The Play ransomware group, also going by the name Playcrypt, has been affecting several kinds of North American, South American, and European enterprises as well as vital infrastructure since June 2022.
The FBI learned of about 300 impacted companies as of October 2023 that the ransomware attackers allegedly took advantage of.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued a joint advisory to disseminate IOCs and TTPs discovered as recently as October 2023 by the Play ransomware group.
The Play ransomware incident was initially noted in Australia in April 2023, and it was most recently detected in November 2023.
A statement on the Play ransomware group’s data leak website states that the group is thought to be closed and created to “guarantee the secrecy of deals.”
The threat actors using play ransomware utilize a double-extortion strategy, first gaining access to computers and then encrypting data.
The initial ransom demand and payment instructions are not included in ransom notes; instead, victims are told to email the threat actors.
By abusing legitimate accounts and taking advantage of public-facing applications, the Play ransomware group first gains access to victim networks. Specifically, this is accomplished through known vulnerabilities in Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) and FortiOS (CVE-2018-13379 and CVE-2020-12812).
It has been noted that most ransomware actors initially gain access through external-facing services like Virtual Private Networks (VPN) and Remote Desktop Protocol (RDP).
Actors in play ransomware employ tools such as AdFind to execute Active Directory queries and Grixba, an information-stealer, to enumerate network information and scan for anti-virus software.
Additionally, actors utilize tools like GMER, IOBit, and PowerTool to remove log files and disable antivirus software.
To mitigate the possibility and effect of ransomware outbreaks, companies are encouraged by the FBI, CISA, and ASD’s ACSC to implement the recommendations provided in the Mitigations.
A critical authentication bypass vulnerability in SonicWall firewalls, tracked as CVE-2024-53704, is now being actively…
Researchers have identified a new backdoor malware, written in Go programming language, that leverages Telegram…
A recently discovered Python script has been flagged as a potential cybersecurity threat due to…
A website launched by Elon Musk's Department of Government Efficiency (DOGE) has been found to…
The notorious Lazarus Group, a North Korean Advanced Persistent Threat (APT) group, has been linked…
Job seekers have become the target of a sophisticated ransomware campaign in a recent cybersecurity…