Dec 20^th – Since June of 2022, the Play ransomware group has conducted 300 successful cyber attacks, according to a joint advisory published by the U.S. and Australian governments.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC), have warned that the group has targeted a range of businesses and critical infrastructure entities across the U.S., Europe, Australia and South America.

Initial access

The Play group engages in double-extortion tactics, encrypting victim’s systems and exfiltrating data. It threatens to publish the data on its Tor leak site unless a ransom is paid.

To obtain initial access to an organization’s network, Play abuses valid accounts and exploits public-facing applications. It also uses external-facing services, such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN).

After wheedling into the network, the group disables anti-virus software and log files. Cobalt Strike and/or other command and control (C2) applications are then deployed in order to assist with lateral movement and file execution.

The hackers proceed to search for unsecured credentials and use the Mimikatz credential dumper to obtain domain administrator access.

Data exfiltration

These hackers are after data. To get what they want, the hackers often split the compromised data into segments and use tools like WinRaR as a means of compressing files into the .RAR format.

Afterwards, they use WinSCP to move the data into hacker-controlled digital spaces. The files are then encrypted with AES-RSA hybrid encryption, with a .play extension added to the file names and a ransom note is placed in file directory C.

Targets are told to contact the Play gang via an email address that ends in @gmx[.]de and to use cryptocurrency in order to deliver a ransom payment.

Preventing Play ransomware

For network defenders, tactics to put into action include:

• Requiring multi-factor authentication for all services. This is of particular significance in relation to webmail, VPNs and accounts that access critical systems.
• Maintaining up-to-date systems. Prioritize patching of known, exploited vulnerabilities in internet-facing systems.
• Network segmentation. This enables security staff to control traffic flows between various subnetworks, potentially preventing the spread of ransomware.
• Validating security controls. Test security programs against threat behaviors mapped to the Play ransomware group, as enumerated in the MITRE ATT&CK for Enterprise framework.
• Developing a data recovery plan. This nearly goes without saying — all organizations should maintain data backups in a physically separate, segmented and secure location.