The Play ransomware group has successfully infected at least 300 organizations as of October, according to a new joint cybersecurity advisory this week by U.S. and Australian government agencies, which sought to highlight Indicators of Compromise (IoC) and tactics associated with the group.
The Play ransomware group emerged in June 2022 and since then has launched double extortion attacks against a number of U.S.-based organizations, including the city of Oakland, Calif., and a number of managed service providers. In Australia, meanwhile, the group’s activity was first seen in April 2023 (and has most recently occurred in November).
“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” according to the joint alert released Monday by the FBI, CISA and the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), which leads the Australian government's efforts on cyber security. “The Play ransomware group is presumed to be a closed group, designed to ‘guarantee the secrecy of deals,’ according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data.”
For initial access, the group has previously targeted unpatched vulnerabilities in organizations’ environments, such as the Microsoft Exchange ProxyNotShell bugs (CVE-2022-41040 and CVE-2022-41082) and known FortiOS flaws (CVE-2018-13379 and CVE-2020-12812), as well as external-facing services like Remote Desktop Protocol (RDP).
The group leverages a number of both public and custom tools for defense evasion, lateral movement and data exfiltration. For instance, it has used custom tools like an information stealer called Grixba, which enumerates network information and scans for antivirus software, and a .NET executable that lets attackers copy files from the Volume Shadow Copy Service (VSS) that the operating system would normally keep locked. Like many other threat groups, it has relied on tools like Cobalt Strike and PsExec for lateral movement and file execution, and on Mimikatz to dump credentials and gain administrator access.
“Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software and remove log files,” according to the advisory. “In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender.”
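The defense-evasion behaviour described above (launches of AV-tampering utilities and PowerShell scripts aimed at Microsoft Defender) is the kind of activity the advisory asks organizations to be able to detect. The following is an added example, not code from the advisory or from any of the agencies: a small detector run over constructed process-creation log lines. The log format, host and user names, file paths and the process image names standing in for GMER, IOBit and PowerTool are all assumptions; Set-MpPreference is the real Defender configuration cmdlet, but the specific switches matched here are assumed examples of what a tampering script might invoke.

```python
"""Detect AV-tampering tool launches and Defender-targeting PowerShell
command lines in process-creation telemetry (constructed sample data)."""
import re
from dataclasses import dataclass

# Assumed image names for the tools named in the advisory. Real detections
# should also key on file hashes and code-signing details, since renaming a
# binary defeats a name-only match.
SUSPECT_IMAGES = {
    "gmer.exe", "iobitunlocker.exe", "powertool.exe",
    "mimikatz.exe", "psexec.exe",
}

# PowerShell fragments that weaken or reconfigure Microsoft Defender.
# Set-MpPreference/Add-MpPreference/Remove-MpPreference exist in the Defender
# module; the switch names below are assumed examples, not a complete list.
DEFENDER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    re.compile(r"Remove-MpPreference", re.I),
]

# Assumed log line layout: timestamp host=... user=... image="..." cmd="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Finding:
    host: str
    user: str
    reason: str
    line: str


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check(rec):
    """Return a human-readable reason if the record looks like AV tampering."""
    image = rec["image"].rsplit("\\", 1)[-1].lower()
    if image in SUSPECT_IMAGES:
        return f"known AV-tampering/credential tool launched: {image}"
    if image in ("powershell.exe", "pwsh.exe"):
        for pat in DEFENDER_PATTERNS:
            if pat.search(rec["cmd"]):
                return f"PowerShell Defender tampering matched /{pat.pattern}/"
    return None


def scan(lines):
    """Run check() over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed or foreign line; a real pipeline would count these
        reason = check(rec)
        if reason:
            findings.append(Finding(rec["host"], rec["user"], reason, line.strip()))
    return findings


# Constructed sample telemetry: three suspicious events, two benign, one malformed.
SAMPLE_LOG = [
    r'2023-12-18T10:01:02Z host=ws01 user=CORP\jdoe image="C:\Windows\System32\notepad.exe" cmd="notepad.exe report.txt"',
    r'2023-12-18T10:02:15Z host=ws01 user=CORP\jdoe image="C:\Temp\gmer.exe" cmd="gmer.exe"',
    r'2023-12-18T10:03:40Z host=srv02 user=CORP\svc_backup image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2023-12-18T10:04:05Z host=srv02 user=CORP\svc_backup image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -c Get-Service"',
    r'2023-12-18T10:05:30Z host=ws03 user=CORP\admin image="C:\Users\admin\Downloads\PowerTool.exe" cmd="PowerTool.exe"',
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.host}] {f.user}: {f.reason}")
```

The image-name watchlist is deliberately the weakest signal here and is kept only because the advisory names those tools; the command-line patterns generalize better, and in production both should feed an alert that also captures the parent process and the account involved, since the advisory pairs these tools with log deletion that can remove the evidence shortly afterwards.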
The FBI, CISA and ACSC urged organizations to take a number of steps to limit the impact of these ransomware techniques, including developing and implementing a recovery plan for retaining sensitive data in the event of an attack. Organizations are also advised to implement multifactor authentication; regularly patch and update all software and applications, prioritizing the remediation of known exploited flaws; segment networks to help curb the ransomware’s spread; and maintain the capability to identify, detect and investigate any abnormal activity.
“The FBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware,” according to the advisory. “These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).”