Source: securityboulevard.com – Author: Francis Guibernau
On December 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA) to disseminate Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the Play Ransomware group, identified through FBI investigations as recently as October 2023.
On June 4, 2025, the CSA was updated to reflect new TTPs employed by the Play ransomware group, as well as to provide updated IOCs and remove outdated ones to support effective threat hunting.
This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.
Play, also known as Playcrypt, is a ransomware group and strain active since June 2022 and was among the most active ransomware groups in 2024. The ransomware has been responsible for compromising a wide range of entities and critical infrastructure across North America, South America, and Europe. As of May 2025, the Federal Bureau of Investigation (FBI) had identified approximately 900 affected entities believed to have been compromised by Play ransomware operators.
The group is presumed to operate under a closed affiliate model, emphasizing operational secrecy, according to a statement on its leak site which pledges to “guarantee the secrecy of deals.”
Over time, Play ransomware operators have refined their playbook of Tactics, Techniques, and Procedures (TTPs) by expanding the exploitation of vulnerabilities including ProxyNotShell, OWASSRF, and a Microsoft Exchange Server Remote Code Execution (RCE). More recently, they have enhanced their toolkit with the introduction of tools such as Grixba, a custom information stealer and network scanner, and AlphaVSS, an open-source Volume Shadow Copy Service (VSS) management utility. These efforts indicate the group’s intention of remaining active for the foreseeable future.
Play operators employ a double extortion strategy, performing data exfiltration prior to file encryption. Ransom notes do not include an initial ransom demand or payment instructions, instead victims are instructed to initiate contact through unique @gmx.de or @web.de email addresses. In some cases, the operators escalate pressure by contacting victims via telephone, threatening disclosure of sensitive stolen information to encourage compliance with their demands.
Play ransomware exhibits tactical overlaps with Hive and Nokoyawa ransomware, suggesting a possible affiliation between operators. Additionally, it partially shares technical infrastructure with Quantum ransomware, a variant of the Conti ransomware. Specifically, Play ransomware activities have utilized Cobalt Strike beacons marked with the same watermark ID (206546002) as those deployed via the Emotet and SVCReady botnets in previous Quantum ransomware activities.
AttackIQ has released an updated attack graph to include these new behaviors exhibited by Play ransomware to help customers validate their security controls and their ability to defend against this determined adversary.
Validating your security program performance against these behaviors is vital to reducing risk. By using this updated attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against baseline behaviors associated with Play ransomware.
- Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.
This attack graph emulates the different Tactics, Techniques, and Procedures (TTPs) observed in multiple activities associated with Play ransomware.
This emulation is based on the updated Cybersecurity Advisory (CSA) released by CISA on June 4, 2025, and supported by the reports published by Trend Micro on July 21, 2023, and Symantec on April 19, 2023.
To reflect updates to the previous version of the attack graph, newly added scenarios are labeled with the “Added!” prefix for identification.
Execution & Discovery – Grixba Stealer Delivery and Deployment
This stage begins with the deployment of Grixba, a custom information stealer and network scanner. Once operational, it attempts to detect the presence of a debugger through the Windows API and proceeds to obtain the Machine Globally Unique Identifier (GUID) along with Windows system properties from the registry. Subsequently, it collects additional system information, including the current username, running processes, and active services using Windows API functions.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known Grixba samples.
Added! Virtualization/Sandbox Evasion (T1497): This scenario executes the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.
Query Registry (T1012): This scenario queries the MachineGuid value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key, which contains the unique identifier of the system.
Query Registry (T1012): This scenario queries the HKCU\Software\Microsoft\Windows\CurrentVersion registry key to obtain information about Windows properties specific to the current user.
Added! System Owner/User Discovery (T1033): This scenario executes the GetUserNameA Windows API call to retrieve the name of the user associated with the current thread.
Added! Process Discovery (T1057): This scenario executes the Process Windows Management Instrumentation (WMI) command (for example, wmic process list) to obtain a list of running processes.
Added! System Service Discovery (T1007): This scenario executes the EnumServicesStatus Windows API to gather information about the services configured on the system.
Added! System Service Discovery (T1007): This scenario executes the QueryServiceStatusEx and EnumDependentServices Windows API calls to retrieve information pertaining to a given service.
Discovery – Local Network Reconnaissance
This stage begins with the deployment of NetScan, a network scanning utility, followed by the execution of nltest to enumerate domain controllers and trusted domains, and the use of AdFind to conduct Active Directory discovery.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known NetScan samples.
Remote System Discovery (T1018): This scenario executes the nltest command to gather a list of domain controllers associated with a domain.
Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.
Remote System Discovery (T1018): This scenario leverages the AdFind utility to discover details about the Active Directory configuration including accounts, groups, computers, and subnets.
Credential Access – Mimikatz Deployment and Credential Harvesting
This stage focuses on credential harvesting through the deployment of Mimikatz, which initially extracts credentials available on the system. Subsequently, the Local Security Authority Subsystem Service (LSASS) process is dumped into a Minidump file, which Mimikatz then uses to perform additional credential collection.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known Mimikatz samples.
OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump passwords and hashes available on the compromised environment.
Added! OS Credential Dumping: LSASS Memory (T1003.001): This scenario employs rundll32.exe with comsvcs.dll to call the MiniDump export, which dumps the LSASS process memory to disk.
Added! OS Credential Dumping: LSASS Memory (T1003.001): This scenario extracts credentials using Mimikatz from a specified MiniDump file.
Privilege Escalation & Lateral Movement – Targeting Additional Systems
This stage begins with the deployment of the Windows Privilege Escalation Awesome Scripts (WinPEAS) tool, used to escalate privileges on the compromised system. Following this, a Cobalt Strike beacon is deployed to establish communication with the Command and Control (C2) server. In case of failure, the emulation falls back on deploying the SystemBC backdoor as an alternative C2 channel.
Finally, leveraging the credentials acquired in the previous stage, it attempts to move laterally to additional systems within the network.
Added! Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known WinPEAS samples.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known Cobalt Strike samples.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known SystemBC samples.
Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to remotely connect to an accessible system via Remote Desktop Protocol (RDP), a built-in remote access Windows utility.
Defense Evasion & Exfiltration – Disable Microsoft Defender & Exfiltrate Files
This stage begins by disabling Microsoft Defender through the modification of the DisableRealtimeMonitoring and DisableBehaviorMonitoring properties using PowerShell. Subsequently, Windows event logs are cleared using wevtutil, followed by the exfiltration of ZIP-compressed data from the system via Secure File Transfer Protocol (SFTP).
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the DisableRealtimeMonitoring setting in Microsoft Defender.
Added! Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the DisableBehaviorMonitoring setting in Microsoft Defender.
Indicator Removal: Clear Windows Event Logs (T1070.001): This scenario executes the wevtutil.exe utility to delete Windows event logs from the system.
Added! Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002): This scenario exfiltrates collected information from the environment over Secure File Transfer Protocol (SFTP).
Impact – Play Ransomware Deployment
This stage begins with the deployment of the Play ransomware, which is executed via a scheduled task. Once deployed, it attempts to detect the presence of a debugger through the Windows API.
Subsequently, AlphaVSS, an open-source Volume Shadow Copy Service (VSS) management utility, is deployed to manipulate shadow copies. The ransomware then traverses the filesystem using FindFirstFileW and FindNextFileW before encrypting files using a combination of AES and RSA encryption algorithms.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known Play ransomware samples.
Added! Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires execution through the creation of a scheduled task using the schtasks utility.
Added! Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known AlphaVSS samples.
Added! File and Directory Discovery (T1083): This scenario executes the FindFirstFileW and FindNextFileW Windows API calls to perform the enumeration of the file system.
Data Encrypted for Impact (T1486): This scenario simulates the file encryption routine used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed during this activity.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Detection and Mitigation Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations to adapt them to your environment first to determine if you have any existing impact before reviewing the assessment results.
2. Scheduled Task/Job: Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrative Tools section of the Control Panel.
2a. Detection
With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:
Process Name = (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))
Two caveats when turning this into a production rule: the command line of every cmd.exe process already contains “cmd”, so the trailing (“cmd” OR “powershell”) clause should be evaluated against the task action passed with /TR rather than the whole command line, and schtasks.exe launched directly, without a cmd.exe or powershell.exe wrapper, should be added to the process-name clause so a direct invocation is not missed.
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
3. Data Encrypted for Impact (T1486)
Preventing systems and files from being encrypted should be a top priority. Ensuring that you have layered endpoint defenses including Antivirus and EDR solutions is critical.
3a. Detection
Ransomware activity is best prevented and alerted on by your EDR/AV policies. Most products expose a dedicated ransomware-protection configuration, and we strongly encourage enabling it in your security controls.
There are three telling signs of ransomware activity in an environment that you can query for and, where your security controls allow, turn into preventative detections: deletion of shadow copies, suspicious volumes of exfiltrated data, and, of course, widespread file encryption.
Shadow copy deletion is usually the first of these to occur and can be detected from command-line activity:
Via vssadmin.exe:
Process Name = (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
Via PowerShell:
Process Name = “powershell.exe”
Command Line CONTAINS (“Win32_ShadowCopy” AND “Delete()”)
(for example: Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() })
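The two pseudo-queries above (schtasks /CREATE under 2a, and shadow copy deletion via vssadmin or WMI here) are easy to read but not runnable. The following is an added example, not AttackIQ's code or the attack graph itself, that expresses them as substring rules in the same AND/OR shape and runs them over a handful of constructed process-creation events. It goes a little beyond the page's two queries: schtasks.exe is added to the process-name clause, Get-CimInstance is accepted alongside Get-WmiObject, and three further rules cover other command-line TTPs listed in the attack graph (comsvcs.dll MiniDump, Set-MpPreference disabling Defender monitoring, wevtutil clearing logs). The technique IDs on those extra rules and all sample command lines are our own additions.

```python
"""Command-line detection rules for Play ransomware TTPs, run over constructed
process-creation events. Added example; not AttackIQ code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    images: frozenset   # process image names the rule applies to (empty = any)
    tokens: tuple       # every token must appear in the command line (case-insensitive);
                        # a tuple token is an OR of alternatives


RULES = (
    # 2a rule from the page, plus schtasks.exe itself so a direct launch is not missed.
    # Caveat: every cmd.exe command line contains "cmd"; check the /TR argument in production.
    Rule("schtasks /create pointing at a shell", "T1053.005",
         frozenset({"cmd.exe", "powershell.exe", "schtasks.exe"}),
         ("schtasks", "/create", ("cmd", "powershell"))),
    # 3a rules from the page (shadow copy deletion is ATT&CK T1490, Inhibit System Recovery).
    Rule("vssadmin shadow copy deletion", "T1490",
         frozenset({"cmd.exe", "powershell.exe"}),
         ("vssadmin", "delete shadows")),
    Rule("WMI/CIM shadow copy deletion", "T1490",
         frozenset({"powershell.exe"}),
         (("get-wmiobject", "get-ciminstance"), "win32_shadowcopy", "delete")),
    # Extra rules (our additions) for other command-line TTPs in the same attack graph.
    Rule("comsvcs.dll MiniDump of a process", "T1003.001",
         frozenset({"rundll32.exe", "cmd.exe", "powershell.exe"}),
         ("comsvcs", "minidump")),
    Rule("Set-MpPreference touching Defender monitoring switches", "T1562.001",
         frozenset({"powershell.exe"}),
         ("set-mppreference", ("disablerealtimemonitoring", "disablebehaviormonitoring"))),
    Rule("wevtutil clearing event logs", "T1070.001",
         frozenset({"cmd.exe", "powershell.exe", "wevtutil.exe"}),
         ("wevtutil", ("cl ", "clear-log"))),
)


def image_name(path):
    """Last path component, lower-cased, so C:\\Windows\\System32\\cmd.exe -> cmd.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches(rule, event):
    if rule.images and image_name(event["image"]) not in rule.images:
        return False
    cmd = event["command_line"].lower()
    for token in rule.tokens:
        alternatives = token if isinstance(token, tuple) else (token,)
        if not any(alt in cmd for alt in alternatives):
            return False
    return True


def detect(events, rules=RULES):
    """Return (event id, technique, rule name) for every rule each event trips."""
    return [(e["id"], r.technique, r.name) for e in events for r in rules if matches(r, e)]


# Constructed Sysmon-style process-creation events; 1-6 malicious, 7-9 benign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c schtasks /create /tn "WindowsUpdateCheck" /tr "powershell -ep bypass -w hidden C:\Users\Public\u.ps1" /sc onlogon /ru SYSTEM'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"id": 4, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\ls.dmp full"},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 6, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c wevtutil cl Security & wevtutil cl System"},
    {"id": 7, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /query /fo LIST /v"},
    {"id": 8, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "Set-MpPreference -ScanScheduleDay 1"'},
    {"id": 9, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The rule shape is deliberately the one the page uses, a process-name filter plus an AND of substrings with OR groups, so each rule can be ported back to a SIEM query one to one; the comments mark where that shape is weak (the schtasks shell token, and the fact that the Set-MpPreference rule fires on an administrator re-enabling monitoring unless a value check is added).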
Detecting suspicious Data Exfiltration:
Detecting exfiltration is well suited to IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic, are sent to a rare external IP, this should be detected or prevented depending on the security policies of the control. Historical NetFlow logging can also surface hosts that are experiencing uncommon peaks in outgoing traffic.
Detecting Ransomware-like File Encryption:
Utilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Using these tools to look for excessive file modifications (greater than 1000 on a single system) within less than a minute is a good starting indicator.
To increase fidelity, you can additionally match the extension of the modified files against known ransomware extensions such as .conti, .Locky, .Ryuk, and the .PLAY suffix this group appends to encrypted files. If possible, with a SOAR or preventative EDR platform, we recommend configuring these detections to kill all processes involved in generating the alert, as this will most likely stop the spread of the ransomware.
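The burst heuristic above (more than 1000 file modifications on one system inside a minute, scored higher when the files carry a known ransomware extension) is a sliding-window count per host. Here it is as a runnable added example over constructed file-modification telemetry; this is not AttackIQ's code, the threshold and window are the page's numbers exposed as parameters, the hostnames and paths are invented, and the extension list combines the page's examples with .play, which public reporting describes Play appending to encrypted files.

```python
"""Sliding-window burst detector for ransomware-like file encryption.
Added example over constructed telemetry; not AttackIQ code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Extensions from the page plus .play (Play's own suffix per public reporting).
RANSOM_EXTENSIONS = frozenset({".conti", ".locky", ".ryuk", ".play"})


def extension(path):
    """Extension of the final path component, lower-cased; '' when there is none.
    Splits on backslashes ourselves so Windows paths work on any host."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return os.path.splitext(name)[1].lower()


def detect_bursts(events, threshold=1000, window_seconds=60):
    """events: iterable of (timestamp: datetime, host: str, path: str) file-modification records.
    Emits one alert per burst: the first moment a host's count inside the sliding
    window reaches `threshold`. The host is re-armed only once its window count
    drops back below the threshold, so a sustained burst does not alert every event."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # host -> deque of (timestamp, path) inside the window
    armed = defaultdict(lambda: True)    # host -> may alert again?
    alerts = []
    for ts, host, path in sorted(events):
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window:     # drop records that have aged out of the window
            q.popleft()
        if len(q) >= threshold and armed[host]:
            ransom_like = sum(1 for _, p in q if extension(p) in RANSOM_EXTENSIONS)
            alerts.append({
                "host": host,
                "window_start": q[0][0],
                "window_end": ts,
                "count": len(q),
                "ransom_like": ransom_like,
                # Half or more of the burst carrying a known extension is the high-fidelity case.
                "severity": "high" if ransom_like >= threshold // 2 else "medium",
            })
            armed[host] = False
        elif len(q) < threshold:
            armed[host] = True
    return alerts


BASE = datetime(2025, 6, 4, 10, 0, 0)
SAMPLE_EVENTS = (
    # WS-0042 (constructed): 1,200 documents rewritten with a .PLAY suffix in about 40 seconds.
    [(BASE + timedelta(milliseconds=33 * i), "WS-0042",
      rf"C:\Users\alice\Documents\report_{i}.docx.PLAY") for i in range(1200)]
    # WS-0007 (constructed, benign): a build job touching 300 object files over a minute.
    + [(BASE + timedelta(milliseconds=200 * i), "WS-0007",
        rf"C:\src\build\obj\mod_{i}.obj") for i in range(300)]
)

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keeping the window per host, rather than fleet-wide, matters: the same 1000 writes spread over twenty build servers are normal, while 1000 on one workstation in half a minute are not. The re-arm logic is what a SOAR kill action should key off, since a single burst must produce a single response rather than one per modified file.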
3b. Mitigation
MITRE ATT&CK Recommends the following mitigations:
Wrap-up
In summary, this updated attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Play ransomware operators. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
Original Post URL: https://securityboulevard.com/2025/06/updated-response-to-cisa-advisory-aa23-352a-stopransomware-play-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=updated-response-to-cisa-advisory-aa23-352a-stopransomware-play-ransomware
Category & Tags: Security Bloggers Network, #StopRansomware, adversary emulation, Broad-Based Attacks, Play, Playcrypt, Ransomware, ransomware as a service