Ransomware Group

PLAY

With its recent shift to a Ransomware-as-a-Service (RaaS) model, PLAY – also known as PlayCrypt – is now targeting Managed Service Providers (MSPs) worldwide, and has affected more than 300 entities.

Is Your Organization Safe from PLAY Ransomware Attacks?

The Origin of PLAY

The PLAY ransomware group, suspected to have Russian ties based on their use of encryption techniques characteristic of Russian-affiliated cybercrime outfits, surfaced in 2022 with a distinctive '.play' file extension for their encryption activities.

PLAY shares similarities with Hive and Nokayawa. A notable commonality is their utilization of AdFind, a command-line utility designed to gather data from Active Directory, underscoring their similar operational behaviors.

Source: Trend Micro and OCD

Targets

PLAY's Targets

Countries targeted by PLAY

Primarily focusing their cyber assaults in Germany, the group has also extended its reach to compromise targets across the United States, Brazil, Argentina, Portugal, Belgium, and Switzerland.

Source: Trend Micro

Industries Targeted by PLAY

PLAY’s activities predominantly revolve around the telecommunications and healthcare industries, though it has not spared organizations within the Media/Communication, Transportation, Construction, and Government sectors.

Source: Trend Micro

Industries Targeted by PLAY

PLAY’s activities predominantly revolve around the telecommunications and healthcare industries, though it has not spared organizations within the Media/Communication, Transportation, Construction, and Government sectors.

Source: Trend Micro

PLAY's Victims

To date, more than 436 victims have fallen prey to its malicious operations.

Source: ransomware.live

Demo

See How Vectra AI Detects a Ransomware Attack

TTPs & Tools

PLAY’s Attack Method

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.

PLAY obtains access using legitimate accounts and exploits vulnerabilities in FortiOS and Microsoft Exchange.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.

PLAY escalates privileges using tools like Mimikatz and adds users to admin groups.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.

PLAY evades defenses by disabling antivirus programs, erasing logs, and employing intermittent encryption.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.

PLAY uses Mimikatz to dump credentials, executed as module of Cobalt Strike and Empirer.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.

PLAY conducts Active Directory queries using AdFind and Bloodhound, and network enumeration with Grixba.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.

PLAY spreads laterally using Cobalt Strike and SystemBC, and executes files via Group Policy Objects.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.

PLAY deploys Empire, System BC, Cobalt Strike, PsExec, and batch files for execution.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.

For exfiltration and encryption, PLAY segments data, uses WinRAR and WinSCP, and employs AES-RSA hybrid encryption with the '.play' extension.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.

Impacting systems with double-extortion tactics, PLAY demands cryptocurrency ransoms and threatens data leak if not paid.

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.
Initial Access

PLAY obtains access using legitimate accounts and exploits vulnerabilities in FortiOS and Microsoft Exchange.

A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.
Privilege Escalation

PLAY escalates privileges using tools like Mimikatz and adds users to admin groups.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.
Defense Evasion

PLAY evades defenses by disabling antivirus programs, erasing logs, and employing intermittent encryption.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
Credential Access

PLAY uses Mimikatz to dump credentials, executed as module of Cobalt Strike and Empirer.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
Discovery

PLAY conducts Active Directory queries using AdFind and Bloodhound, and network enumeration with Grixba.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
Lateral Movement

PLAY spreads laterally using Cobalt Strike and SystemBC, and executes files via Group Policy Objects.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
Collection
A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
Execution

PLAY deploys Empire, System BC, Cobalt Strike, PsExec, and batch files for execution.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
Exfiltration

For exfiltration and encryption, PLAY segments data, uses WinRAR and WinSCP, and employs AES-RSA hybrid encryption with the '.play' extension.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.
Impact

Impacting systems with double-extortion tactics, PLAY demands cryptocurrency ransoms and threatens data leak if not paid.

MITRE ATT&CK Mapping

TTPs used by PLAY

PLAY strategically attacks backup systems to leave victims without alternative data recovery options, employing meticulous strategies to eliminate backup capabilities.

TA0001: Initial Access
T1190
Exploit Public-Facing Application
T1133
External Remote Services
T1078
Valid Accounts
TA0002: Execution
No items found.
TA0003: Persistence
T1078
Valid Accounts
TA0004: Privilege Escalation
T1484
Group Policy Modification
T1078
Valid Accounts
TA0005: Defense Evasion
T1070
Indicator Removal
T1562
Impair Defenses
T1484
Group Policy Modification
T1078
Valid Accounts
TA0006: Credential Access
T1552
Unsecured Credentials
T1003
OS Credential Dumping
TA0007: Discovery
T1518
Software Discovery
T1016
System Network Configuration Discovery
TA0008: Lateral Movement
T1570
Lateral Tool Transfer
TA0009: Collection
T1560
Archive Collected Data
TA0011: Command and Control
No items found.
TA0010: Exfiltration
T1048
Exfiltration Over Alternative Protocol
TA0040: Impact
T1657
Financial Theft
T1486
Data Encrypted for Impact
Platform Detections

How to Detect PLAY with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is the PLAY Ransomware Group?

The PLAY Ransomware Group is a cybercriminal organization known for deploying ransomware to encrypt victims' files, demanding ransom payments for decryption keys. They often target organizations with weak security postures.

How does PLAY ransomware infect systems?

PLAY ransomware typically infects systems through phishing emails, exploit kits, and compromised credentials, exploiting vulnerabilities to gain access and deploy their payload.

What sectors are most at risk from PLAY ransomware attacks?

While PLAY ransomware has targeted a broad range of sectors, critical infrastructure, healthcare, and financial services have been particularly vulnerable due to the sensitive nature of their data.

What are the indicators of compromise (IoCs) associated with PLAY ransomware?

IoCs for PLAY ransomware include unusual network traffic, suspicious registry key modifications, ransom notes, and file extensions related to the malware.

How can SOC teams detect and respond to PLAY ransomware?

SOC teams should employ advanced threat detection solutions, conduct regular network traffic analysis, and implement threat detection and response systems. Immediate isolation of infected systems and execution of a response plan are crucial.

What are the best practices for preventing PLAY ransomware infections?

Best practices include regular software updates, employee cybersecurity awareness training, robust email filtering, and the use of multi-factor authentication (MFA) to protect against phishing and credential compromise.

Can data encrypted by PLAY ransomware be decrypted without paying the ransom?

While specific decryption tools for PLAY ransomware may not always be available, consulting cybersecurity experts and exploring available decryption tools for similar ransomware variants is advised before considering ransom payments.

How does the PLAY ransomware group operate financially?

The PLAY group operates on a ransom model, demanding payments often in cryptocurrencies. They may also engage in double extortion tactics, threatening to leak stolen data if the ransom is not paid.

What should be included in a response plan for a PLAY ransomware attack?

A response plan should include immediate isolation of affected systems, identification of the ransomware strain, communication protocols, data recovery procedures from backups, and legal considerations for ransom payments.

How can organizations collaborate with law enforcement following a PLAY ransomware attack?

Organizations should report the incident to local or national cybersecurity authorities, providing detailed information about the attack without compromising ongoing operations or data privacy laws.