The Play ransomware group, also going by the name Playcrypt, has been affecting several kinds of North American, South American, and European enterprises as well as vital infrastructure since June 2022.
The FBI learned of about 300 impacted companies as of October 2023 that the ransomware attackers allegedly took advantage of.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued a joint advisory to disseminate IOCs and TTPs discovered as recently as October 2023 by the Play ransomware group.
Specifics of the Play Ransomware Group
The Play ransomware incident was initially noted in Australia in April 2023, and it was most recently detected in November 2023.
A statement on the Play ransomware group’s data leak website states that the group is thought to be closed and created to “guarantee the secrecy of deals.”
The threat actors using play ransomware utilize a double-extortion strategy, first gaining access to computers and then encrypting data.
The initial ransom demand and payment instructions are not included in ransom notes; instead, victims are told to email the threat actors.
By abusing legitimate accounts and taking advantage of public-facing applications, the Play ransomware group first gains access to victim networks. Specifically, this is accomplished through known vulnerabilities in Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) and FortiOS (CVE-2018-13379 and CVE-2020-12812).
It has been noted that most ransomware actors initially gain access through external-facing services like Virtual Private Networks (VPN) and Remote Desktop Protocol (RDP).
Actors in play ransomware employ tools such as AdFind to execute Active Directory queries and Grixba, an information-stealer, to enumerate network information and scan for anti-virus software.
Additionally, actors utilize tools like GMER, IOBit, and PowerTool to remove log files and disable antivirus software.
Mitigation
- Prioritize remediating known exploited vulnerabilities.
- Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
- Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
To mitigate the possibility and effect of ransomware outbreaks, companies are encouraged by the FBI, CISA, and ASD’s ACSC to implement the recommendations provided in the Mitigations.