Play Ransomware Detection: Ongoing Ransomware Attacks Against Businesses and Critical Infrastructure in the U.S., South America, and Europe

Veronika Telychko
Latest posts by Veronika Telychko (see all)
WRITTEN BY
Veronika Telychko
[post-views]
December 19, 2023 · 4 min read
Play Ransomware Detection

At the end of November 2023, leading U.S. cybersecurity agencies, in collaboration with international partners, issued an alert covering LockBit 3.0 ransomware attacks as part of their #StopRansomware effort aimed at boosting cybersecurity awareness. Recently, another joint Cybersecurity Advisory came out aimed at notifying defenders of the ongoing attacks by the Play ransomware group. In this alert, AA23-352A, FBI, CISA, and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) shed light on the malicious activity of the Play ransomware operators that are believed to have compromised at least 300 entities throughout their targeted attacks.

Detecting Play Ransomware Attacks

With more advanced tactics, techniques, and procedures leveraged by ransomware operators, cybersecurity practitioners require a reliable source of detection content to overspeed the adversaries and detect attacks at the earliest possible stages. SOC Prime Platform for collective cyber defense aggregates a set of detection algorithms helping identify tools typically used by Play ransomware maintainers and malicious activity leading to potential infection. 

The collection of 20 Sigma rules tailored for Play ransomware detection is compatible with 28 SIEM, EDR, EDR, and Data Lake solutions. All the rules are mapped to the MITRE ATT&CK® framework and enriched with extensive metadata, including CTI links, attack timelines, triage recommendations, etc. Just hit the Explore Detections button below and drill down to a batch of curated detections to streamline your threat investigation. 

Explore Detections

Additionally, defenders can also rely on detection algorithms for ProxyNotShell vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) that are leveraged by  Play ransomware actors at the initial access stage. 

Play Ransomware Attack Analysis

On December 18, 2023, FBI, CISA, and ASD’s ACSC released a new alert covering the ongoing offensive operations by the Play ransomware group, also known as Playcrypt. 

Since the summer of 2022, the Playcrypt ransomware operators have targeted multiple businesses and critical infrastructure across the U.S., South America, and Europe. In October 2023, the FBI uncovered roughly 300 entities affected by the group’s ransomware attacks. In Australia, Play ransomware was first identified in the mid-spring of 2023.

The Play ransomware group belongs to a highly confidential offensive unit that employs a double-extortion model. Adversaries encrypt systems and perform data exfiltration prior to sending ransom notes. The latter don’t provide payment guidelines directly. Play ransomware operators prefer a more covert way of communication by prompting their victims to contact them via email. Payments for the ransom are demanded in cryptocurrency and are to be sent to wallet addresses specified by the Play actors. Provided that a victim declines to pay the ransom, adversaries threaten them to disclose exfiltrated data on their leak site on the Tor network.

As mitigation measures, defenders recommend following the best security practices, such as implementing multifactor authentication, regularly creating offline backups of data, establishing a comprehensive recovery plan, and making sure the system and software are always up-to-date while relying on regular patching.

Play ransomware operators commonly gain initial access by abusing legitimate accounts and weaponizing vulnerabilities in public-facing instances, especially setting their eyes on FortiOS (CVE-2018-13379 and CVE-2020-12812) and ProxyNotShell vulnerability exploits. Also, they take advantage of RDP and VPN at the initial access phase. 

For detection evasion, the Play ransomware group applies an AdFind utility and a Grixba info-stealer, as well as PowerTool to disable anti-virus software and remove log files. To facilitate lateral movement and file execution, adversaries leverage C2 applications, such as Cobalt Strike and SystemBC, along with utilities like PsExec. Further on, they employ the Mimikatz credential dumper to acquire domain administrator access.

The increasing volumes of tricky attacks attributed to the Play ransomware group require ultra-responsiveness from the defensive forces to prioritize remediating the threats. Log in to SOC Prime Platform to equip your team with over 900 pieces of detection content for proactive cyber defense against critical ransomware attacks of any sophistication.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

Forest Blizzard (aka Fancy Bear or APT28)
Blog, Latest Threats — 4 min read
Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America
Veronika Telychko
UAC-0133 (Sandworm) Reemerges
Blog, Latest Threats — 5 min read
UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine
Veronika Telychko
UAC-0149
Blog, Latest Threats — 3 min read
UAC-0149 Attacks Ukrainian Defense Forces Using Signal, CVE-2023-38831 Exploits, and COOKBOX Malware
Daryna Olyniychuk