#StopRansomware Advisory Warns of Play Ransomware, with About 300 Entities Compromised Worldwide
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) have jointly released a #StopRansomware advisory on the Play ransomware group, also known as Playcrypt. The group, active since June 2022, has hit a wide array of business sectors globally, with critical infrastructure organizations across North America, South America, and Europe notably affected. As of October 2023, the FBI was aware of approximately 300 entities that had fallen victim to Play.
The advisory walks through Play's tactics, techniques, and procedures (TTPs), beginning with initial access. The actors abuse valid accounts and exploit known vulnerabilities in widely used public-facing applications, specifically FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell, CVE-2022-41040 and CVE-2022-41082), and have also been observed using external-facing services such as RDP and VPN to get in. The report lists the tools deployed by the group, including AdFind, Bloodhound, GMER, IOBit, PsExec, PowerTool, PowerShell, Cobalt Strike, Mimikatz, WinPEAS, WinRAR, WinSCP, Microsoft Nltest, Nekto/PriviCMD, Process Hacker, and Plink.
For discovery and defense evasion, the group uses AdFind and the Grixba information stealer to enumerate Active Directory and the network and to scan for installed anti-virus software, then employs GMER, IOBit, and PowerTool to disable anti-virus products and remove log files. During lateral movement and execution, Play actors use command-and-control tooling such as Cobalt Strike and SystemBC alongside PsExec and Mimikatz to obtain domain administrator access and push executables out via Group Policy Objects. For exfiltration and encryption, they split compromised data into segments, compress it into .RAR archives with WinRAR, transfer it out of the network with WinSCP, and then encrypt files using AES-RSA hybrid encryption with intermittent encryption (every other 0x100000-byte portion of a file), appending a .play extension to each file name and dropping a ransom note named PlayReadme.txt.
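As an added illustration, not part of the advisory or this article, the following Python script turns the tool list and the discovery, evasion, lateral-movement, staging and encryption behaviours described above into a handful of detection rules and runs them over a constructed batch of Sysmon-style process-creation and file-creation events. The tool names come from the advisory; the specific .exe file names, the field layout of the events, the WinRAR split-volume switch pattern and the mass-rename threshold are assumptions that should be tuned to your own telemetry.

```python
"""Detection rules for the Play ransomware TTPs summarised in the advisory.

Added example (not CISA's code): rules run over constructed, Sysmon-style
events. Binary names, thresholds and event fields are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int                 # seconds since epoch (constructed values)
    kind: str               # "process" (EID 1-like) or "file" (EID 11-like)
    host: str
    image: str = ""         # process image path (process events)
    cmdline: str = ""       # command line (process events)
    pid: int = 0            # creating process id
    path: str = ""          # target file path (file events)


# Tools named in the advisory, mapped to the tactic they serve.
# The *.exe names are assumptions; actors rename binaries, so pair with hashes.
TOOL_RULES = {
    "defense_evasion/av_kill": {"gmer.exe", "powertool.exe", "powertool64.exe",
                                "iobitunlocker.exe", "processhacker.exe"},
    "discovery/ad_enum": {"adfind.exe", "grixba.exe", "sharphound.exe", "bloodhound.exe"},
    "credential_access/dump": {"mimikatz.exe"},
    "lateral_movement/psexec": {"psexec.exe", "psexec64.exe", "psexesvc.exe"},
    "exfiltration/transfer": {"winscp.exe", "plink.exe"},
}
NLTEST_DC_ENUM = re.compile(r"nltest(\.exe)?\s+.*?/dclist", re.I)
# WinRAR/Rar "-v<size>" creates split volumes: the "segmenting" step before transfer.
RAR_SPLIT = re.compile(r"\b(rar|winrar)(\.exe)?\b.*\s-v\d+[kmg]?\b", re.I)
PLAY_EXT = re.compile(r"\.play$", re.I)
RANSOM_NOTE = "playreadme.txt"
MASS_ENCRYPT_THRESHOLD = 20     # .play creations by one pid ...
MASS_ENCRYPT_WINDOW = 60        # ... within this many seconds


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (tactic, host, detail) tuples for every rule hit."""
    findings = []
    play_writes = defaultdict(list)     # (host, pid) -> timestamps of .play files
    for ev in events:
        if ev.kind == "process":
            name = basename(ev.image)
            for tactic, names in TOOL_RULES.items():
                if name in names:
                    findings.append((tactic, ev.host, name))
            if NLTEST_DC_ENUM.search(ev.cmdline):
                findings.append(("discovery/dc_enum", ev.host, "nltest /dclist"))
            if RAR_SPLIT.search(ev.cmdline):
                findings.append(("collection/rar_split_volumes", ev.host, name))
        elif ev.kind == "file":
            fname = basename(ev.path)
            if fname == RANSOM_NOTE:
                findings.append(("impact/ransom_note", ev.host, ev.path))
            elif PLAY_EXT.search(fname):
                play_writes[(ev.host, ev.pid)].append(ev.ts)
    # Sliding window over .play creations: one finding per (host, pid) burst.
    for (host, pid), stamps in play_writes.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= MASS_ENCRYPT_WINDOW:
                j += 1
            if j - i >= MASS_ENCRYPT_THRESHOLD:
                findings.append(("impact/mass_play_rename", host,
                                 f"pid {pid}: {j - i} .play files in {MASS_ENCRYPT_WINDOW}s"))
                break
    return findings


def tactics_by_host(findings):
    """Correlate: which distinct tactics fired on each host."""
    out = defaultdict(set)
    for tactic, host, _ in findings:
        out[host].add(tactic)
    return dict(out)


# Constructed sample events (not real telemetry) mirroring the advisory's chain.
SAMPLE_EVENTS = [
    Event(1000, "process", "DC01", image=r"C:\Windows\System32\nltest.exe",
          cmdline="nltest /dclist:corp.local", pid=4100),
    Event(1010, "process", "WS07", image=r"C:\Users\jdoe\AppData\Local\Temp\AdFind.exe",
          cmdline="AdFind.exe -f objectcategory=computer", pid=4212),
    Event(1100, "process", "WS07", image=r"C:\Temp\PowerTool64.exe",
          cmdline="PowerTool64.exe", pid=4300),
    Event(1200, "process", "FS01", image=r"C:\Windows\PSEXESVC.exe",
          cmdline=r"C:\Windows\PSEXESVC.exe", pid=880),
    Event(1300, "process", "FS01", image=r"C:\Program Files\WinRAR\Rar.exe",
          cmdline=r'"C:\Program Files\WinRAR\Rar.exe" a -v500m -r C:\stage\fin.rar D:\Finance',
          pid=902),
    Event(1400, "process", "FS01", image=r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
          cmdline="WinSCP.exe /script=up.txt", pid=950),
    Event(1500, "process", "WS02", image=r"C:\Program Files\7-Zip\7z.exe",
          cmdline=r"7z.exe a backup.7z D:\logs", pid=3000),          # benign control
] + [Event(2000 + i, "file", "FS01", pid=1337, path=rf"D:\Finance\report{i}.xlsx.play")
     for i in range(25)] + [Event(2030, "file", "FS01", pid=1337, path=r"C:\PlayReadme.txt")]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Any single hit here is a lead, not a verdict: the 7-Zip control event shows that ordinary archiving does not fire, but a legitimate admin running PsExec will. The correlation step is what matters in triage; a host on which discovery, lateral movement, staging and mass .play renames all fire within an hour is the incident, and the ransom-note and .play rules are the latest possible point to catch it, so the earlier rules deserve the tuning effort.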
Play's impact is amplified by its double-extortion model: victims are directed to contact the actors by email, ransoms are paid in cryptocurrency to wallet addresses the actors supply, and the group threatens to publish exfiltrated data if its demands are not met. The advisory from CISA and its partner agencies underscores the need for robust defensive measures, including requiring multifactor authentication, keeping operating systems, software, and firmware patched, and maintaining offline backups, all essential practices for reducing the likelihood and impact of a ransomware incident.