“REPLAY: Analyzing Anti-Analysis Techniques in Play Ransomware”

Play ransomware, also known as PlayCrypt, emerged in June 2022 and targets healthcare and telecommunications across regions including Latin America, Europe, and North America. It gains access via compromised accounts or vulnerable remote services, relies on a broad set of post-exploitation tools, and uses anti-analysis techniques such as ROP, SEH, and string obfuscation to hinder reverse engineering and detection. #PlayRansomware #PlayCrypt #ROP #SEH #Mimikatz #BloodHound #PsExec #AdFind #NetskopeThreatLabs

Keypoints

  • Play ransomware first appeared in June 2022.
  • Targets healthcare and telecommunications sectors.
  • Gains access via compromised valid accounts or by exploiting vulnerabilities.
  • Uses tools such as Bloodhound, PsExec, Mimikatz, and AdFind.
  • Employs anti-analysis techniques to hinder reverse engineering and detection, including ROP, SEH abuse, string obfuscation, API hashing, and junk code insertion.
  • Netskope Threat Labs developed scripts to assist in analyzing the ransomware.
  • The evolving techniques aim to make attacks more destructive.

MITRE Techniques

  • [T1003] Credential Dumping – Uses tools like Mimikatz to extract credentials from memory.
  • [T1210] Exploitation of Remote Services – Exploits vulnerabilities in remote services to gain access.
  • [T1071] Command and Control – Uses various protocols for communication with compromised systems.
  • [T1027] Obfuscated Files or Information – Employs string obfuscation to hide malicious code.
  • [T1055] Process Injection – Injects malicious code into legitimate processes to evade detection.
  • [T1203] Defense Evasion – Uses anti-analysis techniques to evade detection by security tools.
  • [T1574] Hijack Execution Flow – Return-oriented programming (ROP) redirects execution flow. ‘Return-oriented programming (ROP) technique in its payload… redirects the execution flow.’
  • [T1574] Hijack Execution Flow – Structured Exception Handling (SEH) abuse to hijack execution flow. ‘abusing a Windows mechanism called Structured Exception Handling… inserting its own exception handler into the exception list and forcing a second exception.’
  • [T1027] Obfuscated Files or Information – API hashing to resolve Windows API functions at runtime. ‘The malware uses the well-known API Hashing technique to resolve the Windows API functions it uses at runtime. The algorithm used is xxHash32…’
  • [T1027] Obfuscated Files or Information – Junk code insertion to slow analysis. ‘junk/garbage code insertion…’
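The API-hashing bullet above names xxHash32 as the algorithm the sample uses to resolve imports at runtime. The usual analyst response is to precompute the hash of every candidate export name and map the constants found in the binary back to API names. The script below is an added example written for this summary, not one of the Netskope Threat Labs scripts or code from the Play sample; it assumes seed 0, ASCII export names without a terminating null, and case-sensitive hashing, none of which the post specifies. The candidate list and the "observed" constants are constructed for the demonstration.

```python
import struct

# xxHash32 constants from the public xxHash specification.
PRIME32_1, PRIME32_2, PRIME32_3 = 0x9E3779B1, 0x85EBCA77, 0xC2B2AE3D
PRIME32_4, PRIME32_5 = 0x27D4EB2F, 0x165667B1
MASK32 = 0xFFFFFFFF

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32

def _round(acc, lane):
    acc = (acc + lane * PRIME32_2) & MASK32
    return (_rotl32(acc, 13) * PRIME32_1) & MASK32

def xxhash32(data: bytes, seed: int = 0) -> int:
    """Reference xxHash32: 16-byte stripes, then 4-byte lanes, then single bytes, then avalanche."""
    n, i = len(data), 0
    if n >= 16:
        v1 = (seed + PRIME32_1 + PRIME32_2) & MASK32
        v2, v3, v4 = (seed + PRIME32_2) & MASK32, seed & MASK32, (seed - PRIME32_1) & MASK32
        while i + 16 <= n:
            l1, l2, l3, l4 = struct.unpack_from("<4I", data, i)
            v1, v2, v3, v4 = _round(v1, l1), _round(v2, l2), _round(v3, l3), _round(v4, l4)
            i += 16
        h = (_rotl32(v1, 1) + _rotl32(v2, 7) + _rotl32(v3, 12) + _rotl32(v4, 18)) & MASK32
    else:
        h = (seed + PRIME32_5) & MASK32
    h = (h + n) & MASK32
    while i + 4 <= n:
        h = (h + struct.unpack_from("<I", data, i)[0] * PRIME32_3) & MASK32
        h = (_rotl32(h, 17) * PRIME32_4) & MASK32
        i += 4
    while i < n:
        h = (h + data[i] * PRIME32_5) & MASK32
        h = (_rotl32(h, 11) * PRIME32_1) & MASK32
        i += 1
    h ^= h >> 15; h = (h * PRIME32_2) & MASK32
    h ^= h >> 13; h = (h * PRIME32_3) & MASK32
    return h ^ (h >> 16)

def build_hash_table(api_names, seed=0):
    """Precompute hash -> export name (assumption: ASCII, no null terminator, seed 0)."""
    return {xxhash32(name.encode("ascii"), seed): name for name in api_names}

def resolve_hashes(observed, table):
    """Map constants recovered from a sample to names; unknown values are labelled, not guessed."""
    return {h: table.get(h, f"<unresolved 0x{h:08X}>") for h in observed}

# Constructed candidate list; in practice feed every export of the DLLs the sample loads.
CANDIDATE_APIS = ["VirtualAlloc", "CreateFileW", "GetProcAddress", "LoadLibraryA", "CryptEncrypt"]
# Constructed "observed" constants: two real names hashed here plus one deliberately unknown value.
OBSERVED = [xxhash32(b"VirtualAlloc"), xxhash32(b"CryptEncrypt"), 0xDEADBEEF]
```

Unresolved constants are the interesting ones: they usually mean the sample uses a different seed, hashes wide or lower-cased names, or targets a DLL not yet in the candidate list.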

Indicators of Compromise

  • [URL] References – independent analysis of the sample: https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/; Netskope Threat Labs IOC repository: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Malware/Play%20Ransomware
  • [Signature] Detections – Win32.Ransomware.Playde; Gen.Malware.Detect.By.StHeur; Gen:Heur.Mint.Zard.55; Gen.Detect.By.NSCloudSandbox.tr

Read more: https://www.netskope.com/blog/replay-revisiting-play-ransomware-anti-analysis-techniques