On December 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Play ransomware [1]. The Play ransomware group first appeared in June 2022 and has since compromised nearly 300 organizations worldwide. Play ransomware operators exploit known vulnerabilities and follow recent ransomware trends such as double extortion and inhibiting system recovery.
In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Play ransomware and how organizations can defend themselves against Play ransomware attacks.
Play Ransomware
Play ransomware, also known as PlayCrypt, was first observed in late June 2022. The group targets organizations located in Australia, Latin America, Europe, and the United States. Because the group is financially motivated, its victims come from a wide range of industries, such as education, healthcare, insurance, media, technology, and telecommunications.
As an initial access vector, the group uses known vulnerabilities in public-facing assets and compromised valid accounts. For reconnaissance, defense evasion, and persistence in the victim's network, the ransomware threat actors use custom and open-source tools such as AdFind, BloodHound, Cobalt Strike, GMER, Mimikatz, and WinPEAS. Play ransomware follows ransomware trends and employs tactics similar to those of other recent ransomware groups like Hive and Nokoyawa. The ransomware payload uses an intermittent encryption scheme based on the size of the file, encrypting chunks of 0x100000 bytes. In addition to file encryption, Play ransomware operators steal their victims' sensitive data and threaten to publish it on their "leak site" if the ransom isn't paid.
Although it is a relatively new player in the ransomware scene, the Play ransomware group already poses a serious threat to organizations. In its advisory, CISA recommends that organizations continuously validate their security controls against Play ransomware variants and the group's evolving tools and techniques.
Play Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Play ransomware operators use compromised valid accounts to gain initial access to the target network. Stolen credentials and password reuse across multiple platforms are the likely causes of account compromise.
T1133 External Remote Services
Play ransomware threat actors use publicly exposed RDP and VPN servers to establish a foothold in the target system. Compromised valid accounts are also used to gain access via RDP and VPN services.
T1190 Exploit Public-Facing Application
Play ransomware exploits critical vulnerabilities in public-facing assets for initial access. The group is known to exploit the OWASSRF and ProxyNotShell vulnerabilities, as well as the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812.
Discovery
T1016 System Network Configuration Discovery & T1518.001 Software Discovery: Security Software Discovery
After gaining initial access, adversaries use AdFind to enumerate the victim's Active Directory. Additionally, they use an information stealer and network scanner named Grixba to enumerate users and computers in the domain. Grixba's scan mode uses WMI, WinRM, and Remote Registry to determine which software runs on network devices. The malware can also scan for antivirus products, EDR suites, and backup tools.
Defense Evasion
T1562.001 Impair Defenses: Disable or Modify Tools
Play ransomware actors disable the identified security software in the victim's environment using legitimate tools like GMER, IOBit, and PowerTool.
T1070.001 Indicator Removal: Clear Windows Event Logs
Play ransomware actors clear Windows event logs to hide their tracks and prevent defenders from investigating the ransomware incident.
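Log clearing leaves its own record: Windows writes Security event 1102 ("The audit log was cleared") and System event 104 ("The System log file was cleared") at the moment a log is wiped, so a detection rule can key on those two events and raise priority when one host clears several logs in a short span. The following is an added example, not code from the original post or from Picus; the NDJSON records, host names, and user names are constructed for the demo, and the exported field names (Channel, EventID, Computer, SubjectUserName, TimeCreated) are assumed to match whatever collector feeds the SIEM.

```python
import json
from collections import defaultdict

# Native Windows events that record a log being cleared.
LOG_CLEARED_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log file cleared",
}

# Constructed sample export (NDJSON, one event per line). Hosts, users and
# timestamps are invented for the demo; field names are an assumption about
# the collector's output format.
SAMPLE_NDJSON = """\
{"TimeCreated": "2023-12-18T02:11:07Z", "Computer": "ws-finance-07", "Channel": "Security", "EventID": 4624, "SubjectUserName": "j.doe"}
{"TimeCreated": "2023-12-18T02:14:31Z", "Computer": "ws-finance-07", "Channel": "Security", "EventID": 1102, "SubjectUserName": "svc-backup"}
{"TimeCreated": "2023-12-18T02:14:33Z", "Computer": "ws-finance-07", "Channel": "System", "EventID": 104, "SubjectUserName": "svc-backup"}
{"TimeCreated": "2023-12-18T02:15:00Z", "Computer": "dc-01", "Channel": "Security", "EventID": 4688, "SubjectUserName": "svc-backup"}
"""


def parse_events(ndjson: str) -> list:
    """Parse one JSON object per non-empty line; malformed lines raise, as in a strict pipeline."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def find_log_clears(events: list) -> list:
    """Return a normalized hit for every event that records a cleared log."""
    hits = []
    for ev in events:
        label = LOG_CLEARED_EVENTS.get((ev.get("Channel"), ev.get("EventID")))
        if label is None:
            continue
        hits.append({
            "time": ev.get("TimeCreated"),
            "host": ev.get("Computer"),
            "user": ev.get("SubjectUserName"),
            "channel": ev["Channel"],
            "event_id": ev["EventID"],
            "description": label,
        })
    return hits


def hosts_with_multiple_clears(hits: list, minimum: int = 2) -> list:
    """Hosts on which at least `minimum` different log-clear events were seen.

    Clearing several logs back to back is the anti-forensics pattern described
    above, so these hosts deserve a higher triage priority than a single event."""
    per_host = defaultdict(int)
    for hit in hits:
        per_host[hit["host"]] += 1
    return sorted(host for host, count in per_host.items() if count >= minimum)


if __name__ == "__main__":
    clears = find_log_clears(parse_events(SAMPLE_NDJSON))
    for hit in clears:
        print(f'{hit["time"]} {hit["host"]} {hit["user"]}: {hit["description"]} '
              f'({hit["channel"]}/{hit["event_id"]})')
    print("hosts with repeated clears:", hosts_with_multiple_clears(clears))
```

In a real deployment the same two events would be forwarded from every endpoint, and the absence of event 1102 where a log should have been cleared (for example, a Security log that is suddenly empty with no 1102 preceding it) is itself a sign that forwarding was interrupted.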
Credential Access
T1552 Unsecured Credentials
Adversaries search for unsecured credentials to elevate their privileges or move laterally in the compromised network.
T1003 OS Credential Dumping
Play ransomware threat actors use Mimikatz to dump credentials and view Kerberos tickets. Moreover, they use Mimikatz to add accounts to domain controllers and gain domain administrative access.
Lateral Movement
T1570 Lateral Tool Transfer
The Play ransomware group brings tools such as Cobalt Strike, SystemBC, and PsExec into the environment to support lateral movement and file exfiltration.
Collection
T1560.001 Archive Collected Data: Archive via Utility
Prior to data exfiltration, adversaries compress their victims' files using WinRAR and split data into segments.
Exfiltration
T1048 Exfiltration Over Alternative Protocol
WinSCP is a free and open-source tool that facilitates secure file transfer between a local and a remote computer, typically using Secure Shell (SSH) protocols, including both Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). Adversaries use WinSCP to exfiltrate the victim's data to adversary-controlled services.
Impact
T1486 Data Encrypted for Impact
Play ransomware uses a standard RSA-AES hybrid cryptosystem to encrypt files. Encrypted files are given a .play extension.
The payload follows an intermittent encryption scheme based on the file size, encrypting chunks of 0x100000 bytes. If the file size is smaller than 1 gigabyte, the ransomware only encrypts two chunks. If the file size is smaller than 10 gigabytes, the ransomware only encrypts three chunks. If the file size is larger than 10 gigabytes, the ransomware encrypts five chunks.
Figure 1: Example of a null file encrypted with Play ransomware [2]
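Intermittent encryption matters to defenders because a whole-file entropy check, the classic heuristic for spotting ransomware output, is fooled when only two to five 1 MiB chunks of a large file are ciphertext: the file as a whole still looks mostly like its original content. The following added example (not code from the original post, from Picus, or from the ransomware) shows the difference between a whole-file entropy check and a per-chunk check at the 0x100000-byte chunk size given above. The sample file is constructed: a zero-filled "null" file like the one in Figure 1, with os.urandom standing in for ciphertext at chunk positions chosen for the demo (the post does not say which chunks Play selects); reading the post's "gigabyte" as 1024**3 bytes and the 7.5 bits/byte threshold are also assumptions.

```python
import math
import os

CHUNK_SIZE = 0x100000   # 1 MiB, the chunk size the post gives for Play's encryptor
GIB = 1024 ** 3         # assumption: the post's "gigabyte" taken as 1024**3 bytes
HIGH_ENTROPY = 7.5      # bits/byte; ciphertext and random data sit near 8.0 (assumed threshold)


def expected_encrypted_chunks(file_size: int) -> int:
    """Chunk count the post describes: <1 GB -> 2, <10 GB -> 3, otherwise 5."""
    if file_size < GIB:
        return 2
    if file_size < 10 * GIB:
        return 3
    return 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform data."""
    n = len(data)
    if n == 0:
        return 0.0
    entropy = 0.0
    for value in range(256):
        count = data.count(value)      # bytes.count accepts an int in Python 3
        if count:
            p = count / n
            entropy -= p * math.log2(p)
    return entropy


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk_size slice of the file."""
    return [shannon_entropy(data[off:off + chunk_size])
            for off in range(0, len(data), chunk_size)]


def triage_file(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Compare the whole-file heuristic with a per-chunk heuristic on the same bytes."""
    whole = shannon_entropy(data)
    per_chunk = chunk_entropies(data, chunk_size)
    flagged = [i for i, e in enumerate(per_chunk) if e >= HIGH_ENTROPY]
    return {
        "whole_file_entropy": whole,
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "chunk_count": len(per_chunk),
        "encrypted_chunks": flagged,
        "expected_chunks": expected_encrypted_chunks(len(data)),
    }


def build_sample(chunk_count: int = 6, encrypted_at=(1, 4),
                 chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed sample: a zero-filled file with random bytes in place of ciphertext.

    The positions in `encrypted_at` are an assumption for the demo only."""
    chunks = [bytearray(chunk_size) for _ in range(chunk_count)]
    for idx in encrypted_at:
        chunks[idx] = bytearray(os.urandom(chunk_size))
    return bytes(b"".join(chunks))


if __name__ == "__main__":
    report = triage_file(build_sample())
    print(f"whole-file entropy {report['whole_file_entropy']:.2f} bits/byte, "
          f"flagged={report['whole_file_flagged']}")
    print(f"high-entropy chunks: {report['encrypted_chunks']} of {report['chunk_count']} "
          f"(post's rule predicts {report['expected_chunks']} for this size)")
```

On the constructed 6 MiB sample the whole-file entropy lands around 3.6 bits/byte, well under any ciphertext threshold, while the per-chunk pass flags exactly the two random chunks; the same per-chunk sweep run during incident response over a share of .play files gives a quick inventory of how much of each file is recoverable.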
How Does Picus Help Simulate Play Ransomware Attacks?
We also strongly suggest simulating Play ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as AvosLocker, MedusaLocker, and Akira, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Play ransomware:
Threat ID | Threat Name | Attack Module
95549 | Play Ransomware Campaign 2022 | Windows Endpoint
28161 | Play Ransomware Download Threat | Network Infiltration
38463 | Play Ransomware Email Threat | Email Infiltration (Phishing)
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address Play ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Play ransomware:
Security Control | Signature ID | Signature Name
Check Point NGFW | 0C7AB166B | Trojan.Win32.HEUR:Trojan-Ransom.TC.78a9Srdg
Cisco FirePower | W32.Auto:762bb8.in03.Talos |
Forcepoint NGFW | | File_Malware-Blocked
Fortigate AV | 10106192 | W32/Filecoder.PLAY!tr.ransom
McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto | 584061252 | Ransom/Win32.play.n
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Complete Security Validation Platform.
References
[1] "#StopRansomware: Play Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a. [Accessed: Dec. 19, 2023]
[2] A. Milenkoski, "Crimeware Trends," SentinelOne, Sep. 08, 2022. Available: https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/. [Accessed: Dec. 19, 2023]