The Play ransomware group, which was behind such high-profile attacks as those on the city of Oakland, California, and Dallas County, Texas, is behind at least 300 similar cyber-incidents since June 2022, according to government cybersecurity agencies in the United States and Australia.
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI, joined by the Australian Signals Directorate's Australian Cyber Security Centre, issued an advisory this week warning organizations about the prolific threat group, which has targeted critical infrastructure entities in North America, South America, and Europe.
The double-extortion group, also known as PlayCrypt and BalloonFly, was first seen in Australia in April, with the most recent incident arising in November.
The agencies said they wanted to alert organizations to the group's tactics and techniques and to recommend mitigations against the threat.
In a report earlier this year, Symantec's Threat Hunter Team wrote that Play was among the first threat groups to use intermittent encryption, in which attackers encrypt only part of the content of targeted files.
Encrypting only part of the data in each file lets the attackers finish faster while still leaving the data unrecoverable.
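Intermittent encryption matters to defenders because a whole-file entropy check, a common heuristic for spotting ransomware output, can be fooled when most of each file is still plaintext. The following added example (not code from the article, Symantec, or the advisory) shows why, by measuring Shannon entropy per 4 KiB window rather than over the whole file. The chunk size and thresholds are assumptions, and the sample file is a constructed fixture in which some windows are replaced with random bytes to mimic the observable effect of partial encryption.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096    # analysis window in bytes; an assumption, not from the advisory
HIGH_ENTROPY = 7.5   # bits per byte; encrypted or random data sits close to 8.0
LOW_ENTROPY = 5.0    # ordinary text and office documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Compare the whole-file entropy with the per-window picture.

    A fully encrypted file has only high-entropy windows; an intermittently
    encrypted file mixes near-random windows with plaintext-like ones, which
    a whole-file average can hide.
    """
    whole = shannon_entropy(data)
    chunks = chunk_entropies(data, chunk_size)
    high = sum(1 for e in chunks if e >= HIGH_ENTROPY)
    low = sum(1 for e in chunks if e <= LOW_ENTROPY)
    if not chunks:
        verdict = "empty"
    elif high == len(chunks):
        verdict = "fully-encrypted"
    elif high:
        verdict = "partially-encrypted"
    else:
        verdict = "plaintext"
    return {"whole_file_entropy": round(whole, 2), "chunks": len(chunks),
            "high_entropy_chunks": high, "low_entropy_chunks": low, "verdict": verdict}


def build_sample(total_chunks: int = 16, encrypt_every: int = 4, seed: int = 7) -> bytes:
    """Constructed fixture: a text-like document in which every Nth window is
    replaced by deterministic random bytes (encrypt_every=0 replaces none,
    encrypt_every=1 replaces all). This only imitates the effect of partial
    encryption on entropy; it performs no encryption."""
    rng = random.Random(seed)
    text = b"quarterly report: revenue, expenses, headcount, notes. "
    plain_chunk = (text * (CHUNK_SIZE // len(text) + 1))[:CHUNK_SIZE]
    out = bytearray()
    for i in range(total_chunks):
        if encrypt_every and i % encrypt_every == 0:
            out += bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
        else:
            out += plain_chunk
    return bytes(out)


if __name__ == "__main__":
    for label, every in (("plain", 0), ("intermittent", 4), ("full", 1)):
        print(label, classify(build_sample(encrypt_every=every)))
```

On the intermittent fixture the whole-file entropy stays below the high-entropy threshold even though a quarter of the windows are indistinguishable from random data, so a detector that only looks at the whole file reports nothing; the per-window count is what exposes it. Window size is a trade-off: windows much larger than the attacker's encrypted segments dilute the signal, and very small windows raise the noise floor on compressed or already-encrypted legitimate files.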
At the time, the Symantec researchers said Play didn't seem to be running as a ransomware-as-a-service.
Researchers with Adlumin said in a report last month that this has changed, with the ransomware now offered to others as a service.
They also noted that small and midsize companies are being targeted by the Play operators and are particularly at risk.
According to the advisory from CISA and the other agencies, the Play group gains initial access into organizations' networks by abusing valid accounts and exploiting public-facing applications through known flaws in FortiOS and Microsoft Exchange, including ProxyNotShell - also tracked as CVE-2022-41040 - and CVE-2022-41082, a remote code execution bug.
Once in, the bad actors use tools like AdFind to run Active Directory queries and the Grixba info-stealer to grab data from the network and scan for antivirus software.
They also use GMER, IOBit, and PowerTool to disable such software and remove log files, and have used PowerShell scripts to target Microsoft Defender.
For lateral movement and file execution, the Play operators use Cobalt Strike, SystemBC, and PsExec.
Once on the network, the threat actors search for unsecured credentials and use Mimikatz for credential dumping to gain domain administrator access.
They have also been known to use Windows Privilege Escalation Awesome Scripts to find other privilege escalation paths.
They then distribute executables through Group Policy Objects.
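The tooling chain above (AdFind for AD discovery, GMER/IOBit/PowerTool and PowerShell against Defender, PsExec for lateral movement, Mimikatz for credential dumping, WinPEAS for escalation paths, and GPO-based distribution) maps onto signals that endpoint and domain-controller telemetry already produce. The added example below (not code from the article or the advisory) runs a small set of triage rules over constructed process-creation, service-install and directory-change event lines in a simple key=value format; the log format, hostnames and paths are assumptions, while Event ID 7045 (service installed) and 5136 (directory service object modified) are standard Windows event IDs.

```python
import re

# One constructed event per line: ISO timestamp, then key=value fields
# (values with spaces are double-quoted). Hosts, users and paths are made up.
SAMPLE_LOG = r"""
2023-12-19T09:58:02Z host=FS01 event=ProcessCreate user=CORP\jdoe image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c dir"
2023-12-19T10:00:01Z host=FS01 event=ProcessCreate user=CORP\jdoe image=C:\temp\AdFind.exe cmd="AdFind.exe -f objectcategory=computer"
2023-12-19T10:02:17Z host=FS01 event=ProcessCreate user=CORP\jdoe image=C:\temp\PowerTool64.exe cmd="PowerTool64.exe"
2023-12-19T10:03:40Z host=FS01 event=ProcessCreate user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring 1"
2023-12-19T10:05:00Z host=DC01 event=ServiceInstall event_id=7045 service=PSEXESVC image=C:\Windows\PSEXESVC.exe
2023-12-19T10:06:12Z host=DC01 event=ProcessCreate user=CORP\svc_backup image=C:\temp\mimikatz.exe cmd="mimikatz.exe"
2023-12-19T10:07:30Z host=DC01 event=ProcessCreate user=CORP\svc_backup image=C:\temp\winPEASx64.exe cmd="winPEASx64.exe"
2023-12-19T10:09:00Z host=DC01 event=DirectoryServiceChange event_id=5136 object_class=groupPolicyContainer attribute=gPCFileSysPath
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split a line into {'ts': ..., key: value, ...}; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Tool names as reported in the advisory. Attackers routinely rename binaries,
# so a name match is a triage hint to pivot on, not proof by itself.
TOOL_RULES = {
    "adfind":    ("AdFind Active Directory query tool", "Discovery"),
    "grixba":    ("Grixba info-stealer", "Discovery"),
    "gmer":      ("GMER used to disable security software", "Defense Evasion"),
    "iobit":     ("IOBit tool used to disable security software", "Defense Evasion"),
    "powertool": ("PowerTool used to disable security software", "Defense Evasion"),
    "psexec":    ("PsExec remote execution", "Lateral Movement"),
    "mimikatz":  ("Mimikatz credential dumping", "Credential Access"),
    "winpeas":   ("WinPEAS privilege-escalation enumeration", "Privilege Escalation"),
}

# Behavioural rules that do not depend on the tool's file name.
EVENT_RULES = [
    ("PowerShell changing Microsoft Defender preferences", "Defense Evasion",
     lambda r: "powershell" in basename(r.get("image", ""))
     and "set-mppreference" in r.get("cmd", "").lower()),
    ("PSEXESVC service installed (Event 7045)", "Lateral Movement",
     lambda r: r.get("event_id") == "7045" and r.get("service", "").upper() == "PSEXESVC"),
    ("Group Policy object modified (Event 5136)", "Execution",
     lambda r: r.get("event_id") == "5136" and r.get("object_class") == "groupPolicyContainer"),
]


def match_tools(rec: dict):
    name = basename(rec.get("image", ""))
    cmd = rec.get("cmd", "").lower()
    for key, (desc, tactic) in TOOL_RULES.items():
        if key in name or key in cmd:
            yield desc, tactic


def detect(log_text: str) -> list:
    """Return one finding per matched rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        findings = list(match_tools(rec))
        findings += [(d, t) for d, t, pred in EVENT_RULES if pred(rec)]
        for desc, tactic in findings:
            hits.append({"ts": rec["ts"], "host": rec.get("host", "?"),
                         "rule": desc, "tactic": tactic})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]:5} [{hit["tactic"]}] {hit["rule"]}')
```

Every sample line except the benign `cmd.exe /c dir` produces a finding, and the findings read as the advisory's sequence: discovery, defense evasion, lateral movement, credential access, escalation, then a GPO change. The PsExec service install is caught by the event rule, not the name rule, which is the point of keeping behavioural rules alongside name matches: a renamed binary still has to register `PSEXESVC` and still has to modify a `groupPolicyContainer` object to push executables through Group Policy.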
The Play hackers demand payment in cryptocurrency, directing victims to wallet addresses, with threats of exposing the stolen data on their leak site if the ransom isn't paid.
The .play extension is added to encrypted files.
The Play operators rose to prominence via attacks in South America, including Brazil, and then expanded their reach.
Researchers with the cybersecurity firm also wrote about Play's possible links to other ransomware families, such as Hive and Nokoyawa, including some shared tactics and tools.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 19 Dec 2023 19:43:05 +0000