The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Australian Cyber Security Centre (ACSC) released an updated advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) related to the Play ransomware group, active since 2022 and responsible for widespread attacks. The advisory includes new behaviors such as the use of custom tools like Grixba and AlphaVSS, double extortion strategies, and overlaps with other ransomware groups, supported by a detailed attack graph to aid defenders. #PlayRansomware #Grixba #AlphaVSS #CobaltStrike
Keypoints
- The Play ransomware group, active since June 2022, targets diverse entities across multiple continents and employs a closed affiliate model emphasizing secrecy.
- Recent updates to Play’s TTPs include exploitation of ProxyNotShell, OWASSRF vulnerabilities, and use of custom tools like Grixba (information stealer) and AlphaVSS (VSS utility).
- Play uses a double extortion tactic with data exfiltration preceding file encryption and threatens victims via email and sometimes phone calls to enforce ransom compliance.
- The group shares technical infrastructure with Quantum ransomware and exhibits overlaps with Hive and Nokoyawa ransomware, including the use of Cobalt Strike beacons with a known watermark ID.
- A detailed attack graph published by AttackIQ simulates Play ransomware behaviors across stages including execution, discovery, credential access, privilege escalation, defense evasion, exfiltration, and impact.
- Key MITRE ATT&CK techniques such as Scheduled Task abuse, LSASS memory dumping, and disabling Microsoft Defender are highlighted, with detection and mitigation guidance provided.
- Organizations are advised to prioritize defense strategies around scheduled task detection and file encryption prevention to mitigate Play ransomware risks effectively.
MITRE Techniques
- [T1105] Ingress Tool Transfer — Used to download and save malicious tools like Grixba, NetScan, Mimikatz, WinPEAS, Cobalt Strike, SystemBC, Play ransomware, and AlphaVSS to test endpoint defenses. (“downloads to memory and saves to disk”)
- [T1497] Virtualization/Sandbox Evasion — Executes IsDebuggerPresent Windows API to detect debugger presence and evade analysis. (“execute the IsDebuggerPresent Windows API”)
- [T1012] Query Registry — Queries MachineGUID and current user Windows properties from registry keys for system identification. (“queries MachineGUID and Windows properties keys”)
- [T1033] System Owner/User Discovery — Retrieves username of the current thread via GetUserNameA API. (“executes GetUserNameA Windows API call”)
- [T1057] Process Discovery — Lists running processes using Windows Management Instrumentation commands. (“executes Process WMI command”)
- [T1007] System Service Discovery — Gathers information about configured services using Windows API such as EnumServiceStatus and QueryServiceStatusEx. (“executes EnumServiceStatus, QueryServiceStatusEx APIs”)
- [T1018] Remote System Discovery — Uses nltest and AdFind utilities to enumerate domain controllers, trusted domains, and Active Directory details. (“executes nltest and AdFind commands”)
- [T1482] Domain Trust Discovery — Calls nltest with /trusteddomains to list Active Directory trusted domains. (“calls nltest with /trusteddomains”)
- [T1003] OS Credential Dumping — Employs obfuscated Mimikatz to dump credentials and hashes; dumps LSASS memory to a minidump file for further extraction. (“uses obfuscated Mimikatz and dumps LSASS process”)
- [T1053.005] Scheduled Task/Job: Scheduled Task — Creates scheduled tasks via schtasks utility to execute ransomware payloads. (“creation of scheduled task using schtasks”)
- [T1021.001] Remote Services: Remote Desktop Protocol — Attempts lateral movement through RDP connections. (“remotely connects via RDP”)
- [T1562.001] Impair Defenses: Disable or Modify Tools — Uses PowerShell’s Set-MpPreference to disable Microsoft Defender monitoring features. (“modifies DisableRealtimeMonitoring and DisableBehaviorMonitoring”)
- [T1070.001] Indicator Removal: Clear Windows Event Logs — Clears event logs via wevtutil to hinder forensic analysis. (“executes wevtutil to delete logs”)
- [T1048.002] Exfiltration Over Asymmetric Encrypted Non-C2 Protocol — Exfiltrates data over Secure File Transfer Protocol (SFTP). (“exfiltrates collected information over SFTP”)
- [T1083] File and Directory Discovery — Enumerates the file system using FindFirstFileW and FindNextFileW Windows API calls before encryption. (“executes FindFirstFileW and FindNextFileW to enumerate files”)
- [T1486] Data Encrypted for Impact — Encrypts targeted files in place using AES and RSA encryption algorithms. (“encrypting files using AES and RSA”)
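Several of the command-line behaviors listed above (schtasks task creation, Set-MpPreference disabling Defender monitoring, wevtutil log clearing, nltest and AdFind enumeration) are visible in process-creation telemetry. The following detection sketch is an added example, not code from AttackIQ or the advisory; it runs simple rules over constructed records in an assumed "timestamp|host|user|command_line" format, and the nltest pattern also accepts the real /trusted_domains and /domain_trusts spellings alongside the page's /trusteddomains.

```python
import re

# Detection rules keyed to the Play ransomware TTPs summarised above.
# Each pattern is matched, case-insensitively, against a process command line.
RULES = [
    ("T1053.005 scheduled task created via schtasks",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("T1562.001 Defender monitoring disabled via Set-MpPreference",
     re.compile(r"Set-MpPreference\b.*-Disable(Realtime|Behavior)Monitoring\s+\$?true", re.I)),
    ("T1070.001 Windows event log cleared via wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1482 domain trust enumeration via nltest",
     re.compile(r"\bnltest(\.exe)?\b.*/(trusted_?domains|domain_trusts)\b", re.I)),
    ("T1018 Active Directory enumeration via AdFind",
     re.compile(r"\badfind(\.exe)?\b", re.I)),
]

def parse_line(line):
    """Split an assumed 'timestamp|host|user|command_line' record."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None  # malformed record: skip rather than crash the pass
    ts, host, user, cmd = parts
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def detect(lines):
    """Return (timestamp, host, user, rule_name) for every rule hit, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                hits.append((rec["ts"], rec["host"], rec["user"], name))
    return hits

# Constructed sample records (not real telemetry); the last three lines
# exercise the negative cases (query-only schtasks, Get-MpPreference, bad record).
SAMPLE_LOG = [
    "2025-06-12T01:02:03Z|WS01|CORP\\jdoe|schtasks /create /tn Updater /tr C:\\ProgramData\\x.exe /sc onstart",
    "2025-06-12T01:02:10Z|WS01|CORP\\jdoe|powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-06-12T01:03:00Z|DC01|CORP\\svc_backup|nltest /domain_trusts",
    "2025-06-12T01:04:00Z|WS01|CORP\\jdoe|wevtutil cl Security",
    "2025-06-12T01:05:00Z|WS02|CORP\\asmith|schtasks /query /tn Updater",
    "2025-06-12T01:06:00Z|WS02|CORP\\asmith|powershell.exe Get-MpPreference",
    "garbage line without delimiters",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(*hit, sep="  ")
```

A schtasks creation followed within minutes by Defender being disabled and a log clear on the same host, as in the sample, is the sequence worth correlating rather than alerting on any single rule.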
Indicators of Compromise
- [Email Addresses] Play ransomware victim contact methods — unique @gmx.de and @web.de addresses used for ransom negotiations.
- [File Hashes] Known malicious payloads including Grixba stealer samples, NetScan, Mimikatz, WinPEAS, Cobalt Strike, SystemBC backdoor, Play ransomware binaries, and AlphaVSS tool — multiple hashes reported.
- [Commands/Tools] Use of schtasks for scheduled tasks, nltest and AdFind for Active Directory enumeration, and PowerShell commands to disable Microsoft Defender and clear event logs.
Read more: https://www.attackiq.com/2025/06/12/updated-response-to-cisa-advisory-aa23-352a/