| Play Ransomware | |
| --- | --- |
| Other Names | Playcrypt, Balloonfly |
| Location | Unknown |
| Date of initial activity | 2022 |
| Suspected attribution | Unknown |
| Associated Groups | Unknown |
| Motivation | Financial Gain |
| Associated tools | AdFind, Bloodhound, GMER, IOBit, PsExec, PowerTool, PowerShell, Cobalt Strike, Mimikatz, WinPEAS, WinRAR, WinSCP, Microsoft Nltest, Nekto / PriviCMD, Process Hacker, Plink |
| Active | Yes |
Overview
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.
Common targets
Businesses and critical infrastructure in North America, South America, and Europe.
Attack Vectors
The Play ransomware group breaches networks through abuse of valid accounts and exploitation of public-facing applications, including known FortiOS and Microsoft Exchange vulnerabilities. They use external-facing remote services such as RDP and VPN for initial entry.
How they operate
Discovery and Defense Evasion
Play ransomware actors employ tools such as AdFind for Active Directory queries and Grixba, an information-stealer, to scan networks and seek out anti-virus software. Additionally, they utilize GMER, IOBit, and PowerTool to disable security measures and erase log files. Notably, cybersecurity researchers have observed the use of PowerShell scripts to target Microsoft Defender.
Lateral Movement and Execution
To facilitate lateral movement and file execution, Play ransomware actors deploy command and control (C2) applications like Cobalt Strike and SystemBC, alongside tools like PsExec. Once inside a network, they search for unsecured credentials and use the Mimikatz credential dumper to obtain domain administrator privileges. They also run Windows Privilege Escalation Awesome Scripts (WinPEAS) to scan for further weaknesses, and distribute executables via Group Policy Objects.
Exfiltration and Encryption
Compromised data is often split and compressed into .RAR format using WinRAR for exfiltration, followed by transfer via WinSCP to actor-controlled accounts. Subsequently, files undergo AES-RSA hybrid encryption with intermittent encryption patterns.
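As an added example (not code from the page or from the advisory it draws on), the following Python scores constructed, normalised Windows/Sysmon telemetry against detection rules for the behaviours described in the Discovery, Lateral Movement and Exfiltration sections above, and flags hosts showing the archive-then-upload staging pattern; the event records, field names, rule patterns and the technique labels assigned to each tool are assumptions.

```python
import re
from collections import defaultdict

# Constructed, normalised telemetry (assumption, not from the page): Sysmon process
# starts (event 1) plus two Windows log events: 1102 (Security log cleared) and
# 7045 (new service installed). Field names are this example's own convention.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 1, "cmdline": "AdFind.exe -f objectcategory=computer -csv"},
    {"host": "WS01", "event_id": 1, "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "DC01", "event_id": 1102, "cmdline": ""},
    {"host": "FS01", "event_id": 7045, "cmdline": "", "service_name": "PSEXESVC"},
    {"host": "FS01", "event_id": 1, "cmdline": "Rar.exe a -v500m -ep1 D:\\tmp\\finance.rar \\\\FS01\\Finance"},
    {"host": "FS01", "event_id": 1, "cmdline": "WinSCP.exe /script=C:\\tmp\\upload.txt"},
    {"host": "WS02", "event_id": 1, "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]

# One rule per behaviour the profile describes; IDs follow the page's ATT&CK mapping.
RULES = [
    ("T1016", "AdFind Active Directory enumeration",
     lambda e: e["event_id"] == 1 and re.search(r"\badfind\.exe\b", e["cmdline"], re.I)),
    ("T1562.001", "Defender setting disabled via Set-MpPreference",
     lambda e: e["event_id"] == 1 and re.search(r"set-mppreference\s+-disable", e["cmdline"], re.I)),
    ("T1070.001", "Windows Security event log cleared",
     lambda e: e["event_id"] == 1102),
    ("T1570", "PsExec service (PSEXESVC) installed",
     lambda e: e["event_id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC"),
    ("T1560.001", "WinRAR split archive created (-v volume switch)",
     lambda e: e["event_id"] == 1 and re.search(r"\brar\.exe\b.*\s-v\d+[kmg]?\b", e["cmdline"], re.I)),
    ("T1048", "WinSCP scripted transfer",
     lambda e: e["event_id"] == 1 and re.search(r"\bwinscp\.exe\b.*/script=", e["cmdline"], re.I)),
]

def match_events(events):
    """Return (host, technique_id, label) for every record that trips a rule."""
    return [(e["host"], tid, label) for e in events for tid, label, pred in RULES if pred(e)]

def techniques_by_host(events):
    """Distinct technique IDs seen per host, sorted, for triage."""
    seen = defaultdict(set)
    for host, tid, _ in match_events(events):
        seen[host].add(tid)
    return {h: sorted(t) for h, t in seen.items()}

def hosts_with_exfil_chain(events):
    """Hosts showing both archive creation (T1560.001) and transfer (T1048):
    the staging-plus-upload pattern described in the Exfiltration section."""
    return sorted(h for h, t in techniques_by_host(events).items()
                  if {"T1560.001", "T1048"} <= set(t))
```

Hosts that stack several of these techniques, especially FS01-style archive-plus-transfer pairs, are the ones to triage first.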
Impact
The ransomware group adopts a double-extortion approach, encrypting systems post-data exfiltration, and demanding cryptocurrency payments to wallet addresses provided. Refusal prompts threats of data publication on their Tor network leak site.
MITRE Techniques Used
Initial Access
- Valid Accounts (T1078)
- Exploit Public Facing Application (T1190)
- External Remote Services (T1133)
Discovery
- System Network Configuration Discovery (T1016)
- Software Discovery: Security Software Discovery (T1518.001)
Defense Evasion
- Impair Defenses: Disable or Modify Tools (T1562.001)
- Indicator Removal: Clear Windows Event Logs (T1070.001)
Credential Access
- Unsecured Credentials (T1552)
- OS Credential Dumping (T1003)
Lateral Movement
- Lateral Tool Transfer (T1570)
Command and Control
- Domain Policy Modification: Group Policy Modification (T1484.001)
Collection
- Archive Collected Data: Archive via Utility (T1560.001)
Exfiltration
- Exfiltration Over Alternative Protocol (T1048)
Impact
- Data Encrypted for Impact (T1486)
- Financial Theft (T1657)
MITIGATIONS
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST's standards for developing and managing password policies:
  - Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;
  - Store passwords in hashed format using industry-recognized password managers;
  - Add password user "salts" to shared login credentials;
  - Avoid reusing passwords;
  - Implement multiple failed login attempt account lockouts;
  - Disable password "hints";
  - Refrain from requiring password changes more frequently than once per year.
  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password "patterns" cyber criminals can easily decipher.
- Require administrator credentials to install software.
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems. Organizations are advised to deploy the latest Microsoft Exchange security updates. If unable to patch, disable Outlook Web Access (OWA) until the updates can be applied.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents actors from directly connecting to remote access services they have established for persistence.
- Install, regularly update, and enable real-time detection for antivirus software on all hosts.
- Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Disable unused ports.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Implement time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, an organization ensures it will not be severely interrupted and/or left with only irretrievable data.
- Ensure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization's data infrastructure.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Tables 3-11).
- Align your security technologies against this technique.
- Test your technologies against this technique.
- Analyze the performance of your detection and prevention technologies.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The FBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Significant Attacks
- Oakland City Services Struggle to Recover From Ransomware Attack (February 2023)
- Ransomware group behind Oakland attack targets city in Massachusetts (May 2023)
- Switzerland warns that a ransomware gang may have accessed government data (June 2023)
- Play Ransomware Group Targeting MSPs Worldwide in New Campaign (August 2023)
- Dallas County reviewing data leaked by ransomware gang (November 2023)
- Around 65,000 Swiss government files were stolen by the Play ransomware gang during an attack on an IT supplier (2024)
References:
- Swiss cheese security? Play ransomware gang milks government of 65,000 files
- StopRansomware: Play Ransomware
- Play Ransomware’s Attack Playbook Similar to that of Hive, Nokoyawa
- Ransomware Roundup – Play
- Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals
- Play Ransomware Group Using New Custom Data-Gathering Tools