The US cybersecurity agency CISA, the FBI, and the Australian Cyber Security Centre (ACSC) have published a new advisory detailing the tactics, techniques, and procedures (TTPs) associated with Play ransomware attacks.
Also known as Playcrypt, the Play ransomware has been active since June 2022, targeting organizations in the Americas and Europe. The FBI was aware of approximately 300 victims as of October 2023, but a brief SecurityWeek analysis shows that roughly 100 other alleged victims have been added to the group’s leak website in the past two months.
The cybercrime group previously claimed responsibility for the attacks on A10 Networks and City of Oakland.
Likely a closed group, the Play ransomware gang engages in double-extortion tactics, encrypting victims’ systems and exfiltrating their data, threatening to release it publicly unless a ransom is paid.
For initial access, the group has exploited FortiOS and Microsoft Exchange vulnerabilities and abused valid credentials, and it has also been observed using exposed RDP and VPN services.
Following initial access, the cybergang would use various tools for Active Directory discovery, network enumeration, anti-virus software identification and disabling, log file removal, lateral movement, credential harvesting, and vulnerability discovery.
The Play ransomware gang was also seen deploying executables via Group Policy Objects (GPO).
The group harvests victim data, splits it into segments, compresses the segments into RAR archives, and exfiltrates them to the command-and-control (C&C) server. Next, the adversary encrypts the compromised systems using AES-RSA hybrid encryption.
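As an added illustration of the exfiltration pattern described above (this is not code from the advisory or the agencies), the following Python snippet flags hosts that push several multi-volume RAR segments to a single external destination, as a defender might run over egress or DLP logs; the log format, field order, and alert thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample egress log lines (assumed format, not from the advisory):
# timestamp, source host, destination, bytes sent, filename seen by the proxy/DLP.
SAMPLE_LOGS = """\
2023-12-18T01:02:11Z srv-fs01 203.0.113.10:443 52428800 archive.part01.rar
2023-12-18T01:03:40Z srv-fs01 203.0.113.10:443 52428800 archive.part02.rar
2023-12-18T01:05:02Z srv-fs01 203.0.113.10:443 52428800 archive.part03.rar
2023-12-18T01:06:30Z srv-fs01 203.0.113.10:443 31457280 archive.part04.rar
2023-12-18T02:10:00Z ws-042 198.51.100.7:443 2048 report.pdf
2023-12-18T02:11:00Z ws-042 198.51.100.7:443 1024000 backup.rar
"""

# Multi-volume RAR naming: name.partNN.rar (current) or name.rNN (old style).
SEGMENT_RE = re.compile(r"\.(part\d+\.rar|r\d\d)$", re.IGNORECASE)


def parse_line(line):
    ts, host, dest, size, name = line.split()
    return {"ts": ts, "host": host, "dest": dest, "bytes": int(size), "name": name}


def find_segmented_exfil(log_text, min_segments=3, min_total_bytes=100 * 1024 * 1024):
    """Return sorted (host, dest) pairs that sent at least min_segments RAR volumes
    totalling at least min_total_bytes to one destination. Thresholds are assumed
    starting points; tune them to the environment's normal archive traffic."""
    groups = defaultdict(lambda: {"segments": 0, "bytes": 0})
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if not SEGMENT_RE.search(rec["name"]):
            continue  # single archives and ordinary files are not segmented volumes
        key = (rec["host"], rec["dest"])
        groups[key]["segments"] += 1
        groups[key]["bytes"] += rec["bytes"]
    return sorted(k for k, v in groups.items()
                  if v["segments"] >= min_segments and v["bytes"] >= min_total_bytes)


if __name__ == "__main__":
    for host, dest in find_segmented_exfil(SAMPLE_LOGS):
        print(f"ALERT: {host} sent segmented RAR volumes to {dest}")
```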
Victims are instructed to contact the gang at an email address ending in @gmx[.]de and to pay the ransom in cryptocurrency to a wallet address provided by the attackers.
“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” the government agencies note.
In their advisory, CISA, FBI, and ACSC also provide indicators of compromise (IoCs) associated with the Play ransomware attacks, along with recommended mitigation steps, which include implementing a recovery plan, using strong authentication methods, keeping systems and applications updated, monitoring networks for suspicious activity, deploying security solutions, and enhancing email protections.
“In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory,” the agencies note.