Ransomware Group: PLAY

VICTIM NAME: Steve Basso Plumbing Heating

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the PLAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

Steve Basso Plumbing Heating is identified as the US-based victim in a leak page associated with the construction sector. The entry is linked to the threat actor group “play” and is dated 2025-10-02, which is treated as the post date since no distinct compromise date is provided. The post frames the incident as a data-leak event rather than full encryption, asserting that private and confidential data linked to commercial and residential construction has been exfiltrated. The described material is said to include client documents, budgets, payroll, accounting records, taxes, IDs, and other financial information. The page references the victim’s site at hxxp://bassophac[.]com and notes that a ransom-claim URL is present on the page, although the exact link is not shown in the available data. The leak record shows no screenshots or images (images_count is 0) and no downloadable content reported, and the data volume is listed as unknown (??? gb).

The leak entry shows 449 views, with an added date of 2025-09-27 and a publication date of 2025-10-02. There are no attached files or image assets in the leak record, but the post includes a claim URL (defanged in this summary). The construction focus of the disclosed material, combined with the types of data described—client documents and financial information—suggests a risk profile targeting small to mid-sized construction firms. The content is presented in English, summarizing the attackers’ claimed data scope, while PII has been redacted beyond preserving the victim name.