Fashion Footwear Maker Esquire Brands Targeted in Ransomware Attack by Play Gang

Esquire Brands, a New York-based designer and manufacturer of children’s footwear holding notable licenses such as DKNY, Sam Edelman, and Kenneth Cole, has reportedly been hit by a serious ransomware attack. According to a post by the Play ransomware group on a dark web forum, attackers claim to have stolen sensitive company data and are threatening to publish it publicly unless demands are met.

Threat Actors Claim Data Theft

The Play ransomware cartel, known for its aggressive double-extortion tactics, posted Esquire Brands on its leak site — a platform attackers use to list victims and pressure them into paying ransom. In the forum post, the group claims to have obtained client documents, corporate finance details, payroll data, and other internal records. The attackers are threatening to release the stolen information as early as January 3rd.

Payroll records often contain personal employee information and could expose individuals to identity theft, targeted social-engineering campaigns, and other malicious exploitation. Likewise, the alleged access to client and financial data raises risks of corporate espionage and fraudulent activities if the material is released.

As of now, Esquire Brands has not publicly commented on the incident, and the company’s response — including whether it intends to notify affected individuals or regulatory bodies — remains unknown.

About the Play Ransomware Group

The Play ransomware gang has become one of the most active and high-profile cybercriminal groups operating today. Security trackers rank it among the top tier of ransomware operations due to the sheer number of claimed incidents and diverse victims worldwide.

Play has been linked to Russian-associated cybercrime networks by security analysts, although such attributions are inherently complex and often based on TTP (tactics, techniques, and procedures) similarities. The group has previously taken credit for breaches involving industrial suppliers, law enforcement offices, and technology companies, frequently using a “double extortion” strategy where attackers not only encrypt systems but also threaten to leak stolen data if ransoms are not paid.

Play is also known for employing a technique called intermittent encryption, where only specific segments of a system are encrypted to speed up exfiltration efforts and complicate detection — a method that has been subsequently adopted by other prominent ransomware operations.
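Why partial encryption complicates detection, shown as an added example (not from the original article or from any vendor tool): a whole-file entropy check misses a file in which only some blocks were encrypted, while a per-block profile exposes it. It assumes the encrypted segments are fixed-size blocks inside a file; `BLOCK`, `HIGH`, the helper names and all sample data are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed analysis block size, in bytes
HIGH = 7.5    # assumed bits-per-byte threshold for "looks like ciphertext"

def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_profile(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each full block; a short tail is skipped because it skews low."""
    return [entropy(data[i:i + block]) for i in range(0, len(data) - block + 1, block)]

def classify(data: bytes, block: int = BLOCK, high: float = HIGH) -> str:
    prof = block_profile(data, block)
    if not prof:
        return "too_small"
    high_blocks = sum(e >= high for e in prof)
    if high_blocks == 0:
        return "plain"
    if high_blocks == len(prof):
        return "fully_high_entropy"
    return "partially_high_entropy"  # mixed profile: candidate for partial encryption

def keystream(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def make_samples(blocks: int = 12):
    """Constructed inputs: plain CSV-like text, full ciphertext, every third block swapped."""
    row = b"emp-0001,Jane Example,2024-01-15,1234.56\n"  # constructed record
    plain = (row * (blocks * BLOCK // len(row) + 1))[:blocks * BLOCK]
    full = keystream(blocks * BLOCK)
    partial = bytearray(plain)
    for b in range(0, blocks, 3):
        partial[b * BLOCK:(b + 1) * BLOCK] = full[b * BLOCK:(b + 1) * BLOCK]
    return plain, full, bytes(partial)

if __name__ == "__main__":
    for name, d in zip(("plain", "full", "partial"), make_samples()):
        print(name, round(entropy(d), 2), classify(d))
```

Compressed and media formats are also high-entropy throughout, so a fully high-entropy result alone is weak evidence; the mixed profile appearing in a file type that is normally uniform text is the stronger signal.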

Ransomware Trend Continues

This incident is part of a broader trend of ransomware attacks targeting US-based businesses. Recent cybersecurity reporting shows ransomware events rising sharply globally, with thousands of companies affected throughout the past year. Smaller and mid-sized firms in particular often lack sophisticated defenses, making them appealing targets for extortion groups.