Play Ransomware Has Hit 300 Entities Worldwide: FBI – Source: securityboulevard.com

The Play ransomware group, which was behind such high-profile attacks as those on the city of Oakland, California, and Dallas County, Texas, is behind at least 300 similar cyber-incidents since June 2022, according to government cybersecurity agencies in the United States and Australia.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, joined by the Australian Signals Directorate’s Australian Cyber Security Centre, issued an advisory this week warning organizations about the prolific threat group, which has target critical infrastructure entities in North America, South America, and Europe.

The double-extortion group, also known as PlayCrypt and BalloonFly, was first seen in Australia in April, with the most recent incident arising in November.

The agencies said they wanted to alert organizations to their tactics and techniques as well as give recommendations for mitigating against the threat.

“The Play ransomware group is presumed to be a closed group, designed to ‘guarantee the secrecy of deals, according to a statement on the group’s data leak website,” the agencies wrote. “Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.”

Evolving Its Methods

According to a report earlier this year, Symantec’s Threat Hunter Team wrote that Play was among the first threat groups to use intermittent encryption, in which attackers encrypt only a part of the content in targeted files. Using the technique, hackers encrypted only part of the data in the files, enabling them to encrypt the filers more quickly while still making the data unrecoverable.

At the time, the Symantec researchers said Play didn’t seem to be running as a ransomware-as-a-service (RaaS). However, researchers with Adlumin said in a report last month that has changed, with the ransomware offered to others as a service.

“Making it available to affiliates that might include sophisticated hackers, less-sophisticated ‘script kiddies,’ and various levels of expertise in between could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware,” the Adlumin researchers wrote.

They pointed to Play attacks they’d stopped in recent months that include nearly identical tactics and techniques, adding that “the unusual lack of even small variations between attacks suggest that they are being carried out by affiliates who have purchased the [RaaS] and are following step-by-step instructions from playbooks delivered with it.”

They also noted that small and midsize companies are being targeted by the Play operators and are particularly at risk.

Targeting Multiple Vulnerabilities

According to the advisory from CISA and the other agencies, the Play group gains initial access into organizations’ networks by abusing valid accounts and exploiting public-facing applications through known flaws in FortiOS [CVE-2018-13379 and CVE-2020-12812] and Microsoft Exchange, including ProxyNotShell – also tracked as CVE-2022-41040 – and CVE-2022-41082, a remote code execution (RCE) bug.

“Play ransomware actors have been observed to use external-facing services, such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access,” they wrote.

Once in, the bad actors use tools like AdFind to run Active Directory queries and the Grixba info-stealer to grab data from the network and scan for antivirus software. They also use GMER, IOBit, and PowerTool to disable such software and remote log files, and also have ued PowerShell scripts to target Microsoft Defender.

For lateral movement and file execution, the Play operators use Cobalt Strike, SystemBC, and PsExec. Once on the network, the threat actors search for unsecured credentials and use the MimiKatz for credential dumping to get domain administrator access. They also been known to use Windows Privilege Escalation Awesome Scripts to find other privilege execution paths.

They then distribute executables through Group Policy Objects. The Play hackers demand payment in cryptocurrency, directing victims to wallet addresses, with threats of exposing the stolen data on their leak site if the ransom isn’t paid. The .play extension is added to encrypted files.

The Play operators rose to prominence via attacks in South America, including Brazil, and then expanded its reach. It made headlines with attacks on Oakland, Dallas County, and other victims, and according to a report from Trend Micro in July, the group continues to add to its arsenal.

Researchers with the cybersecurity also wrote about Play’s possible link to other ransomware families, like Hive and Nokoyawa, including some shared tactics and tools.