Play Ransomware Attacking Organizations

The ransomware attacks are becoming more frequent and rapidly increasing in size as well.

This alarming pace of ransomware is significantly concerning the thousands of private and public organizations around the world across several industries. 

Threat actors target all sorts of organizations globally by leveraging loopholes and unpatched security vulnerabilities to gain access and encrypt their data.

Each day, more than 200K+ fresh ransomware strains were detected and reported, implying 140 new strains per minute evade detection, causing significant damage to organizations and individuals.

The cybersecurity researchers at Symantec recently detected the Play ransomware (aka PlayCrypt) attacking both private and public organizations across several industries globally.

Play Ransomware Attacking Private & Public Organizations

Balloonfly, a group tracked by Symantec, developed Play ransomware, accountable for several attacks that are high-profile in nature, and it was launched in June 2022.

Play, like many ransomware groups, conducts dual-extortion attacks, exfiltrating victim network data prior to encryption. Initially targeting Latin American organizations, primarily Brazil; however, later, the ransomware gang swiftly expanded its targeting scope.

Besides this, the Play ransomware is a prominent player in the current threat landscape since it rivals the most notorious variants like:-

In recent weeks, over 25 victims fell prey to the gang, spanning diverse industries types and organizations of all sizes in both public and private segments.

Play ransomware employs various infection vectors, leveraging known vulnerabilities such as ProxyNotShell and purchasing access to the infrastructure via stolen credentials from previously successful threat actors.

Tools Used

Here below, we have mentioned all the tools that are used for lateral movement and persistence by the operators of Play ransomware:-

With all the necessary instructions on how to pay the ransom, the Play ransomware generates a ransom note dubbed “ReadMe.txt” after successfully encrypting all the files with the, “PLAY” extension.

The ransom note generally directs the victims to an Onion website or an email address for communication, and the note itself often contains the “Play” word along with a link to the Onion website.

Apart from this, the Play ransomware group has become one of the first groups to adopt this stealthy technique by using the intermittent encryption technique. 

While this technique enables the threat actors to encrypt all the systems of the users rapidly, selectively encrypting portions of targeted file content ensures irretrievable data even with partial encryption.

“AI-based email security measures Protect your business From Email Threats!” – .

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.