Cyber Security News

Play Ransomware Infected Over 300 Organizations Worldwide : FBI Warns

Since June 2022, the Play ransomware group, also known as Playcrypt, has impacted a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe.

As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued a joint advisory to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.

Specifics of the Play Ransomware Group

In Australia, the first Play ransomware incident was observed in April 2023, and the most recent in November 2023.

According to a statement on the group’s data leak website, Play is presumed to be a closed group, created to “guarantee the secrecy of deals.”

Play ransomware actors employ a double-extortion model: after gaining access, they exfiltrate data and then encrypt systems, so victims face both an outage and the threat of the stolen data being published.

Ransom notes do not include an initial ransom demand or payment instructions; instead, victims are instructed to contact the threat actors via email.

The Play ransomware group gains initial access to victim networks by abusing valid accounts and exploiting public-facing applications, specifically through known vulnerabilities in Microsoft Exchange (ProxyNotShell: CVE-2022-41040 and CVE-2022-41082) and FortiOS (CVE-2018-13379 and CVE-2020-12812).

Play ransomware actors have also been observed using external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.

For discovery, Play ransomware actors use tools such as AdFind to run Active Directory queries and the Grixba information-stealer to enumerate network information and scan for antivirus software.

For defense evasion, they use tools such as GMER, IOBit, and PowerTool to disable antivirus software and remove log files.
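The discovery and defense-evasion tooling named above is noisy in process-creation telemetry (Sysmon Event ID 1, Windows 4688, or an EDR feed), so a defender can hunt for it directly. The following is an added example written for this page, not code from the advisory or from any vendor: it runs a small rule set over constructed sample events and escalates any account that both enumerates the environment and tampers with defenses or logs on the same host, which is the pattern described above. The tool filenames (adfind, grixba, gmer, iobit, powertool), the `wevtutil cl` / `Clear-EventLog` log-clearing rules, and the MITRE ATT&CK technique IDs attached to each rule are the example’s own assumptions, not details taken from the advisory; tune them to your environment.

```python
import os
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). The field names mimic
# what Sysmon Event ID 1 or an EDR would provide.
SAMPLE_EVENTS = [
    {"ts": "2023-10-02T01:14:09Z", "host": "DC01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer -csv name operatingSystem"},
    {"ts": "2023-10-02T01:16:40Z", "host": "FS02", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\grixba.exe", "cmdline": "grixba.exe scan"},
    {"ts": "2023-10-02T01:20:03Z", "host": "FS02", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\Temp\\PowerTool64.exe", "cmdline": "PowerTool64.exe"},
    {"ts": "2023-10-02T01:21:55Z", "host": "FS02", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2023-10-02T08:00:00Z", "host": "WS17", "user": "CORP\\alice",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n \"C:\\Users\\alice\\Documents\\report.docx\""},
]

# Rules: (name, ATT&CK technique, regex on image basename, optional regex on command line).
# Filenames are assumptions about how these tools commonly appear on disk.
RULES = [
    ("AdFind Active Directory query", "T1087.002",
     re.compile(r"^adfind(\.exe)?$", re.I), None),
    ("Grixba network/AV enumeration", "T1518.001",
     re.compile(r"^grixba", re.I), None),
    ("GMER (AV/driver tampering)", "T1562.001",
     re.compile(r"^gmer", re.I), None),
    ("IOBit tool (AV/driver tampering)", "T1562.001",
     re.compile(r"^iobit", re.I), None),
    ("PowerTool (AV/driver tampering)", "T1562.001",
     re.compile(r"^powertool", re.I), None),
    ("Windows event log cleared via wevtutil", "T1070.001",
     re.compile(r"^wevtutil(\.exe)?$", re.I), re.compile(r"\bcl\b", re.I)),
    ("Windows event log cleared via PowerShell", "T1070.001",
     re.compile(r"^(powershell|pwsh)(\.exe)?$", re.I), re.compile(r"clear-eventlog", re.I)),
]

DISCOVERY_PREFIXES = ("T1087", "T1518")
EVASION_PREFIXES = ("T1562", "T1070")


def match_event(event):
    """Return (rule_name, technique) hits for one process-creation event."""
    # Normalise Windows paths so basename() works on any host running the hunt.
    base = os.path.basename(event["image"].replace("\\", "/"))
    hits = []
    for name, technique, image_re, cmd_re in RULES:
        if image_re.search(base) and (cmd_re is None or cmd_re.search(event["cmdline"])):
            hits.append((name, technique))
    return hits


def detect(events):
    """Run every rule over every event; returns alert dicts in event order."""
    alerts = []
    for ev in events:
        for name, technique in match_event(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": name, "technique": technique})
    return alerts


def correlate(alerts):
    """Escalate accounts that both enumerate the environment (discovery) and tamper with
    defenses or logs (evasion). A single hit is often a sysadmin; the combination, across
    one or more hosts, looks like hands-on-keyboard ransomware staging."""
    by_user = defaultdict(lambda: {"hosts": set(), "techniques": set()})
    for a in alerts:
        by_user[a["user"]]["hosts"].add(a["host"])
        by_user[a["user"]]["techniques"].add(a["technique"])
    escalated = {}
    for user, info in by_user.items():
        discovery = {t for t in info["techniques"] if t.startswith(DISCOVERY_PREFIXES)}
        evasion = {t for t in info["techniques"] if t.startswith(EVASION_PREFIXES)}
        if discovery and evasion:
            escalated[user] = {"hosts": sorted(info["hosts"]),
                               "techniques": sorted(info["techniques"])}
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']}: {a['rule']} [{a['technique']}]")
    for user, info in correlate(found).items():
        print(f"ESCALATE {user}: hosts={info['hosts']} techniques={info['techniques']}")
```

Against the sample events, the four tool executions fire and the benign Word launch does not; the correlation step then escalates `CORP\svc_backup`, because the same account ran AdFind on the domain controller and Grixba, PowerTool, and a log wipe on the file server. In production, feed `detect()` from your SIEM export and add a time window to `correlate()` so that unrelated hits weeks apart are not joined.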

Mitigation

  • Prioritize remediating known exploited vulnerabilities.
  • Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
  • Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.

The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of the advisory to reduce the likelihood and impact of ransomware incidents.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
