Play Ransomware Detection: Ongoing Ransomware Attacks Against Businesses and Critical Infrastructure in the U.S., South America, and Europe
At the end of November 2023, leading U.S. cybersecurity agencies, in collaboration with international partners, issued an alert covering LockBit 3.0 ransomware attacks as part of their #StopRansomware effort aimed at boosting cybersecurity awareness. Recently, another joint Cybersecurity Advisory came out to notify defenders of ongoing attacks by the Play ransomware group. In this alert, AA23-352A, the FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) shed light on the malicious activity of the Play ransomware operators, who are believed to have compromised at least 300 entities in their targeted attacks.
Detecting Play Ransomware Attacks
With ransomware operators leveraging increasingly advanced tactics, techniques, and procedures, cybersecurity practitioners need a reliable source of detection content to outpace adversaries and detect attacks at the earliest possible stage. The SOC Prime Platform for collective cyber defense aggregates a set of detection algorithms that help identify the tools typically used by Play ransomware maintainers and the malicious activity leading to potential infection.
The collection of 20 Sigma rules tailored for Play ransomware detection is compatible with 28 SIEM, EDR, and Data Lake solutions. All the rules are mapped to the MITRE ATT&CK® framework and enriched with extensive metadata, including CTI links, attack timelines, and triage recommendations. Drill down into this batch of curated detections to streamline your threat investigation.
Additionally, defenders can also rely on detection algorithms for ProxyNotShell vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) that are leveraged by Play ransomware actors at the initial access stage.
Play Ransomware Attack Analysis
On December 18, 2023, the FBI, CISA, and ASD’s ACSC released a new alert covering the ongoing offensive operations of the Play ransomware group, also known as Playcrypt.
Since the summer of 2022, the Playcrypt ransomware operators have targeted multiple businesses and critical infrastructure across the U.S., South America, and Europe. In October 2023, the FBI uncovered roughly 300 entities affected by the group’s ransomware attacks. In Australia, Play ransomware was first identified in the mid-spring of 2023.
The Play ransomware group operates as a closed group and employs a double-extortion model: adversaries exfiltrate data and encrypt systems before dropping ransom notes. The notes do not provide payment instructions directly; Play operators prefer a more covert channel and prompt their victims to contact them via email. Ransom payments are demanded in cryptocurrency and are to be sent to wallet addresses specified by the Play actors. If a victim declines to pay, the adversaries threaten to publish the exfiltrated data on their leak site on the Tor network.
As mitigation measures, the advisory recommends following security best practices, such as implementing multifactor authentication, regularly creating offline backups of data, establishing a comprehensive recovery plan, and keeping systems and software up to date through regular patching.
Play ransomware operators commonly gain initial access by abusing legitimate accounts and exploiting vulnerabilities in public-facing instances, particularly FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities. They also take advantage of external-facing RDP and VPN services at the initial access phase.
For discovery and defense evasion, the Play ransomware group uses the AdFind utility and the Grixba info-stealer, along with PowerTool to disable anti-virus software and remove log files. To facilitate lateral movement and file execution, the adversaries leverage C2 frameworks such as Cobalt Strike and SystemBC, together with utilities like PsExec. They then employ the Mimikatz credential dumper to obtain domain administrator access.
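As an added example (not part of the advisory or of SOC Prime's rule set), the following Python evaluates simplified Sigma-style selections for three of the tools named above, AdFind, PsExec and Mimikatz, against constructed Sysmon process-creation records; the rule wording, ATT&CK tags and sample events are assumptions made here, and the renamed Mimikatz binary shows why command-line matching matters alongside image-name matching.

```python
"""Sigma-style detection of Play-associated tooling over constructed process-creation events."""

# Simplified Sigma rules (assumed wording): fields inside a selection are ANDed,
# list values for one field are ORed, modifiers |contains and |endswith supported.
RULES = [
    {"title": "AdFind AD enumeration", "technique": "T1018",
     "selection": {"Image|endswith": ["\\adfind.exe"],
                   "CommandLine|contains": ["-f ", "-sc "]}},
    {"title": "PsExec lateral movement", "technique": "T1569.002",
     "selection": {"Image|endswith": ["\\psexec.exe", "\\psexec64.exe"]}},
    {"title": "Mimikatz credential dumping", "technique": "T1003.001",
     "selection": {"CommandLine|contains": ["sekurlsa::", "lsadump::"]}},
]

# Constructed Sysmon Event ID 1 style records, not real telemetry.
EVENTS = [
    {"Id": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Id": 2, "Image": "C:\\Temp\\adfind.exe",
     "CommandLine": "adfind.exe -f objectcategory=computer"},
    {"Id": 3, "Image": "C:\\Tools\\PsExec64.exe",
     "CommandLine": "PsExec64.exe \\\\srv01 -s cmd"},
    {"Id": 4, "Image": "C:\\Users\\Public\\m.exe",  # renamed binary
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords"'},
]


def _field_matches(event, key, values):
    """Case-insensitive match of one selection field against an event."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def rule_matches(rule, event):
    return all(_field_matches(event, k, v) for k, v in rule["selection"].items())


def detect(events):
    """Return (event id, rule title, ATT&CK technique) for every hit."""
    return [(e["Id"], r["title"], r["technique"])
            for e in events for r in RULES if rule_matches(r, e)]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```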
What to do next
If you need help getting detection engineering in place to detect these types of attacks, please get in touch via our contact page, or set up a 30-minute, no-obligation call via my calendar link below.