The Play ransomware group, also going by the name Playcrypt, has been affecting several kinds of North American, South American, and European enterprises as well as vital infrastructure since June 2022.
The FBI learned of about 300 impacted companies as of October 2023 that the ransomware attackers allegedly took advantage of.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued a joint advisory to disseminate IOCs and TTPs discovered as recently as October 2023 by the Play ransomware group.
The Play ransomware incident was initially noted in Australia in April 2023, and it was most recently detected in November 2023.
A statement on the Play ransomware group’s data leak website states that the group is thought to be closed and created to “guarantee the secrecy of deals.”
The threat actors using play ransomware utilize a double-extortion strategy, first gaining access to computers and then encrypting data.
The initial ransom demand and payment instructions are not included in ransom notes; instead, victims are told to email the threat actors.
By abusing legitimate accounts and taking advantage of public-facing applications, the Play ransomware group first gains access to victim networks. Specifically, this is accomplished through known vulnerabilities in Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) and FortiOS (CVE-2018-13379 and CVE-2020-12812).
It has been noted that most ransomware actors initially gain access through external-facing services like Virtual Private Networks (VPN) and Remote Desktop Protocol (RDP).
Actors in play ransomware employ tools such as AdFind to execute Active Directory queries and Grixba, an information-stealer, to enumerate network information and scan for anti-virus software.
Additionally, actors utilize tools like GMER, IOBit, and PowerTool to remove log files and disable antivirus software.
To mitigate the possibility and effect of ransomware outbreaks, companies are encouraged by the FBI, CISA, and ASD’s ACSC to implement the recommendations provided in the Mitigations.
ServiceNow recently disclosed three critical vulnerabilities (CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178) affecting multiple Now Platform versions,…
A newly discovered vulnerability in Google Cloud Platform (GCP) has raised significant security concerns among…
The PKfail vulnerability is a significant security issue affecting over 200 device models of Secure…
A vulnerability in OpenStack's Nova component has been identified, potentially allowing hackers to gain unauthorized…
A North Korean military intelligence operative has been indicted for orchestrating a series of cyberattacks…
RA World, an emerging ransomware group, has been increasingly active since March 2024, using a…