Are They Really Playing? Get to Know Play Ransomware
Play is a relatively recent ransomware operation, first observed in June 2022. In this context, "Play" refers both to the group that develops and distributes the malware and to the name of the ransomware executable itself. Like many actors in this space, Play runs a double-extortion model: it exfiltrates data from the victim, encrypts critical endpoints and infrastructure, and then threatens to publish the stolen data on the internet unless a ransom is paid.
Victimology of Play Ransomware
Leak site data indicates that the IT industry was targeted most often by Play, followed by transportation. Other affected organizations include companies in the construction and materials sector as well as government entities. The most recent victims, posted in December, include Becker Furniture World, Waldner's, Packaging Solutions, Jon Richard, Succes Schoonmaak, California Innovations, Capespan, GreenWaste Recovery, Kuriyama of America, GVM and Vitro Plus.
Swiss authorities were engaged in an investigation into a cyberattack that targeted the Bern-based IT firm, Xplain. This attack had repercussions on various federal and cantonal government entities that were associated with the same IT company. Among these affected organizations were:
- The cantonal police
- The Swiss army
- Customs
- The Federal Office of Police (Fedpol).
The responsibility for this attack has been claimed by the Play Ransomware group, who went on to disclose the stolen data from both Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a dark web forum.
In response to the incident, the impacted parties, namely Fedpol and FOCBS, have sought to downplay its severity. Fedpol specifically indicated that the accessed data consisted solely of simulated and anonymous test data. On the other hand, FOCBS acknowledged that the exposed information included communications with clients.
Play Ransomware has expanded its list of compromised entities on its leak site, asserting that it has successfully breached additional companies. Following the cyberattack on Xplain, the roster of targeted organizations now encompasses other IT service providers such as:
- Paragon Software Lanka
- Soroc Technology
- A cloud hosting provider named Black Cat Networks
Globalcaja, a prominent Spanish bank headquartered in Albacete, has officially acknowledged a ransomware incident that is impacting several of its offices. With a widespread presence encompassing over 300 branches across Spain, the bank serves a substantial customer base of almost 500,000 individuals.
Attributed to the Play ransomware group, the attack has been accompanied by a statement announcing the theft of sensitive and confidential data. This includes a range of materials such as client and employee documents, passports, and contractual agreements.
Malware, Tools & TTPs of Play Ransomware
The Play ransomware group has expanded its arsenal with several new tools and exploits. On the exploit side these include ProxyNotShell, OWASSRF, and the Microsoft Exchange Server remote code execution flaw they chain into (all detailed below). More recently the group has also adopted Grixba, a custom network scanner and information-stealing tool, and AlphaVSS, an open-source .NET library for managing the Windows Volume Shadow Copy Service (VSS), which is useful to an attacker for enumerating and deleting shadow copies ahead of encryption.
The Play ransomware group employs various strategies to gain initial access to their targets. These strategies include:
- Exploiting valid accounts, including virtual private network (VPN) accounts, that may have been reused across multiple platforms, exposed in previous incidents, or illicitly acquired.
- Making use of exposed remote desktop protocol (RDP) servers to establish a foothold in the targeted systems.
In addition to these methods, Play actors have exploited older, well-known vulnerabilities in FortiOS. CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that lets an unauthenticated attacker download system files (notably the file holding active SSL VPN session data and plaintext credentials) through specially crafted HTTP requests. CVE-2020-12812 is an improper-authentication flaw in FortiOS SSL VPN that allows a user to log in without completing the second factor of authentication (FortiToken) simply by changing the case of the username. Both have had patches available for years, so their continued use says more about unpatched internet-facing VPN appliances than about the group's sophistication.
Furthermore, the Play ransomware group has leveraged newer CVEs for initial access. ProxyNotShell (CVE-2022-41040) is a server-side request forgery (SSRF) vulnerability in the Exchange Autodiscover front end that lets an authenticated attacker reach the Exchange PowerShell backend and trigger a second vulnerability, CVE-2022-41082, for remote code execution. OWASSRF (CVE-2022-41080) is a different exploitation method published after the ProxyNotShell patch: it reaches the same PowerShell endpoint through the Outlook Web Access (OWA) front end, bypassing the URL rewrite mitigation Microsoft had issued for ProxyNotShell, and again chains into CVE-2022-41082 for code execution. In both cases CVE-2022-41082 is the final stage, so a fully patched Exchange server (November 2022 updates or later) closes both chains; the URL rewrite rule alone does not.
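The initial-access vectors above all leave traces in the web-front-end logs of the appliance or server being abused. The following script is an added example (not Cyberint's code and not part of the original report) that runs three simple detections over constructed sample log lines in a simplified `<timestamp> <src_ip> <method> <uri> <status> [user=<name>]` format: a request to the FortiOS `fgt_lang` endpoint with a traversal in the `lang` parameter (the public CVE-2018-13379 exploit), repeated SSL VPN logins for the same account under different casings of the username (the CVE-2020-12812 bypass), and an Exchange request whose decoded path contains an `@` followed by a `/powershell` segment (the shape Microsoft's ProxyNotShell URL rewrite rule blocks on the Autodiscover path; that the OWASSRF variant appears the same way under `/owa/` is an assumption of this example). The log format and all sample lines are constructed for the demonstration; real FortiGate or IIS logs would need their own parser.

```python
"""Detections for the initial-access CVEs discussed above (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample lines; not real traffic. The format is a simplification
# of what a reverse proxy or IIS access log would contain.
SAMPLE_LOG = """\
2023-06-01T08:00:01Z 203.0.113.5 GET /remote/login?lang=en 200
2023-06-01T08:00:02Z 203.0.113.5 GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 200
2023-06-01T08:01:00Z 198.51.100.9 POST /remote/logincheck 200 user=jsmith
2023-06-01T08:01:30Z 198.51.100.9 POST /remote/logincheck 200 user=JSmith
2023-06-01T09:10:00Z 192.0.2.77 POST /autodiscover/autodiscover.json?@evil.example/powershell&Email=autodiscover/autodiscover.json%3F@evil.example 200
2023-06-01T09:12:00Z 192.0.2.77 POST /owa/mastermailbox%40example.com/powershell 200
2023-06-01T09:15:00Z 192.0.2.10 GET /owa/auth/logon.aspx 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})"
    r"(?: user=(?P<user>\S+))?$"
)

# CVE-2018-13379: the public exploit reads the SSL VPN session file via a
# traversal in the lang parameter of /remote/fgt_lang.
FORTI_TRAVERSAL_RE = re.compile(
    r"/remote/fgt_lang\?lang=.*(?:\.\./|sslvpn_websession)", re.I
)

# ProxyNotShell / OWASSRF: an '@' in the path followed by a /powershell
# segment means a front end was used as an SSRF into the PowerShell backend.
# The /owa/ form is an assumption of this example (see lead-in).
EXCHANGE_SSRF_RE = re.compile(
    r"(?:/autodiscover/autodiscover\.json|/owa/)\S*@\S*/powershell", re.I
)

RULE_FORTI_TRAVERSAL = "CVE-2018-13379 path traversal"
RULE_FORTI_CASE = "CVE-2020-12812 username case variants"
RULE_EXCHANGE_SSRF = "Exchange SSRF to PowerShell backend"


@dataclass(frozen=True)
class Finding:
    rule: str
    src_ip: str
    detail: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text):
    """Run all three rules over the log text and return a list of Findings."""
    findings = []
    # lowercase username -> set of (src_ip, spelling-as-submitted)
    logins = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Decode once so %40 / %2e%2e style encodings cannot dodge the regexes.
        uri = unquote(rec["uri"])
        if FORTI_TRAVERSAL_RE.search(uri):
            findings.append(Finding(RULE_FORTI_TRAVERSAL, rec["ip"], uri))
        if EXCHANGE_SSRF_RE.search(uri):
            findings.append(Finding(RULE_EXCHANGE_SSRF, rec["ip"], uri))
        if rec["user"] and uri.startswith("/remote/logincheck"):
            logins[rec["user"].lower()].add((rec["ip"], rec["user"]))
    # Same account logged in under more than one casing: the CVE-2020-12812
    # bypass works exactly by varying the case of the username.
    for seen in logins.values():
        spellings = sorted({u for _, u in seen})
        if len(spellings) > 1:
            ips = ",".join(sorted({ip for ip, _ in seen}))
            findings.append(Finding(RULE_FORTI_CASE, ips, "/".join(spellings)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.rule}] src={f.src_ip} {f.detail}")
```

The traversal and SSRF rules are precise enough to act on directly. The case-variant rule is a lead rather than a verdict, because users do sometimes type their own name with different capitalisation; correlate a hit with whether the FortiToken challenge was actually issued for the second login before treating it as a bypass.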
Play Ransomware Community
The Play group publishes its victim listings and the data it claims to have stolen on its own data leak site (DLS).
Play Ransomware TTPs
Tactic | Technique |
---|---|
Execution | T1059.003 – Windows Command Shell |
Defense Evasion | T1036.005 – Match Legitimate Name or Location |
Exfiltration | T1041 – Exfiltration Over C2 Channel |
Exfiltration | T1029 – Scheduled Transfer |
Exfiltration | T1567 – Exfiltration Over Web Service |
Privilege Escalation | T1547.001 – Registry Run Keys / Startup Folder |
Persistence | T1547.001 – Registry Run Keys / Startup Folder |
Execution | T1569.002 – Service Execution |
Privilege Escalation | T1547.009 – Shortcut Modification |
Persistence | T1547.009 – Shortcut Modification |
Privilege Escalation | T1078 – Valid Accounts |
Initial Access | T1078 – Valid Accounts |
Defense Evasion | T1078 – Valid Accounts |
Persistence | T1078 – Valid Accounts |
Execution | T1059.001 – PowerShell |
Initial Access | T1566.002 – Spearphishing Link |
Discovery | T1016.001 – Internet Connection Discovery |
Initial Access | T1566.001 – Spearphishing Attachment |
Impact | T1486 – Data Encrypted for Impact |
Initial Access | T1195 – Supply Chain Compromise |
Collection | T1114.001 – Local Email Collection |
Defense Evasion | T1027.001 – Binary Padding |
Exfiltration | T1020 – Automated Exfiltration |
Exfiltration | T1537 – Transfer Data to Cloud Account |
Initial Access | T1190 – Exploit Public-Facing Application |
About Cyberint
Cyberint, the Impactful Intelligence company, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Cyberint Argos platform’s patented technology provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web. A team of global military-grade cybersecurity experts work alongside customers to rapidly detect, investigate, and disrupt relevant threats – before they have the chance to develop into major incidents.
Global customers, including Fortune 500 leaders across all major market verticals, rely on Cyberint to protect themselves from an array of external risks, including vulnerabilities, misconfigurations, phishing, impersonation attacks, malware infections, exposed credentials, data leaks, fraud, and 3rd party risks.