Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa

Play is a new ransomware family that mirrors Hive and Nokoyawa, suggesting shared operators and attack infrastructure. It differentiates itself with AdFind-based Active Directory discovery and a blend of LOLBins, GPO-based deployment, and double-extortion techniques, with investigators noting ties to Hive/Nokoyawa and potential links to Quantum via overlapping beacons and infrastructure. Hashtags: #PlayRansomware #Nokoyawa #Hive #AdFind #CobaltStrike #Emotet #QuantumRansomware

Keypoints

  • Play ransomware closely mirrors Hive and Nokoyawa in flow and tooling, implying affiliation between the operators.
  • AdFind is used for Active Directory discovery, a behavior that helps distinguish Play from Hive.
  • Double-extortion is employed: data exfiltration occurs before encryption, often via WinRAR and WinSCP, with a PHP-based exfiltration receiver.
  • Initial access relies on valid accounts, exposed VPN/RDP access, and Fortinet FortiOS CVE exploitation (CVE-2018-13379 and CVE-2020-12812).
  • Delivery and persistence leverage GPOs, scheduled tasks, PsExec, and LOLBins (e.g., PowerShell); LSASS memory is dumped via Task Manager.
  • Play expands laterally with Cobalt Strike SMB beacons, SystemBC proxies over TOR, and Empire/Mimikatz-based workflows; credential dumping is prominent.

MITRE Techniques

  • [T1078] Valid Accounts – Initial access is commonly gained through valid accounts that were reused across platforms, previously exposed, or obtained illicitly. ‘Play’s ransomware actors commonly gain initial access through valid accounts that have been reused across multiple platforms, have previously been exposed, or were obtained through illegal means.’
  • [T1133] External Remote Services – Exposed VPN/RDP access is abused to establish a foothold. ‘Exposed RDP servers are also abused to establish a foothold.’
  • [T1190] Exploit Public-Facing Application – Fortinet FortiOS CVEs are exploited to gain entry. ‘CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal… CVE-2020-12812 is an improper-authentication vulnerability in SSL VPN in FortiOS…’
  • [T1053.005] Scheduled Task – Ransomware is deployed and run via scheduled tasks (and PsExec) across the AD environment. ‘The ransomware executable is dropped in the Domain Controller shared folders (NETLOGON or SYSVOL) and is run by a scheduled task/PsExec.’
  • [T1021.002] SMB/Windows Admin Shares – Cobalt Strike SMB beacon is used for lateral movement and file download/execution. ‘Cobalt Strike SMB beacon is used as a C&C beacon, a method of lateral movement, and a tool for downloading and executing files.’
  • [T1090] Proxy – SystemBC, a SOCKS5 proxy bot, is used as a backdoor that communicates over TOR. ‘SystemBC, a SOCKS5 proxy bot that acts as a backdoor with the ability to communicate over TOR.’
  • [T1018] Remote System Discovery – Discovery includes AD queries for remote systems using AdFind, Nltest, and Bloodhound, plus enumeration of hostnames, shares, and domains. ‘AD queries for remote systems have been performed by different tools, such as ADFind… Bloodhound.’
  • [T1003.001] Credential Dumping – Mimikatz is used to dump credentials, and Task Manager is used to dump the LSASS process from memory. ‘Mimikatz is used to dump credentials… Task Manager to dump the LSASS process from memory.’
  • [T1570] Lateral Movement – Lateral movement is facilitated by the Cobalt Strike SMB beacon, the SystemBC TOR-enabled backdoor, Empire post-exploitation, and Mimikatz-based credential dumping used to gain domain admin access.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration is performed via WinSCP and WinRAR before encryption; exfiltrated data is received by a PHP web page. ‘WinSCP… WinRAR to compress the files… a web page developed in PHP that is used to receive the exfiltrated files.’
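
The discovery, deployment and credential-dumping steps listed above leave process and file telemetry that a defender can alert on. The following Python is an added example, not code from Trend Micro's report or from the Play operators' tooling: it runs a few behavioural rules over constructed, Sysmon-like events. The event schema, the sample rows (including the renamed AdFind binary af.exe, the task name Update and the host names) and the rule set are assumptions made for this example; the AdFind, nltest and schtasks syntax used in the samples is the tools' documented syntax.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in a Sysmon-like shape (not from a real incident).
# ProcessCreate rows carry image/cmdline/parent; FileCreate rows carry image/target.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\af.exe",          # renamed AdFind (assumed)
     "cmdline": r'af.exe -f "(objectcategory=computer)" -csv name operatingSystem',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "DC01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Update /tr "\\DC01\NETLOGON\svc.exe" /sc once /st 03:00',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "FS02", "type": "ProcessCreate",
     "image": r"\\DC01\NETLOGON\svc.exe",                             # payload run from the DC share
     "cmdline": r"\\DC01\NETLOGON\svc.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},                  # Task Scheduler service host
    {"host": "FS02", "type": "ProcessCreate",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS01", "type": "FileCreate",
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Temp\lsass.DMP"},      # Task Manager memory dump
    {"host": "WS01", "type": "ProcessCreate",                       # benign control row
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# (rule name, event type it applies to, pattern matched against the event's subject text)
RULES = [
    # AdFind is frequently renamed, so key on its LDAP filter syntax as well as the file name.
    ("AdFind AD discovery", "ProcessCreate",
     re.compile(r"(?i)\badfind\.exe\b|objectcategory=|-sc\s+trustdmp")),
    ("Nltest domain discovery", "ProcessCreate",
     re.compile(r"(?i)\\nltest\.exe\b.*/(dclist|domain_trusts)")),
    # An executable launched from, or a task pointed at, a DC's NETLOGON/SYSVOL share.
    ("Executable staged on DC share", "ProcessCreate",
     re.compile(r'(?i)\\\\[^\\\s]+\\(netlogon|sysvol)\\[^\s"]+\.exe')),
    ("PsExec service execution", "ProcessCreate",
     re.compile(r"(?i)\\psexesvc\.exe\b")),
    ("LSASS memory dump written", "FileCreate",
     re.compile(r"(?i)\\lsass[^\\]*\.dmp$")),
]


def _subject(event: Dict[str, str]) -> str:
    """Text each rule inspects: the written file for FileCreate, image + command line otherwise."""
    if event["type"] == "FileCreate":
        return event.get("target", "")
    return f'{event.get("image", "")} {event.get("cmdline", "")}'


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply every rule to every event; return one alert per (event, rule) hit, in event order."""
    alerts: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        text = _subject(ev)
        for name, ev_type, pattern in RULES:
            if ev["type"] == ev_type and pattern.search(text):
                alerts.append({"rule": name, "host": ev["host"], "event": idx, "image": ev["image"]})
    return alerts


def hosts_with_chain(alerts: List[Dict[str, object]], minimum: int = 2) -> List[str]:
    """Hosts on which at least `minimum` distinct rules fired; these deserve triage first."""
    by_host: Dict[str, set] = {}
    for a in alerts:
        by_host.setdefault(str(a["host"]), set()).add(str(a["rule"]))
    return sorted(h for h, rules in by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a["rule"]}] host={a["host"]} event={a["event"]} image={a["image"]}')
    print("hosts with multiple techniques:", hosts_with_chain(found))
```

Single rule hits (an nltest query, one scheduled task) are common in legitimate administration; the value is in the correlation, which is why `hosts_with_chain` ranks hosts where discovery, deployment and credential access fire together.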

Indicators of Compromise

  • [Hash (SHA-256)] fc2b98c4f03a246f6564cc778c03f1f9057510efb578ed3e9d8e8b0e5516bd49 – Detection: Trojan.Win64.PRIVICMD.YXCHW; Description: PRIVICMD/NEKTO
  • [Hash (SHA-256)] c316627897a78558356662a6c64621ae25c3c3893f4b363a4b3f27086246038d – Detection: Backdoor.Win32.COBEACON.YXCH3; Description: Cobalt Strike
  • [Hash (SHA-256)] c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 – Detection: PUA.Win32.AdFind.A; Description: AdFind
  • [Hash (SHA-256)] e1c75f863749a522b244bfa09fb694b0cc2ae0048b4ab72cb74fcf73d971777b – Detection: Trojan.BAT.ADFIND.YECGUT; Description: AdFind Command Lines
  • [Hash (SHA-256)] 094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde – Detection: HackTool.Win32.ToolPow.SM; Description: PowerTool
  • [Hash (SHA-256)] e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 – Detection: PUA.Win32.GMER.YABBI; Description: GMER
  • [Hash (SHA-256)] d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f – Detection: PUA.Win32.ProcHack.C; Description: Process Hacker
  • [Hash (SHA-256)] c88b284bac8cd639861c6f364808fac2594f0069208e756d2f66f943a23e3022 – Detection: Backdoor.Win32.SYSTEMBC.YXCFLZ; Description: Coroxy/SystemBC
  • [Hash (SHA-256)] f18bc899bcacd28aaa016d220ea8df4db540795e588f8887fe8ee9b697ef819f – Detection: Ransom.Win32.PLAYCRYPT.YECGUT; Description: Play ransomware
  • [Hash (SHA-256)] e641b622b1f180fe189e3f39b3466b16ca5040b5a1869e5d30c92cca5727d3f0 – Detection: Ransom.Win32.PLAYDE.A; Description: Play ransomware
  • [Hash (SHA-256)] 608e2b023dc8f7e02ae2000fc7dbfc24e47807d1e4264cbd6bb5839c81f91934 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] e4f32fe39ce7f9f293ccbfde30adfdc36caf7cfb6ccc396870527f45534b840b – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] 8962de34e5d63228d5ab037c87262e5b13bb9c17e73e5db7d6be4212d66f1c22 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] 5573cbe13c0dbfd3d0e467b9907f3a89c1c133c774ada906ea256e228ae885d5 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] f6072ff57c1cfe74b88f521d70c524bcbbb60c561705e9febe033f51131be408 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] 7d14b98cdc1b898bd0d9be80398fc59ab560e8c44e0a9dedac8ad4ece3d450b0 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087 – Detection: Ransom.Win32.PLAYDE.YXCHJT; Description: Play ransomware
  • [Hash (SHA-256)] f5c2391dbd7ebb28d36d7089ef04f1bd9d366a31e3902abed1755708207498c0 – Detection: Ransom.Win32.PLAYDE.YACHWT; Description: Play ransomware
  • [URL] hxxp://84.32.190[.]37:80/ahgffxvbghgfv – Description: Cobalt Strike download
  • [URL] newspraize[.]com – Description: Cobalt Strike C&C
  • [URL] realmacnow[.]com – Description: Cobalt Strike C&C
  • [IP] 172.67.176[.]244 – Description: Cobalt Strike C&C
  • [IP] 104.21.43[.]80 – Description: Cobalt Strike C&C
  • [URL] 67.205.182[.]129/u2/upload[.]php – Description: Exfiltration C&C Server
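
The indicators above are defanged (hxxp, [.]) so they cannot be followed by accident; before they can be matched against logs they have to be refanged and normalised (scheme and default port stripped, case folded). The following Python is an added example, not part of the original report: it indexes the page's URL, domain, IP and SHA-256 indicators and scans constructed proxy, DNS and EDR log lines for them. The log line format and the sample lines are assumptions; the indicator values are exactly those listed above.

```python
import re
from typing import Dict, List, Set

# Indicators as listed in the report, still defanged.
PLAY_IOCS: Dict[str, List[str]] = {
    "urls": ["hxxp://84.32.190[.]37:80/ahgffxvbghgfv", "67.205.182[.]129/u2/upload[.]php"],
    "domains": ["newspraize[.]com", "realmacnow[.]com"],
    "ips": ["172.67.176[.]244", "104.21.43[.]80"],
    "sha256": [
        "f18bc899bcacd28aaa016d220ea8df4db540795e588f8887fe8ee9b697ef819f",  # Play ransomware
        "c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3",  # AdFind
        "c316627897a78558356662a6c64621ae25c3c3893f4b363a4b3f27086246038d",  # Cobalt Strike
        "c88b284bac8cd639861c6f364808fac2594f0069208e756d2f66f943a23e3022",  # SystemBC
    ],
}

# Constructed sample log lines (proxy, DNS and EDR), not from a real incident.
SAMPLE_LOG = r"""
2022-09-05T10:12:03Z proxy WS01 GET http://84.32.190.37/ahgffxvbghgfv 200
2022-09-05T10:12:09Z dns WS01 newspraize.com A 172.67.176.244
2022-09-05T10:20:41Z proxy WS01 CONNECT www.example.com:443 200
2022-09-06T02:41:17Z edr FS02 file=\\DC01\NETLOGON\svc.exe sha256=f18bc899bcacd28aaa016d220ea8df4db540795e588f8887fe8ee9b697ef819f
2022-09-06T02:55:02Z proxy FS02 POST http://67.205.182.129/u2/upload.php 200
""".strip()

URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"\b(?:(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b")


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [.] or (.) -> '.'; fold case."""
    s = indicator.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"(?i)^hxxp", "http", s)
    return s.lower()


def normalize_url(url: str) -> str:
    """Drop scheme and explicit port 80 so proxy logs and IOC lists compare equal."""
    s = re.sub(r"^https?://", "", url.lower())
    return re.sub(r":80(?=/|$)", "", s)


def build_index(iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    hosts: Set[str] = set()
    urls: Set[str] = set()
    for u in iocs["urls"]:
        n = normalize_url(refang(u))
        urls.add(n)
        hosts.add(n.split("/", 1)[0])      # a contact with the bare host is worth an alert too
    hosts.update(refang(d) for d in iocs["domains"])
    hosts.update(refang(i) for i in iocs["ips"])
    return {"hosts": hosts, "urls": urls, "sha256": {h.lower() for h in iocs["sha256"]}}


def scan(log_text: str, index: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator) for every indexed URL, host or hash seen."""
    hits: List[Dict[str, object]] = []
    for i, line in enumerate(log_text.splitlines()):
        low = line.lower()
        for url in URL_RE.findall(low):
            if normalize_url(url) in index["urls"]:
                hits.append({"line": i, "kind": "url", "value": url})
        for host in HOST_RE.findall(low):
            if host in index["hosts"]:
                hits.append({"line": i, "kind": "host", "value": host})
        for digest in SHA256_RE.findall(low):
            if digest in index["sha256"]:
                hits.append({"line": i, "kind": "sha256", "value": digest})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_index(PLAY_IOCS)):
        print(f'line {hit["line"]}: {hit["kind"]} {hit["value"]}')
```

The two Cobalt Strike IPs listed above sit in Cloudflare ranges, so a host-level hit on them is weaker evidence than a hit on the full URL path or on a file hash; treat the `kind` field as a confidence hint when triaging.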

Read more: https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html