#StopRansomware: Play Ransomware | CISA

Play (also known as Playcrypt) is a ransomware group that has targeted organizations across the Americas and Europe since mid-2022, using exploited internet-facing services, valid credentials, and remote access tools to gain access, move laterally, exfiltrate data, and deploy ransomware. Their operations use tools such as Cobalt Strike and SystemBC for C2, Mimikatz for credential dumping, and intermittent AES‑RSA encryption that appends a .play extension to encrypted files. #Play #Playcrypt #SystemBC #CobaltStrike #Mimikatz

Key points

  • Play ransomware actors gained initial access via valid accounts, exploitation of FortiOS and Microsoft Exchange vulnerabilities, and abuse of external remote services like RDP and VPN.
  • Actors performed discovery with tools such as AdFind and Grixba to enumerate Active Directory and network configurations and to locate security software.
  • Defense-evasion techniques included disabling antivirus (GMER, IOBit, PowerTool), clearing Windows event logs, and using PowerShell to target Microsoft Defender.
  • Lateral movement and execution used Cobalt Strike and SystemBC for C2, PsExec for remote execution, distribution via Group Policy Objects, and credential harvesting with Mimikatz.
  • Data exfiltration involved splitting/compressing files with WinRAR and transferring them via WinSCP; encryption used an intermittent AES‑RSA hybrid (every other 0x100000 bytes) and added a .play extension.
  • Play employs a double‑extortion model, directing victims to contact an @gmx[.]de email and threatening publication on a Tor (.onion) leak site.
  • Recommended mitigations include multifactor authentication, timely patching (especially Exchange/FortiOS), network segmentation, EDR monitoring, and offline immutable backups.

MITRE Techniques

  • [T1078] Valid Accounts – Play obtained and abused existing account credentials to gain initial access (‘Play ransomware actors obtain and abuse existing account credentials to gain initial access.’).
  • [T1190] Exploit Public-Facing Application – Actors exploited FortiOS and Microsoft Exchange (ProxyNotShell) vulnerabilities to access networks (‘specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell (CVE-2022-41040 and CVE-2022-41082)) vulnerabilities’).
  • [T1133] External Remote Services – Actors used remote access services such as RDP and VPN for initial access (‘Play ransomware actors have used remote access services, such as RDP/VPN connection to gain initial access.’).
  • [T1016] System Network Configuration Discovery – Actors used tools like Grixba to enumerate network information and configurations (‘an information-stealer, to enumerate network information’).
  • [T1518.001] Software Discovery: Security Software Discovery – Play scanned for anti‑virus/security software (‘and scan for anti-virus software’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Actors used GMER, IOBit, and PowerTool to disable anti‑virus software (‘use tools like GMER, IOBit, and PowerTool to disable anti-virus software’).
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Actors removed log files to hide activity (‘and remove log files’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Actors used PowerShell scripts to target Microsoft Defender (‘cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender’).
  • [T1003] OS Credential Dumping – Actors used Mimikatz to dump credentials and gain domain admin access (‘use the Mimikatz credential dumper to gain domain administrator access’).
  • [T1059] Command and Scripting Interpreter (WinPEAS) – Actors used WinPEAS to search for privilege escalation paths (‘to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) to search for additional privilege escalation paths’).
  • [T1570] Lateral Tool Transfer – Actors distributed executables across the environment for lateral movement (‘Actors then distribute executables via Group Policy Objects’).
  • [T1484.001] Domain Policy Modification: Group Policy Modification – Actors used GPOs to deploy executables across domain systems (‘distribute executables via Group Policy Objects’).
  • [T1560.001] Archive Collected Data: Archive via Utility – Actors compressed exfiltrated data using WinRAR into .RAR archives (‘use tools like WinRAR to compress files into .RAR format for exfiltration’).
  • [T1048] Exfiltration Over Alternative Protocol – Actors transferred data using WinSCP to actor-controlled accounts (‘then use WinSCP to transfer data from a compromised network to actor-controlled accounts’).
  • [T1486] Data Encrypted for Impact – Actors encrypted files with an AES‑RSA hybrid using intermittent encryption and appended a .play extension (‘files are encrypted with AES-RSA hybrid encryption using intermittent encryption… A .play extension is added to file names’).
  • [T1657] Financial Theft (Double Extortion) – Actors used a double‑extortion model, exfiltrating data then demanding ransom and threatening leak publication (‘encrypting systems after exfiltrating data’ and threatening to publish exfiltrated data to their leak site on the Tor network).

Indicators of Compromise

  • [SHA256 hashes] Play-related binaries and tools – 453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb, 47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57, and 7 more hashes.
  • [CVE identifiers] Exploited vulnerabilities used for initial access – CVE-2018-13379 and CVE-2020-12812 (FortiOS); CVE-2022-41040 and CVE-2022-41082 (Microsoft Exchange ProxyNotShell).
  • [Email address/domain] Ransom contact point – actor contact addresses ending in @gmx[.]de.
  • [File names / extensions] Ransom note and encrypted file marker – ReadMe[.]txt ransom note and files appended with the .play extension.
  • [Protocols / destinations] Leak site and transfer methods – Tor (.onion) leak site for data publication and use of WinSCP for exfiltration.

Play actors gain access via compromised credentials, exploitation of internet-facing services (notably FortiOS and Microsoft Exchange ProxyNotShell CVEs), and by abusing remote-access services (RDP/VPN). After access, they enumerate AD and network configurations using AdFind, Grixba, and other scanners to locate security products and valuable targets.

For persistence and lateral movement, Play used Cobalt Strike and SystemBC for C2, PsExec and GPOs for remote execution and distribution, and Mimikatz and credential discovery to escalate privileges. They disabled or modified defensive tools (GMER, IOBit, PowerTool), cleared event logs, and used PowerShell scripts to target Microsoft Defender to evade detection.
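The evasion and lateral-movement behaviour in the paragraph above (cleared event logs, PowerShell used against Microsoft Defender, PsExec-style remote execution) maps onto a small set of Windows event log rules. The following is an added example written for this page, not code from CISA or from the advisory: events are modelled as dicts shaped like Windows event records, the event IDs are the standard Windows ones (assumed from Windows documentation; the page does not quote them), the PsExec mapping to T1569.002 is an assumed ATT&CK mapping not listed on the page, and every sample record is constructed.

```python
"""
Detection rules for the Play defense-evasion / lateral-movement sequence:
event log clearing, PowerShell tampering with Defender, PsExec service install.
Added example, not CISA's code. Event IDs are assumed from Windows
documentation; all sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                 # ATT&CK id; T1569.002 for PsExec is an assumed mapping
    match: Callable[[dict], bool]


def _contains_any(text: str, needles: tuple) -> bool:
    low = text.lower()
    return any(n in low for n in needles)


RULES = [
    Rule("Security audit log cleared", "T1070.001",
         lambda e: e["channel"] == "Security" and e["event_id"] == 1102),
    Rule("Event log cleared", "T1070.001",
         lambda e: e["channel"] == "System" and e["event_id"] == 104),
    Rule("Defender real-time protection disabled", "T1562.001",
         lambda e: e["channel"] == "Microsoft-Windows-Windows Defender/Operational"
         and e["event_id"] == 5001),
    Rule("PowerShell modifies Defender preferences", "T1059.001",
         lambda e: e["channel"] == "Microsoft-Windows-PowerShell/Operational"
         and e["event_id"] == 4104
         and _contains_any(e.get("script_block", ""), ("set-mppreference", "add-mppreference"))),
    Rule("PsExec service installed", "T1569.002",
         lambda e: e["channel"] == "System" and e["event_id"] == 7045
         and "psexesvc" in (e.get("service_name", "") + e.get("image_path", "")).lower()),
]


def detect(events: list) -> list:
    """One alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule.match(ev):
                alerts.append({"time": ev["time"], "host": ev["host"],
                               "rule": rule.name, "technique": rule.technique})
    return alerts


def hosts_with_chain(alerts: list, min_rules: int = 2) -> list:
    """Hosts where at least `min_rules` distinct rules fired. A single cleared
    log is often routine; log clearing plus Defender tampering plus a PsExec
    service on one host is the sequence the advisory describes."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, fired in by_host.items() if len(fired) >= min_rules)


# Constructed sample records: FS01 shows the chain, WS22 shows benign look-alikes.
SAMPLE_EVENTS = [
    {"time": "2023-11-02T01:14:05Z", "host": "FS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2023-11-02T01:15:31Z", "host": "FS01",
     "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2023-11-02T01:15:32Z", "host": "FS01",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001,
     "message": "Real-time protection is disabled."},
    {"time": "2023-11-02T01:20:09Z", "host": "FS01", "channel": "Security", "event_id": 1102,
     "subject_user": "CORP\\svc_backup"},
    {"time": "2023-11-02T09:02:44Z", "host": "WS22", "channel": "System", "event_id": 7045,
     "service_name": "VendorUpdateSvc", "image_path": r"C:\Program Files\Vendor\UpdateService.exe"},
    {"time": "2023-11-02T09:05:12Z", "host": "WS22",
     "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "script_block": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["time"]} {a["host"]:5} {a["technique"]:9} {a["rule"]}')
    print("hosts with a chain:", hosts_with_chain(found))
```

The per-rule alerts are deliberately noisy on their own (a legitimate administrator clears logs and installs services too); `hosts_with_chain` is where the advisory's sequence becomes actionable, and the PowerShell rule only works if Script Block Logging (event 4104) is enabled on the endpoints.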

For data theft and impact, Play compressed data into .RAR segments (WinRAR), exfiltrated via WinSCP to actor-controlled accounts, then encrypted files using an intermittent AES‑RSA hybrid (encrypting alternate 0x100000-byte blocks), appending .play to filenames and dropping a ReadMe[.]txt ransom note. Recommended technical controls include enforcing MFA, applying Exchange/FortiOS patches, enabling EDR/network monitoring, segmenting networks, and maintaining immutable offline backups.
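The impact indicators in the paragraph above and in the Indicators of Compromise list (the published SHA-256 hashes, the .play extension, the ReadMe.txt note with an @gmx.de contact, and encryption of every other 0x100000-byte block) can all be checked on a file share or recovered disk image. The script below is an added example for this page, not CISA's code: the two hashes are the ones quoted on the page, the entropy thresholds and the hypothetical directory layout, file names and note text it builds are constructed test data, and the contact address is a placeholder.

```python
"""
File-level triage for the Play impact indicators: hash match, .play extension,
ReadMe.txt with an @gmx.de contact, and intermittent-encryption entropy pattern.
Added example, not CISA's code. The sample tree is constructed test data.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# The two hashes quoted on this page; the advisory publishes more.
PLAY_SHA256 = {
    "453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb",
    "47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57",
}
BLOCK = 0x100000      # 1 MiB stride of the intermittent encryption
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext and random data sit near 8.0 (assumed threshold)
LOW_ENTROPY = 6.0     # untouched documents, code and logs sit well below this (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(b) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_intermittently_encrypted(path: Path) -> bool:
    """True when successive 1 MiB blocks alternate between ciphertext-like and
    plaintext-like entropy, which is what encrypting every other 0x100000-byte
    block leaves behind. A fully random file (compressed or wholly encrypted)
    does not match, which keeps archives and media files out of the results."""
    ent = []
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            ent.append(shannon_entropy(chunk))
    if len(ent) < 2:
        return False

    def alternates(start: int) -> bool:   # either parity may be the encrypted one
        return (all(e >= HIGH_ENTROPY for e in ent[start::2])
                and all(e <= LOW_ENTROPY for e in ent[1 - start::2]))
    return alternates(0) or alternates(1)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path) -> dict:
    """Walk `root` and collect Play indicators by category (paths as str)."""
    hits = {"hash_match": [], "play_extension": [], "intermittent_encryption": [], "ransom_note": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if sha256_of(path) in PLAY_SHA256:
            hits["hash_match"].append(str(path))
        if path.suffix.lower() == ".play":
            hits["play_extension"].append(str(path))
            if looks_intermittently_encrypted(path):
                hits["intermittent_encryption"].append(str(path))
        # The page writes the contact domain defanged as @gmx[.]de; match the live form.
        if path.name.lower() == "readme.txt" and "@gmx.de" in path.read_text(errors="replace").lower():
            hits["ransom_note"].append(str(path))
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed data: one file with every other 1 MiB block replaced by random
    bytes (standing in for ciphertext), one untouched file, one placeholder note."""
    root = base / "share"
    (root / "finance").mkdir(parents=True)
    plain = (b"quarterly report line\n" * (BLOCK // 22 + 1))[:BLOCK]
    (root / "finance" / "report.docx.play").write_bytes(
        os.urandom(BLOCK) + plain + os.urandom(BLOCK) + plain)
    (root / "finance" / "notes.txt").write_bytes(plain)
    (root / "finance" / "ReadMe.txt").write_text(   # constructed text, placeholder address
        "Your network has been encrypted. Contact placeholder-id@gmx.de.\n")
    return root


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it, return hits relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        hits = triage(root)
        return {k: sorted(Path(p).relative_to(root).as_posix() for p in v)
                for k, v in hits.items()}


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Hash matching only catches the exact binaries CISA published, so the extension, note and entropy checks are the ones that survive a rebuilt sample; the entropy pattern is the most robust of the three because it does not depend on the actor keeping the same file names, and it is also the one that needs tuning (the thresholds above are assumptions; compare against a sample of your own clean documents before relying on them).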

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a