Play ransomware, also referred to as PlayCrypt, is an advanced and still-evolving threat. Known for its global reach, the group runs a double-extortion model: it exfiltrates sensitive data first and then encrypts the victim's systems. Active since mid-2022, the group and its malware have shown increased sophistication and activity, most notably since this past June.
Description:
Play's operations have targeted a broad spectrum of organizations across North America (United States, Canada), South America (Brazil, Argentina), and Europe (Germany, Belgium, Switzerland, and others), with a significant focus on critical infrastructure sectors such as manufacturing, healthcare, and retail. The group uses double-extortion tactics: it encrypts organizational data and threatens to publish the stolen copy on its Tor-based leak site if the ransom is not paid.
The attackers typically gain initial access by abusing valid account credentials and by exploiting exposed Remote Desktop Protocol (RDP) services and known weaknesses in Fortinet SSL VPN appliances. Once inside, they use tools such as Grixba to map the network and enumerate installed antivirus software. More recently, the group has developed and deployed a Linux variant of the ransomware component that targets vulnerable VMware ESXi hosts. The variant went unreported for some time until Trend Micro documented it; encrypting ESXi datastores lets the group take down many virtual machines at once, which has rapidly expanded its victim base and extortion leverage.
The group behind Play routinely hunts for insecurely stored credentials on compromised networks and dumps additional ones with tools such as Mimikatz, so any credential present on a compromised host should be treated as exposed. Finally, they encrypt the victim's data and rely on double extortion to force a ransom payment. The ransom note left by Play is notably minimal: it contains only the word "PLAY" and an email address for contacting the attackers, and it is typically dropped at the root of the system drive (usually C:).
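The ransom note described above is a simple, content-based indicator that can be swept for across hosts. The following script is an added example for this advisory, not Play's code and not taken from any of the cited reports; the note file name and the sample directory tree it builds are constructed, and the scanner keys on the note body (the word "PLAY" followed by an email address and nothing else) rather than on a file name.

```python
"""Hunt for Play-style ransom notes: a tiny text file whose body is nothing but the
word "PLAY" and a contact e-mail address, dropped at the root of a volume.

Added example for this advisory; not Play's code and not from any cited report.
The note file name and the sample tree below are constructed."""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Body pattern described in the text: "PLAY", then an e-mail address, nothing else
# (whitespace and line breaks allowed). Case-insensitive so a lower-case note still hits.
NOTE_RE = re.compile(
    r"^\s*PLAY\s+([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*$",
    re.IGNORECASE,
)
MAX_NOTE_BYTES = 4096  # real notes are a few dozen bytes; anything large is not a note


def looks_like_play_note(text: str) -> Optional[str]:
    """Return the contact address if the text matches the note pattern, else None."""
    m = NOTE_RE.match(text)
    return m.group(1) if m else None


def hunt_ransom_notes(roots: Iterable[os.PathLike], max_depth: int = 0) -> List[Tuple[str, str]]:
    """Scan each root for note-like files and return (path, contact_email) pairs.

    max_depth=0 checks only the root directory itself (where the text says the note
    lands); raise it to look a few levels down, e.g. into user profile folders.
    """
    hits: List[Tuple[str, str]] = []
    for root in roots:
        root = Path(root)
        for dirpath, dirnames, filenames in os.walk(root):
            depth = len(Path(dirpath).relative_to(root).parts)
            if depth >= max_depth:
                dirnames[:] = []  # stop os.walk from descending further
            for name in filenames:
                path = Path(dirpath) / name
                try:
                    if path.stat().st_size > MAX_NOTE_BYTES:
                        continue
                    text = path.read_text(encoding="utf-8-sig", errors="replace")
                except OSError:
                    continue  # unreadable or vanished file; not fatal for a sweep
                email = looks_like_play_note(text)
                if email:
                    hits.append((str(path), email))
    return hits


def build_sample_and_hunt(max_depth: int = 0) -> List[Tuple[str, str]]:
    """Constructed sample tree: one note at the root, one benign text file, and a
    second note one level down. Returns paths relative to the sample root."""
    base = Path(tempfile.mkdtemp(prefix="play-hunt-"))
    (base / "ReadMe.txt").write_text("PLAY\nsomeone@example.com\n")           # constructed note
    (base / "notes.txt").write_text("Welcome to the file server.\n")         # benign file
    (base / "Users").mkdir()
    (base / "Users" / "ReadMe.txt").write_text("play\r\nother@example.com")  # constructed note
    hits = hunt_ransom_notes([base], max_depth=max_depth)
    return sorted((Path(p).relative_to(base).as_posix(), e) for p, e in hits)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or [os.path.abspath(os.sep)]  # default: this machine's root volume
    for path, email in hunt_ransom_notes(roots):
        print(f"possible Play ransom note: {path} (contact: {email})")
```

Run it with one or more volume roots as arguments (for example `C:\` and `D:\` on a Windows host); with no arguments it checks the root of the current volume. Matching on content rather than file name keeps the sweep useful if the operators rename the note, and the size cap keeps it from reading large files.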
Recommendations:
To reduce the risk of PlayCrypt and other ransomware attacks, the following measures are recommended:
- Keep ESXi environments and associated management software up to date to protect against known vulnerabilities.
- Back up data regularly and keep copies offline or otherwise isolated from the production network, so that systems can be restored without paying a ransom if an infection occurs.
- Install updates for operating systems, software and firmware as soon as they are released.
- Require phishing-resistant, non-SMS-based multi-factor authentication for as many services as possible.
- Limit user privileges and access to the minimum necessary for each role. This reduces the risk of ransomware spreading to other devices or systems through a compromised account.
- Enforce strong, unique passwords and never store credentials in plaintext on shared systems, so that a leaked or guessed password cannot be reused across services or harvested from a compromised host.
- Educate users to both recognize and report phishing attempts.
If compromise is detected, organizations should:
- Quarantine or take potentially affected hosts offline.
- Reimage compromised hosts rather than attempting to clean them in place.
- Reset or reissue credentials for every account that may have been exposed, including service and administrative accounts; because Play dumps credentials with Mimikatz, assume any credential that was present on a compromised host is known to the attacker.
- Collect and review artifacts such as running processes and services, unusual authentications, and recent network connections.
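As an added example (not from the original advisory or any cited report), the following Python script performs the "unusual authentications" review from the list above over a constructed, normalized event log. It flags a successful logon that follows a burst of failures from the same source, which is what brute-forcing a valid account looks like, and RDP logons from addresses outside an assumed trusted range. The one-line-per-event format, the trusted network and the sample lines are all assumptions; the event IDs (4624 success, 4625 failure) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
"""Review authentication events for the patterns the text associates with Play:
abuse of valid accounts over RDP, typically from an external address, and
brute-forcing that finally succeeds.

Added example for this advisory, not the group's code or any cited report's. The
log format below is a constructed, normalized one-line-per-event form, not a raw
Windows export; the event IDs are the real ones (4624 success, 4625 failure,
logon type 10 = RemoteInteractive/RDP)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+host=(?P<host>\S+)\s+"
    r"event=(?P<event>\d+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+logon_type=(?P<lt>\d+)$"
)

# Constructed sample log: five failures then a success over RDP from an internet
# address, one routine RDP logon from the corporate LAN, one network logon, and a
# malformed line to show the parser skips rather than crashes.
SAMPLE_LOG = """\
2024-07-12T02:10:00Z host=DC01 event=4625 user=administrator src=203.0.113.45 logon_type=10
2024-07-12T02:11:00Z host=DC01 event=4625 user=administrator src=203.0.113.45 logon_type=10
2024-07-12T02:12:00Z host=DC01 event=4625 user=administrator src=203.0.113.45 logon_type=10
2024-07-12T02:13:00Z host=DC01 event=4625 user=administrator src=203.0.113.45 logon_type=10
2024-07-12T02:14:00Z host=DC01 event=4625 user=administrator src=203.0.113.45 logon_type=10
2024-07-12T02:15:30Z host=DC01 event=4624 user=administrator src=203.0.113.45 logon_type=10
2024-07-12T09:00:00Z host=FS01 event=4624 user=jsmith src=10.1.2.3 logon_type=10
2024-07-12T09:05:00Z host=FS01 event=4624 user=svc_backup src=198.51.100.7 logon_type=3
2024-07-12T09:06:00Z host=FS01 this line is not in the expected format
""".splitlines()


def parse_line(line: str) -> Optional[Dict]:
    """Parse one normalized event line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["event"] = int(d["event"])
    d["lt"] = int(d["lt"])
    return d


def is_trusted(src: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    """True if src is an IP inside one of the trusted networks; hostnames count as untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def review_authentications(
    lines: Iterable[str],
    trusted_nets: Iterable[str] = ("10.0.0.0/8",),  # assumed: where admins normally RDP from
    fail_threshold: int = 5,
    window: timedelta = timedelta(minutes=10),
) -> List[Dict]:
    """Return findings for (a) a success preceded by >= fail_threshold failures from
    the same source inside `window`, and (b) RDP logons from outside trusted_nets."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures: Dict[str, List[datetime]] = defaultdict(list)  # src -> failure timestamps
    findings: List[Dict] = []
    for e in events:
        src = e["src"]
        if e["event"] == 4625:
            failures[src].append(e["ts"])
            continue
        if e["event"] != 4624:
            continue
        recent = [t for t in failures[src] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            findings.append({"kind": "brute_force_then_success", "user": e["user"], "src": src,
                             "host": e["host"], "ts": e["ts"].isoformat(),
                             "failures_in_window": len(recent)})
        if e["lt"] == 10 and not is_trusted(src, trusted):
            findings.append({"kind": "rdp_from_untrusted_source", "user": e["user"], "src": src,
                             "host": e["host"], "ts": e["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in review_authentications(SAMPLE_LOG):
        print(finding)
```

Feed it your own export normalized into the same fields (timestamp, host, event ID, account, source address, logon type) and set `trusted_nets` to the ranges your administrators actually connect from; both the threshold and the window are starting points to tune against your baseline, and any hit for an administrative or service account deserves a credential reset under the steps above.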
References:
- https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html
- https://malpedia.caad.fkie.fraunhofer.de/details/win.play
- https://www.virustotal.com/gui/collection/malpedia_win_play
- https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/
- https://bazaar.abuse.ch/browse/signature/PLAY/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a