the files contain detailed payroll records, medical insurance information, internal company budgets, government grant data, as well as a range of contracts and corporate reports.
The exposure of such data could have serious implications. Medical insurance details, in particular, are highly valued on illicit markets and can be used for fraudulent claims or identity theft. WFMT has not yet publicly confirmed the breach, and a request for comment remains unanswered as of publication.
Founded in 1948, WFMT is among the oldest classical music broadcasters in the United States. The station is recognized for its high-quality programming and international reach, having been one of the first radio superstations distributed via satellite and cable worldwide. It is also notably the only individual U.S. station to hold membership in the European Broadcasting Union.
The attack on WFMT adds to a growing list of high-profile incidents involving the Play ransomware group. In 2023, the same group was linked to cyberattacks targeting the Palo Alto County Sheriff’s Office in Iowa and the Donald W. Wyatt Detention Facility in Rhode Island. Security experts note that Play has risen rapidly within the ransomware landscape, becoming one of the most active cartels in 2024.
Play is known for pioneering the use of intermittent encryption, a technique that encrypts select portions of data rather than entire files. This approach enables faster data theft and system compromise, and it has since been adopted by other notorious groups such as ALPHV/BlackCat, DarkBit, and BianLian.
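For defenders, partial encryption leaves a recognizable footprint: a file that mixes ciphertext-like blocks with untouched plaintext blocks. The sketch below is an added example, not code from the article or from any vendor tool. It scores each block's Shannon entropy and flags that mix; the 4 KiB block size, the thresholds, the function names and the every-other-block sample are all assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed scan block size, not a value from the article

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, roughly 4-5 for English text."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def block_entropies(data: bytes, block: int = BLOCK) -> list:
    # A short trailing block is skipped: too few bytes for a stable estimate.
    return [shannon_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]

def looks_intermittent(data, block=BLOCK, high=7.5, low=6.0, min_share=0.2):
    """Flag files that mix ciphertext-like and plaintext-like blocks.

    Heuristic only: a fully encrypted or compressed file is all-high and is
    not flagged here; containers with embedded compressed data may be.
    """
    ents = block_entropies(data, block)
    if len(ents) < 4:
        return False
    hi = sum(e >= high for e in ents) / len(ents)
    lo = sum(e <= low for e in ents) / len(ents)
    return hi >= min_share and lo >= min_share

def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def make_samples(blocks: int = 16):
    """Constructed inputs: plain text, partly overwritten, fully random."""
    line = b"2024-01-15 payroll batch 0042 processed for 118 employees\n"
    plain = (line * (blocks * BLOCK // len(line) + 1))[:blocks * BLOCK]
    partial = bytearray(plain)
    for i in range(0, blocks, 2):  # assumed pattern: every other block
        partial[i * BLOCK:(i + 1) * BLOCK] = pseudo_random(BLOCK, bytes([i]))
    return plain, bytes(partial), pseudo_random(blocks * BLOCK)
```

A whole-file entropy average would blur the two populations together, which is why the check works per block.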