The PLAY Ransomware Group: Tactics, Targets, and Impact


The PLAY ransomware group, also known as Playcrypt, has emerged as a significant threat in the cybersecurity landscape. This group has been active since at least June 2022 and has targeted a wide range of businesses and critical infrastructure across North America, South America, and Europe. As of October 2023, approximately 300 entities have reportedly been exploited by PLAY ransomware actors.

Initial Access and Tactics

PLAY ransomware actors gain initial access to victim networks primarily through two methods:

  1. Abuse of Valid Accounts: They obtain and misuse existing account credentials.
  2. Exploitation of Public-Facing Applications: They exploit vulnerabilities in internet-facing systems, particularly known vulnerabilities in FortiOS and Microsoft Exchange.

Once inside the network, PLAY actors use various tools for discovery and defense evasion. They employ tools like AdFind for Active Directory queries and Grixba, an information-stealer, to enumerate network information and scan for anti-virus software. They also use tools like GMER, IOBit, and PowerTool to disable anti-virus software and remove log files.

Lateral Movement and Execution

For lateral movement and execution, PLAY actors use command and control applications like Cobalt Strike and SystemBC. They also utilize tools such as PsExec for lateral movement and file execution. The group searches for unsecured credentials and uses the Mimikatz credential dumper to gain domain administrator access. They further use Windows Privilege Escalation Awesome Scripts (WinPEAS) to search for additional privilege escalation paths and distribute executables via Group Policy Objects.
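One way to turn the tooling named in the two sections above into a detection, as an added example that is not from the advisory or from this page: the script below reads Windows process-creation events, maps the on-disk tools the advisory lists (AdFind, Grixba, GMER, IOBit, PowerTool, Mimikatz, WinPEAS, PsExec, WinRAR, WinSCP) to an intrusion stage, and flags any host on which tools from three or more distinct stages appear within a day. The event line format, the stage mapping, the thresholds and the sample events are all constructed assumptions for this example.

```python
"""Per-host stage correlation over process-creation events (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed mapping from the tools the advisory names to an intrusion stage, keyed on
# image name or command line. Cobalt Strike and SystemBC are deliberately absent:
# their beacons rarely show up under a telltale image name and need network detection.
STAGE_SIGNATURES = {
    "discovery": [r"adfind\.exe", r"grixba"],
    "defense_evasion": [r"gmer\.exe", r"iobit", r"powertool"],
    "credential_access": [r"mimikatz", r"winpeas"],
    "lateral_movement": [r"psexe(c|svc)\.exe"],
    "exfiltration": [r"winrar\.exe", r"\brar\.exe", r"winscp\.exe"],
}
COMPILED = {stage: [re.compile(p) for p in pats] for stage, pats in STAGE_SIGNATURES.items()}

# Assumed event format: one event per line, key=value fields, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_event(line):
    """Parse one event line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def classify(event):
    """Return the set of stages whose tool signatures match this event."""
    haystack = (event["image"] + " " + event["cmd"]).lower()
    return {stage for stage, pats in COMPILED.items() if any(p.search(haystack) for p in pats)}


def correlate(lines, min_stages=3, window_hours=24):
    """Group matched events per host and flag hosts showing >= min_stages distinct
    stages within window_hours. Returns {host: {stages, span_hours, events}}."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        stages = classify(ev)
        if stages:
            per_host[ev["host"]].append((ev["ts"], stages))
    findings = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        stages = set().union(*(s for _, s in hits))
        span = (hits[-1][0] - hits[0][0]).total_seconds() / 3600
        if len(stages) >= min_stages and span <= window_hours:
            findings[host] = {"stages": sorted(stages), "span_hours": round(span, 2), "events": len(hits)}
    return findings


# Constructed sample events: WS-042 walks through four stages in under three hours;
# SRV-01 is a helpdesk user running PsExec once; WS-017 only unpacks an archive.
SAMPLE_LOG = r"""
2023-10-02T03:14:05Z host=WS-042 user=CORP\jsmith image=C:\Temp\AdFind.exe cmd="AdFind.exe -f objectcategory=computer"
2023-10-02T03:20:41Z host=WS-042 user=CORP\jsmith image=C:\Temp\gmer.exe cmd="gmer.exe"
2023-10-02T04:02:17Z host=WS-042 user=CORP\jsmith image=C:\Temp\PsExec.exe cmd="PsExec.exe \\FS-01 -s cmd.exe"
2023-10-02T05:30:00Z host=WS-042 user=CORP\jsmith image=C:\Temp\WinRAR.exe cmd="WinRAR.exe a share.rar \\FS-01\finance"
2023-10-02T05:55:12Z host=WS-042 user=CORP\jsmith image=C:\Temp\WinSCP.exe cmd="WinSCP.exe /script=up.txt"
2023-10-02T09:00:00Z host=SRV-01 user=CORP\helpdesk image=C:\Tools\PsExec.exe cmd="PsExec.exe \\WS-101 ipconfig"
2023-10-02T09:05:00Z host=WS-017 user=CORP\amartin image=C:\Windows\notepad.exe cmd="notepad.exe notes.txt"
2023-10-02T10:15:00Z host=WS-017 user=CORP\amartin image=C:\Program_Files\WinRAR.exe cmd="WinRAR.exe x photos.rar"
"""

if __name__ == "__main__":
    for host, info in correlate(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

Single-tool hits (a sysadmin using PsExec, a user unpacking an archive) are expected noise, which is why the rule fires only on the combination of stages on one host in a short window; the thresholds are a starting point to tune against your own baseline.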

Exfiltration and Encryption

Before encrypting the victim's data, PLAY actors often split the data into segments and use tools like WinRAR to compress files into .RAR format for exfiltration. They then use WinSCP to transfer data from the compromised network to actor-controlled accounts. The encryption process involves AES-RSA hybrid encryption with intermittent encryption, encrypting every other file portion of 0x100000 bytes, and skipping system files. The encrypted files are appended with a .play extension, and a ransom note titled ReadMe[.]txt is placed in the file directory.
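The intermittent encryption described above leaves a recognisable on-disk pattern: portions of 0x100000 bytes alternate between ciphertext-like and untouched content. The following incident-response triage helper is an added example, not code from the advisory or this page. It computes Shannon entropy per 0x100000-byte portion, tests for strict high/low alternation without assuming which portion the pattern starts on, checks for the .play extension and the ReadMe.txt note, and walks a directory to report both. The entropy thresholds and the constructed sample content are assumptions.

```python
"""Triage for PLAY-style file artifacts: .play extension, ReadMe.txt, intermittent
encryption in 0x100000-byte portions (added example)."""
import math
import os
from collections import Counter

CHUNK = 0x100000          # portion size stated in the advisory (1 MiB)
HIGH_ENTROPY = 7.9        # bits/byte typical of ciphertext or random data (assumed threshold)
LOW_ENTROPY = 6.5         # upper bound for uncompressed documents and binaries (assumed threshold)
NOTE_NAME = "ReadMe.txt"  # ransom note name given in the advisory
PLAY_EXT = ".play"


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, chunk=CHUNK):
    """Entropy per full-size portion. A short trailing portion is ignored because
    its entropy is bounded by log2(len) and would distort the alternation test."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data) - chunk + 1, chunk)]


def looks_intermittently_encrypted(entropies, high=HIGH_ENTROPY, low=LOW_ENTROPY):
    """True when consecutive portions strictly alternate high/low entropy, in either
    phase. Fully encrypted files (all high) and untouched files (all low) return
    False, which is exactly what separates this mode from ordinary encryption."""
    if len(entropies) < 3:
        return False

    def fits(phase):
        return all((e >= high) if i % 2 == phase else (e <= low) for i, e in enumerate(entropies))

    return fits(0) or fits(1)


def triage_file(name, data):
    """Per-file verdict combining the extension indicator and the entropy pattern."""
    ents = chunk_entropies(data)
    return {
        "name": name,
        "play_extension": name.lower().endswith(PLAY_EXT),
        "chunk_entropies": [round(e, 2) for e in ents],
        "intermittent": looks_intermittently_encrypted(ents),
    }


def triage_tree(root):
    """Walk a directory tree: list ransom notes and triage every .play file."""
    notes, hits = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower() == NOTE_NAME.lower():
                notes.append(path)
            elif f.lower().endswith(PLAY_EXT):
                with open(path, "rb") as fh:
                    hits.append(triage_file(path, fh.read()))
    return {"ransom_notes": notes, "play_files": hits}


# Constructed sample content: 'E' = random bytes standing in for an encrypted portion,
# 'P' = repetitive text standing in for an untouched portion.
_LINE = b"Q3 budget line item, cost centre 4410, approved\r\n"
_RANDOM_PORTION = os.urandom(CHUNK)
_TEXT_PORTION = (_LINE * (CHUNK // len(_LINE) + 1))[:CHUNK]


def build_sample(pattern):
    """Build a file body from a pattern string such as 'EPEP'."""
    return b"".join(_RANDOM_PORTION if ch == "E" else _TEXT_PORTION for ch in pattern)


if __name__ == "__main__":
    print(triage_file("budget.xlsx.play", build_sample("EPEP")))
```

The heuristic is blind to files whose untouched portions are already high-entropy (archives, JPEGs, encrypted containers), so treat the .play extension and the note as the primary indicators and the entropy pattern as corroboration when deciding whether partial recovery of a file's untouched portions is worth attempting.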

Double-Extortion Model

The PLAY ransomware group employs a double-extortion model. They encrypt systems after exfiltrating data and direct victims to contact them via email for ransom payment instructions. If the ransom is not paid, they threaten to publish the exfiltrated data on their leak site on the Tor network.

Financial Impact

Ransom payments are demanded in cryptocurrency, and the specific wallet addresses are provided by PLAY actors. The exact amount of ransom collected by the group is not specified in the advisory.

Mitigations

The advisory recommends several mitigations to reduce the risk of compromise by PLAY ransomware:

  • Implement a recovery plan with offline backups.
  • Require multifactor authentication for all services.
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks to prevent the spread of ransomware.
  • Use network monitoring tools to detect abnormal activity.
  • Filter network traffic to prevent direct connections to remote services.
  • Install and update antivirus software on all hosts.
  • Regularly review domain controllers, servers, workstations, and Active Directory for unrecognized accounts.

The advisory emphasizes the importance of secure-by-design principles in software development and advises organizations to follow the Cross-Sector Cybersecurity Performance Goals developed by CISA and NIST.

Conclusion

The PLAY ransomware group represents a sophisticated and evolving threat in the cybersecurity domain. Their tactics, techniques, and procedures (TTPs) highlight the need for robust cybersecurity measures and constant vigilance by organizations to protect against such threats.
