Play has now become a ransomware veteran, with its initial appearance identified in June 2022. In this context, "Play" refers both to the entity responsible for its development and distribution and to the name of the executable used for the ransomware. Following a pattern observed among numerous actors in this domain, Play has embraced the strategy of double extortion. This approach involves encrypting vital endpoints or infrastructure within an organization and subsequently threatening to release data exfiltrated from these systems onto the internet unless a ransom is paid.
Over the last week, the Play ransomware group targeted 10 organizations in the United States. Play is known for targeting mostly the United States over the last two years; in April alone, the group attacked over 40 organizations in the United States. The victims come from various industries such as business services, technology, automotive, education, critical infrastructure and manufacturing. This should concern every organization in the United States.
Play mostly targets business services, retail and manufacturing, with the majority of attacks aimed at US companies. Other affected organizations include those in transportation, finance and the automotive industry.
Swiss authorities were engaged in an investigation into a cyberattack that targeted a Bern-based IT firm. This attack had repercussions for various federal and cantonal government entities that were associated with the same IT company. Among these affected organizations were:
The responsibility for this attack has been claimed by the Play Ransomware group, who went on to disclose the stolen data from both Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a dark web forum.
In response to the incident, the impacted parties, namely Fedpol and FOCBS, have sought to downplay its severity. Fedpol specifically indicated that the accessed data consisted solely of simulated and anonymous test data. On the other hand, FOCBS acknowledged that the exposed information included communications with clients.
Play Ransomware has expanded its list of compromised entities on its leak site, asserting that it has successfully breached additional companies. Following the cyberattack on Xplain, the roster of targeted organizations now encompasses other IT service providers such as:
Globalcaja, a prominent Spanish bank headquartered in Albacete, has officially acknowledged a ransomware incident that is impacting several of its offices. With a widespread presence encompassing over 300 branches across Spain, the bank serves a substantial customer base of almost 500,000 individuals.
Attributed to the Play ransomware group, the attack has been accompanied by a statement announcing the theft of sensitive and confidential data. This includes a range of materials such as client and employee documents, passports, and contractual agreements.
The Play ransomware group has expanded its arsenal by incorporating several fresh tools and exploits. These include vulnerabilities such as ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution flaw. More recently, the group has also adopted additional tools like Grixba, a tailored network scanner and information theft tool, as well as the open-source VSS management tool AlphaVSS.
The Play ransomware group employs various strategies to gain initial access to their targets. These strategies include:
In addition to these methods, the Play ransomware actors have taken advantage of vulnerabilities in FortiOS. These include CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that permits an unauthenticated attacker to download OS system files through specially crafted HTTP requests. Another exploited vulnerability is CVE-2020-12812, which is an improper authentication flaw in FortiOS SSL VPN. This flaw allows a user to log in without undergoing the second factor of authentication (FortiToken) if they modify the case of their username.
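As an added example that is not part of the original post, the following Python check scans SSL VPN event logs for the condition CVE-2020-12812 depends on: the same account authenticating under different letter-casing, or a casing that does not match the directory's canonical spelling. The key="value" log layout, the account names and the addresses are all constructed for illustration, not captured from a real device.

```python
import re
from collections import defaultdict

# Constructed sample events in a FortiGate-style key="value" layout (assumed format,
# not real device output). The last two events show one account logging in with
# casing that differs from the directory entry, the pattern CVE-2020-12812 abuses.
SAMPLE_LOGS = [
    'date=2023-06-01 time=08:01:10 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip="198.51.100.7"',
    'date=2023-06-01 time=08:02:41 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip="203.0.113.5"',
    'date=2023-06-01 time=08:03:12 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip="203.0.113.9"',
    'date=2023-06-01 time=21:17:03 type="event" subtype="vpn" action="tunnel-up" user="JDoe" remip="198.51.100.7"',
    'date=2023-06-01 time=21:19:55 type="event" subtype="vpn" action="tunnel-up" user="JDOE" remip="198.51.100.7"',
]

# Canonical spelling of each VPN account as it exists in the directory (constructed).
DIRECTORY = {"jdoe", "asmith"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}


def find_case_variant_logins(lines, directory):
    """Return alerts for successful SSL-VPN logins whose username casing differs
    from the directory spelling, plus one alert per account seen under several
    casings. Both patterns are worth triage on a FortiOS device where
    CVE-2020-12812 is unpatched, since the 2FA bypass relies on exactly this."""
    canonical = {u.lower(): u for u in directory}
    seen = defaultdict(set)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue  # only completed logins matter for the bypass check
        user = ev.get("user", "")
        seen[user.lower()].add(user)
        expected = canonical.get(user.lower())
        if expected is not None and user != expected:
            alerts.append({"time": ev.get("time"), "user": user, "expected": expected,
                           "remip": ev.get("remip"), "reason": "case differs from directory"})
    for key, variants in seen.items():
        if len(variants) > 1:
            alerts.append({"user": key, "variants": sorted(variants), "reason": "multiple casings"})
    return alerts
```

Feeding the device's real syslog export through `find_case_variant_logins` with the organization's actual account list gives a quick retroactive sweep of a FortiOS SSL VPN for this bypass pattern.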
Furthermore, the Play ransomware group has leveraged newer CVEs for initial access: ProxyNotShell (CVE-2022-41040), a server-side request forgery (SSRF) vulnerability that lets an authenticated attacker remotely trigger a second vulnerability, CVE-2022-41082; OWASSRF (CVE-2022-41080), a newer exploit method for Microsoft Exchange Server that emerged after the ProxyNotShell patch; and Microsoft Exchange Server Remote Code Execution (CVE-2022-41082), used as the follow-on step in both the ProxyNotShell and OWASSRF chains to achieve remote code execution through the PowerShell endpoint reached by each vulnerability.
The Play group posts all the information regarding its attacks and victims on its official data leak site (DLS).
| Tactic | Technique |
|---|---|
| Execution | T1059.003 – Windows Command Shell |
| Defense Evasion | T1036.005 – Match Legitimate Name or Location |
| Exfiltration | T1041 – Exfiltration Over C2 Channel |
| Exfiltration | T1029 – Scheduled Transfer |
| Exfiltration | T1567 – Exfiltration Over Web Service |
| Privilege Escalation | T1547.001 – Registry Run Keys / Startup Folder |
| Persistence | T1547.001 – Registry Run Keys / Startup Folder |
| Execution | T1569.002 – Service Execution |
| Privilege Escalation | T1547.009 – Shortcut Modification |
| Persistence | T1547.009 – Shortcut Modification |
| Privilege Escalation | T1078 – Valid Accounts |
| Initial Access | T1078 – Valid Accounts |
| Defense Evasion | T1078 – Valid Accounts |
| Persistence | T1078 – Valid Accounts |
| Execution | T1059.001 – PowerShell |
| Initial Access | T1566.002 – Spearphishing Link |
| Discovery | T1016.001 – Internet Connection Discovery |
| Initial Access | T1566.001 – Spearphishing Attachment |
| Impact | T1486 – Data Encrypted for Impact |
| Initial Access | T1195 – Supply Chain Compromise |
| Collection | T1114.001 – Local Email Collection |
| Defense Evasion | T1027.001 – Binary Padding |
| Exfiltration | T1020 – Automated Exfiltration |
| Exfiltration | T1537 – Transfer Data to Cloud Account |
| Initial Access | T1190 – Exploit Public-Facing Application |
    
Cyberint, the Impactful Intelligence company, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Cyberint Argos platform's patented technology provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web. A team of global military-grade cybersecurity experts works alongside customers to rapidly detect, investigate, and disrupt relevant threats before they have the chance to develop into major incidents.
Global customers, including Fortune 500 leaders across all major market verticals, rely on Cyberint to protect themselves from an array of external risks, including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data leaks, fraud, and third-party risks.

©1994–2025 Check Point Software Technologies Ltd. All rights reserved.