The Play ransomware group was responsible for around 300 successful attacks since June 2022, according to a joint cybersecurity advisory by the US and Australian governments.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) said the ransomware group targeted a range of businesses and critical infrastructure organizations in North America, South America and Europe between June 2022 and October 2023.
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.
How the Play Group Operates
The agencies believe Play is a closed group; a statement on the threat actor’s data leak website claims to “guarantee the secrecy of deals.”
The group employs a double-extortion model, exfiltrating victims’ data before encrypting systems. Its ransom notes contain no ransom demand or payment instructions; instead, victims are told to contact the group at an email address ending in @gmx[.]de.
Payments are then made in cryptocurrency to wallet addresses provided by the attackers. The Play group threatens to publish exfiltrated data to its leak site on the Tor network to pressure victims into paying.
Its methods of gaining initial access to organizations’ networks are the abuse of valid accounts and the exploitation of public-facing applications, as well as external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN).
Once in the network, the group uses tools to disable anti-virus software and remove log files. It then employs command and control (C2) frameworks, such as Cobalt Strike, to assist with lateral movement and file execution.
The threat actors search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access.
To exfiltrate data, the attackers often split the compromised data into segments and use tools like WinRAR to compress files into .RAR format. They then use WinSCP to transfer the data to actor-controlled accounts.
Finally, the files are encrypted with AES-RSA hybrid encryption, a .play extension is added to file names, and a ransom note titled ReadMe[.]txt is placed in the C:\ directory.
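As an added example that is not part of the advisory or this article, the following Python script turns the tool chain described above into a small set of hunting rules. It reads constructed, Sysmon-style process-creation and file-creation events (the pipe-delimited format, hostnames, user names and paths are all assumptions made for the example) and flags the stages the article lists: Mimikatz credential dumping, WinRAR archive staging, WinSCP transfer, the ReadMe.txt note in C:\ and the .play extension. Treating WinRAR’s -v volume switch as the sign of data being “split into segments” is also an assumption, not something the advisory states.

```python
"""Triage script for the Play tool chain described above.

Added example, not code from the advisory or the agencies. It scans
constructed, Sysmon-style process-creation and file-creation events
(pipe-delimited here for simplicity; the format, hosts, users and paths
are assumptions) for the stages the article lists.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events: ts|host|user|kind|image|command line or target path.
SAMPLE_EVENTS = r"""
2023-11-02T01:12:03|FS01|CORP\svc_backup|ProcessCreate|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2023-11-02T01:15:41|FS01|CORP\jdoe|ProcessCreate|C:\Temp\mk.exe|mk.exe privilege::debug sekurlsa::logonpasswords
2023-11-02T01:20:10|FS01|CORP\jdoe|ProcessCreate|C:\Program Files\WinRAR\Rar.exe|Rar.exe a -v500m -hpS3cret D:\stage\fin.rar D:\Finance
2023-11-02T01:44:55|FS01|CORP\jdoe|ProcessCreate|C:\Program Files (x86)\WinSCP\WinSCP.exe|WinSCP.exe /console /script=D:\stage\up.txt
2023-11-02T02:03:17|FS01|CORP\jdoe|FileCreate|C:\Users\jdoe\AppData\Local\Temp\x.exe|C:\ReadMe.txt
2023-11-02T02:03:18|FS01|CORP\jdoe|FileCreate|C:\Users\jdoe\AppData\Local\Temp\x.exe|D:\Finance\Q3.xlsx.play
2023-11-02T08:00:00|WS07|CORP\asmith|ProcessCreate|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe x C:\Users\asmith\Downloads\photos.rar
""".strip().splitlines()

# Order in which the article describes the stages; used to sort a host's hits.
STAGE_ORDER = ["credential_dumping", "archive_staging", "exfil_transfer",
               "ransom_note", "encryption"]


def parse(line):
    """Split one pipe-delimited event into a dict, adding the lowercased exe name."""
    ts, host, user, kind, image, detail = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "kind": kind,
            "image": image, "detail": detail,
            "exe": PureWindowsPath(image).name.lower()}


def classify(ev):
    """Return the stage name an event matches, or None if it looks benign."""
    exe, detail = ev["exe"], ev["detail"]
    low = detail.lower()
    if ev["kind"] == "ProcessCreate":
        # Match Mimikatz by its module syntax as well as by name, so a
        # renamed binary is still caught.
        if exe == "mimikatz.exe" or "sekurlsa::" in low or "lsadump::" in low:
            return "credential_dumping"
        argv = detail.split()
        if exe in ("rar.exe", "winrar.exe") and len(argv) > 1 and argv[1].lower() == "a":
            # 'a' adds files to an archive (extraction with 'x' is ignored).
            # Assumption: the "segments" the article mentions would show up
            # as WinRAR's -v<size> volume switch.
            ev["split_volumes"] = any(a.lower().startswith("-v") for a in argv[2:])
            return "archive_staging"
        if exe == "winscp.exe":
            return "exfil_transfer"
    elif ev["kind"] == "FileCreate":
        target = PureWindowsPath(detail)
        if target.suffix.lower() == ".play":
            return "encryption"
        if target.name.lower() == "readme.txt" and str(target.parent).lower() == "c:\\":
            return "ransom_note"
    return None


def triage(lines):
    """Group stage hits per host; escalate when two or more stages line up."""
    hits = defaultdict(dict)  # host -> stage -> timestamp of first sighting
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        stage = classify(ev)
        if stage and stage not in hits[ev["host"]]:
            hits[ev["host"]][stage] = ev["ts"]
    report = {}
    for host, stages in hits.items():
        ordered = [s for s in STAGE_ORDER if s in stages]
        report[host] = {"stages": ordered, "escalate": len(ordered) >= 2}
    return report


if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if r["escalate"] else "review"
        print(f"{host}: {flag} {' -> '.join(r['stages'])}")
```

Run as-is, the script escalates FS01 (all five stages within an hour) and says nothing about WS07, whose WinRAR use is an extraction rather than archive creation. Two design points matter in practice: the Mimikatz rule keys on the tool’s module syntax (sekurlsa::, lsadump::) rather than only the file name, so a renamed binary still triggers, and each rule on its own is noisy (administrators use WinRAR and WinSCP too), which is why the script escalates on the sequence of stages per host rather than on any single hit. To use it on real data, export Sysmon process-creation and file-creation events into the same fields and tune the thresholds to your environment.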
How to Protect Against the Play Threat
The FBI, CISA, and ASD’s ACSC set out a range of measures for all critical infrastructure organizations and network defenders to defend against the Play group’s tactics, including:
- Implement a data recovery plan. Organizations should maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location
- Require all accounts to adopt password best practices. Organizations should follow National Institute of Standards and Technology (NIST) standards in this area, such as using longer passwords of at least eight characters and storing passwords in industry recognized password managers
- Require multi-factor authentication for all services. This is particularly important for webmail, VPNs and accounts that access critical systems
- Keep all operating systems, software and firmware up to date. Organizations should prioritize patching known exploited vulnerabilities in internet-facing systems
- Segment networks. This can help prevent the spread of ransomware by controlling traffic flows between and access to various subnetworks
- Monitor and investigate abnormal activity. Organizations should implement a tool that logs and reports all network traffic, including lateral movement activity
- Filter network traffic. Preventing unknown or untrusted origins from accessing remote services on internal systems stops threat actors from directly connecting to remote access services
- Validate security controls. Organizations are advised to test their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework