Play Ransomware Has Hit 300 Entities Worldwide: FBI

The Play ransomware group, which was behind such high-profile attacks as those on the city of Oakland, California, and Dallas County, Texas, is behind at least 300 similar cyber-incidents since June 2022, according to government cybersecurity agencies in the United States and Australia.
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI, joined by the Australian Signals Directorate's Australian Cyber Security Centre, issued an advisory this week warning organizations about the prolific threat group, which has target critical infrastructure entities in North America, South America, and Europe.
The double-extortion group, also known as PlayCrypt and BalloonFly, was first seen in Australia in April, with the most recent incident arising in November.
The agencies said they wanted to alert organizations to their tactics and techniques as well as give recommendations for mitigating against the threat.
According to a report earlier this year, Symantec's Threat Hunter Team wrote that Play was among the first threat groups to use intermittent encryption, in which attackers encrypt only a part of the content in targeted files.
Using the technique, hackers encrypted only part of the data in the files, enabling them to encrypt the filers more quickly while still making the data unrecoverable.
At the time, the Symantec researchers said Play didn't seem to be running as a ransomware-as-a-service.
Researchers with Adlumin said in a report last month that has changed, with the ransomware offered to others as a service.
They also noted that small and midsize companies are being targeted by the Play operators and are particularly at risk.
According to the advisory from CISA and the other agencies, the Play group gains initial access into organizations' networks by abusing valid accounts and exploiting public-facing applications through known flaws in FortiOS and Microsoft Exchange, including ProxyNotShell - also tracked as CVE-2022-41040 - and CVE-2022-41082, a remote code execution bug.
Once in, the bad actors use tools like AdFind to run Active Directory queries and the Grixba info-stealer to grab data from the network and scan for antivirus software.
They also use GMER, IOBit, and PowerTool to disable such software and remote log files, and also have ued PowerShell scripts to target Microsoft Defender.
For lateral movement and file execution, the Play operators use Cobalt Strike, SystemBC, and PsExec.
Once on the network, the threat actors search for unsecured credentials and use the MimiKatz for credential dumping to get domain administrator access.
They also been known to use Windows Privilege Escalation Awesome Scripts to find other privilege execution paths.
They then distribute executables through Group Policy Objects.
The Play hackers demand payment in cryptocurrency, directing victims to wallet addresses, with threats of exposing the stolen data on their leak site if the ransom isn't paid.
The.play extension is added to encrypted files.
The Play operators rose to prominence via attacks in South America, including Brazil, and then expanded its reach.
Researchers with the cybersecurity also wrote about Play's possible link to other ransomware families, like Hive and Nokoyawa, including some shared tactics and tools.


This Cyber News was published on securityboulevard.com. Publication date: Tue, 19 Dec 2023 19:43:05 +0000


