The Federal Bureau of Investigation says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.
The warning comes as a joint advisory issued in partnership with CISA and the Australian Signals Directorate's Australian Cyber Security Centre.
The Play ransomware operation surfaced in June 2022, after the first victims reached out for help in BleepingComputer's forums.
In contrast to typical ransomware operations, Play ransomware affiliates use email as their negotiation channel and do not provide victims with a link to a Tor negotiation page in the ransom notes left on compromised systems.
Before deploying ransomware, they will steal sensitive documents from compromised systems, which they use to pressure victims into paying ransom demands under the threat of leaking the stolen data online.
The gang also uses a custom VSS Copying Tool that helps steal files from Volume Shadow Copies even when those files are in use by applications.
Recent high-profile Play ransomware victims include the City of Oakland in California, car retailer giant Arnold Clark, cloud computing company Rackspace, and the Belgian city of Antwerp.
In guidance issued today by the FBI, CISA, and ASD's ACSC, organizations are urged to prioritize remediating known exploited vulnerabilities to reduce the likelihood of their being used in Play ransomware attacks.
Network defenders are also strongly advised to implement multifactor authentication across all services, focusing on webmail, VPN, and accounts with access to critical systems.
Regular updating and patching of software and applications to their most recent versions and routine vulnerability assessments should be part of all organizations' standard security practices.
The three government agencies also advise security teams to implement the mitigation measures shared with today's joint advisory.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 18 Dec 2023 16:25:12 +0000