With its recent shift to a Ransomware-as-a-Service (RaaS) model, PLAY – also known as PlayCrypt – is now targeting Managed Service Providers (MSPs) worldwide, and has affected more than 300 entities.
The PLAY ransomware group, suspected to have Russian ties based on their use of encryption techniques characteristic of Russian-affiliated cybercrime outfits, surfaced in 2022 with a distinctive '.play' file extension for their encryption activities.
PLAY shares similarities with Hive and Nokoyawa. A notable commonality is their use of AdFind, a command-line utility designed to gather data from Active Directory, underscoring their similar operational behaviors.
Source: Trend Micro and OCD
Primarily focusing their cyber assaults in Germany, the group has also extended its reach to compromise targets across the United States, Brazil, Argentina, Portugal, Belgium, and Switzerland.
Source: Trend Micro
PLAY’s activities predominantly revolve around the telecommunications and healthcare industries, though it has not spared organizations within the Media/Communication, Transportation, Construction, and Government sectors.
Source: Trend Micro
To date, more than 436 victims have fallen prey to its malicious operations.
Source: ransomware.live
PLAY obtains access using legitimate accounts and exploits vulnerabilities in FortiOS and Microsoft Exchange.
PLAY escalates privileges using tools like Mimikatz and adds users to admin groups.
PLAY evades defenses by disabling antivirus programs, erasing logs, and employing intermittent encryption.
PLAY uses Mimikatz to dump credentials, executed as a module of Cobalt Strike and Empire.
PLAY conducts Active Directory queries using AdFind and Bloodhound, and network enumeration with Grixba.
PLAY spreads laterally using Cobalt Strike and SystemBC, and executes files via Group Policy Objects.
PLAY deploys Empire, SystemBC, Cobalt Strike, PsExec, and batch files for execution.
For exfiltration and encryption, PLAY segments data, uses WinRAR and WinSCP, and employs AES-RSA hybrid encryption with the '.play' extension.
Impacting systems with double-extortion tactics, PLAY demands cryptocurrency ransoms and threatens data leak if not paid.
PLAY strategically attacks backup systems to leave victims without alternative data recovery options, employing meticulous strategies to eliminate backup capabilities.
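As an added illustration (not code from the page or its cited sources), a small Python triage script that tags constructed process-creation and file-rename events with the PLAY stages summarized above and flags hosts showing a burst of '.play' renames; the executable basenames and the rename threshold are assumptions.

```python
import json
import re
from collections import Counter, defaultdict

# Tools named in the PLAY TTP summary above, mapped to the stage the page assigns
# them. Executable basenames are assumed for illustration; match is case-insensitive.
TOOL_STAGE = {
    "adfind.exe": "discovery (AD query)",
    "grixba.exe": "discovery (network enumeration)",
    "mimikatz.exe": "credential dumping",
    "psexec.exe": "lateral movement / execution",
    "winrar.exe": "exfiltration staging (archive)",
    "winscp.exe": "exfiltration (transfer)",
}
PLAY_EXT = re.compile(r"\.play$", re.IGNORECASE)
MASS_RENAME_THRESHOLD = 3  # assumed threshold for the sample; tune per environment

def classify(event):
    """Return the PLAY stage an event suggests, or None if it matches nothing."""
    if event.get("type") == "process":
        image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        return TOOL_STAGE.get(image)
    if event.get("type") == "file_rename" and PLAY_EXT.search(event.get("new_path", "")):
        return "impact (.play encryption)"
    return None

def analyze(log_lines):
    """Count events per stage and list hosts with a burst of '.play' renames."""
    stages, renames = Counter(), defaultdict(int)
    for line in log_lines:
        event = json.loads(line)
        stage = classify(event)
        if stage is None:
            continue
        stages[stage] += 1
        if stage.startswith("impact"):
            renames[event.get("host", "?")] += 1
    flagged = sorted(h for h, n in renames.items() if n >= MASS_RENAME_THRESHOLD)
    return {"stages": dict(stages), "mass_rename_hosts": flagged}

# Constructed sample telemetry (JSON lines), not real logs.
SAMPLE = [
    r'{"type":"process","host":"dc01","image":"C:\\Temp\\AdFind.exe"}',
    r'{"type":"process","host":"ws07","image":"C:\\Tools\\PsExec.exe"}',
    r'{"type":"process","host":"ws07","image":"C:\\Program Files\\WinRAR\\WinRAR.exe"}',
    r'{"type":"file_rename","host":"fs01","new_path":"D:\\Share\\budget.xlsx.play"}',
    r'{"type":"file_rename","host":"fs01","new_path":"D:\\Share\\plan.docx.play"}',
    r'{"type":"file_rename","host":"fs01","new_path":"D:\\Share\\db.bak.play"}',
    r'{"type":"process","host":"ws07","image":"C:\\Windows\\notepad.exe"}',
]
```

Calling `analyze(SAMPLE)` returns the per-stage counts and lists `fs01` as the host with a mass-rename burst; in practice the same logic would be fed from an EDR or SIEM export rather than the inline sample.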
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
The PLAY Ransomware Group is a cybercriminal organization known for deploying ransomware to encrypt victims' files, demanding ransom payments for decryption keys. They often target organizations with weak security postures.
PLAY ransomware typically infects systems through phishing emails, exploit kits, and compromised credentials, exploiting vulnerabilities to gain access and deploy their payload.
While PLAY ransomware has targeted a broad range of sectors, critical infrastructure, healthcare, and financial services have been particularly vulnerable due to the sensitive nature of their data.
IoCs for PLAY ransomware include unusual network traffic, suspicious registry key modifications, ransom notes, and the '.play' extension appended to encrypted files.
SOC teams should employ advanced threat detection solutions, conduct regular network traffic analysis, and implement threat detection and response systems. Immediate isolation of infected systems and execution of a response plan are crucial.
Best practices include regular software updates, employee cybersecurity awareness training, robust email filtering, and the use of multi-factor authentication (MFA) to protect against phishing and credential compromise.
While specific decryption tools for PLAY ransomware may not always be available, consulting cybersecurity experts and exploring available decryption tools for similar ransomware variants is advised before considering ransom payments.
The PLAY group operates on a ransom model, demanding payments often in cryptocurrencies. They may also engage in double extortion tactics, threatening to leak stolen data if the ransom is not paid.
A response plan should include immediate isolation of affected systems, identification of the ransomware strain, communication protocols, data recovery procedures from backups, and legal considerations for ransom payments.
Organizations should report the incident to local or national cybersecurity authorities, providing detailed information about the attack without compromising ongoing operations or data privacy laws.