Cyber News related to Play Ransomware Has Hit 300 Entities Worldwide: FBI

The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
11 months ago Bleepingcomputer.com
FBI: ALPHV ransomware raked in $300 million from over 1,000 victims - The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation. In the joint advisory published today in collaboration ...
1 year ago Bleepingcomputer.com
How the FBI seized BlackCat ransomware's servers - An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operations websites and seized the associated URLs. Today, the US Department of Justice confirmed that they seized websites for the ALPHV ransomware ...
1 year ago Bleepingcomputer.com
Play Ransomware Has Hit 300 Entities Worldwide: FBI - The Play ransomware group, which was behind such high-profile attacks as those on the city of Oakland, California, and Dallas County, Texas, is behind at least 300 similar cyber-incidents since June 2022, according to government cybersecurity ...
1 year ago Securityboulevard.com
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
11 months ago Securityboulevard.com
FBI: Play ransomware breached 300 victims, including critical orgs - The Federal Bureau of Investigation says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities. The warning comes as a joint advisory issued in ...
1 year ago Bleepingcomputer.com
US Congress Report Calls for Privacy Reforms After FBI Surveillance 'Abuses' - The FBI and the Biden administration at large have lobbied Congress to reauthorize the 702 program as is, ignoring calls for reform that have grown louder since the beginning of the year, manifesting this month in the form of a comprehensive privacy ...
1 year ago Wired.com
FBI Alarmed as Ransomware Strikes 300 Victims, Critical Sectors Under Siege - There was an advisory published late on Monday about the Play ransomware gang that was put out by the Federal Bureau of Investigation together with the US Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre. The ...
1 year ago Cysecurity.news
FBI: Royal ransomware asked 350 victims to pay $275 million - The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022. In an update to the original advisory published in March with additional information ...
1 year ago Bleepingcomputer.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
1 year ago Heimdalsecurity.com
The Limitations of Google Play Integrity API - This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. Google provides app attestation ...
1 year ago Securityboulevard.com
Play Ransomware Infected Over 300 Organizations Worldwide - The Play ransomware group, also going by the name Playcrypt, has been affecting several kinds of North American, South American, and European enterprises as well as vital infrastructure since June 2022. The FBI learned of about 300 impacted companies ...
1 year ago Cybersecuritynews.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
11 months ago Feeds.fortinet.com
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
9 months ago Bleepingcomputer.com
CVE-2019-10923 - A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7, SIMATIC S7-400 CPU 414F-3 PN/DP V7, SIMATIC S7-400 CPU 416-3 PN/DP V7, SIMATIC S7-400 CPU 416F-3 PN/DP V7, Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet ...
1 year ago
CVE-2019-13940 - A vulnerability has been identified in SIMATIC ET 200pro IM154-8 PN/DP CPU (All versions < V3.X.17), SIMATIC ET 200pro IM154-8F PN/DP CPU (All versions < V3.X.17), SIMATIC ET 200pro IM154-8FX PN/DP CPU (All versions < V3.X.17), SIMATIC ET ...
1 year ago
CVE-2019-10936 - A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7, SIMATIC S7-400 CPU 414F-3 PN/DP V7, SIMATIC S7-400 CPU 416-3 PN/DP V7, SIMATIC S7-400 CPU 416F-3 PN/DP V7, Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet ...
1 year ago
CVE-2022-25622 - A vulnerability has been identified in SIMATIC CFU DIQ, SIMATIC CFU PA, SIMATIC ET 200pro IM154-8 PN/DP CPU, SIMATIC ET 200pro IM154-8F PN/DP CPU, SIMATIC ET 200pro IM154-8FX PN/DP CPU, SIMATIC ET 200S IM151-8 PN/DP CPU, SIMATIC ET 200S IM151-8F ...
1 year ago
CVE-2019-19300 - A vulnerability has been identified in Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions), KTK ATE530S (All versions), SIDOOR ATD430W (All versions), ...
1 year ago
CVE-2018-4843 - A vulnerability has been identified in SIMATIC S7-400 CPU 414-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 414F-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU 416-3 PN/DP V7 (All versions < V7.0.3), SIMATIC S7-400 CPU ...
1 year ago
Dozens of countries will pledge to stop paying ransomware gangs - An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. Addressing reporters on Monday, Anne Neuberger, ...
1 year ago Bleepingcomputer.com
The Week in Ransomware - This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. That does not mean there was nothing of interest released this week about ransomware. A report by CISA said that the ...
7 months ago Bleepingcomputer.com
BlackCat Ransomware Raises Ante After FBI Disruption - The U.S. Federal Bureau of Investigation disclosed today that it infiltrated the world's second most prolific ransomware gang, a Russia-based criminal group known as ALPHV and BlackCat. The FBI said it seized the gang's darknet website, and released ...
1 year ago Krebsonsecurity.com
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
11 months ago Unit42.paloaltonetworks.com
FBI disrupts Blackcat ransomware operation, creates decryption tool - The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. On December 7th, BleepingComputer first reported that the ALPHV, aka ...
1 year ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)