Play Ransomware: The Shadow Syndicate

Play is a highly capable ransomware group demonstrating advanced technical skills and operational sophistication.

    Overview:

    • Sophisticated Threat Actor: Play is a highly capable ransomware group demonstrating advanced technical skills and operational sophistication.
    • Diverse Targets: Their victims range from small and medium-sized businesses (SMBs) to large organizations, including government agencies and major corporations across multiple countries.
    • Multi-Stage Attacks: Their attacks involve multiple stages, from initial access (often exploiting vulnerabilities or using exposed RDP) to lateral movement within the network, data exfiltration, and finally, encryption and ransom demands.
    • Double Extortion: Play employs double extortion, threatening to release stolen data publicly if the ransom is not paid, maximizing their leverage.
    • .play File Extension: Encrypted files are typically marked with the “.play” extension.
    • Potential Links to Other Groups: Evidence suggests possible connections to other ransomware groups (Hive, Nokoyawa, Quantum), based on shared infrastructure and tactics, although definitive proof is lacking.
    • Global Reach: Victims are located across various countries, including the United States, the United Kingdom, Switzerland, and Argentina, highlighting their international operational capabilities.
    • Unclear Motivations: The precise motivations behind Play’s attacks remain unclear.
    • Significant Data Breaches: Their attacks have resulted in substantial data breaches, compromising sensitive information such as personal data, financial records, and intellectual property.

    Known Aliases:

    Play, Playcrypt

    Country of Origin:

    Not known.

    High-Profile/Notable Attacks/Victims:

    • Argentine Judiciary of Córdoba (2022): A major attack was carried out on the Argentine judiciary in Córdoba. This attack involved the typical “.play” file extension encryption and a ransom note.
    • Judiciary of Córdoba (Late 2022): A cyberattack targeted the city of Córdoba’s Judiciary systems, encrypting files with the “.play” extension and leaving a ransom note.
    • Dallas County: Play launched an attack on Dallas County, stealing records of over 200,000 individuals. Stolen data included SSNs, state identification numbers, taxpayer information, medical information, and health insurance details.
    • Swiss Government (May 2023): Play breached over 1.3 million confidential records from private government servers, with 65,000 directly related to the federal administration.
    • Arnold Clark: This large European car retailer was targeted, resulting in the theft of customer ID information, banking details, and vehicle registration records. The company engaged in negotiations with Play.
    • CH-Media (2023): An attack on the Neue Zürcher Zeitung newspaper led to the compromise of its service provider, CH-Media, resulting in the exposure of addresses of over 400,000 Swiss citizens living abroad.
    • Valais Community (2023): A community in Valais, Switzerland, was also victimized in March 2023.
    • Federal Administration of Switzerland (May/June 2023): A massive attack on an IT service provider of the Swiss Federal Administration resulted in the theft of confidential data, including financial and tax information, affecting various state-owned companies.
    • Rackspace (2023): The Play ransomware group was confirmed to be behind a cyberattack on Rackspace.

    Common Methods of Infiltration:

    The Play ransomware group uses a multi-pronged approach to infiltration:

    • Exploitation of known vulnerabilities: They actively exploit vulnerabilities in software like FortiOS and Microsoft Exchange.
    • Credential theft: They steal valid user credentials to gain initial access.
    • Remote access exploitation: They utilize exposed Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.
    • Malware/Ransomware Strains: The primary ransomware used is Play ransomware (also known as Playcrypt). They also deploy supporting malware, including SystemBC and a custom data-gathering tool, and use Grixba, an information stealer.

    MITRE ATT&CK Tactics and Techniques:

    The Play ransomware group utilizes a variety of MITRE ATT&CK tactics and techniques, including:

    • Initial Access:
      • T1078: Valid Accounts (abuse of compromised credentials)
      • T1190: Exploit Public-Facing Application (exploiting vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]))
      • T1133: External Remote Services (RDP and VPN)
    • Discovery:
      • T1016: System Network Configuration Discovery (using tools like AdFind and Grixba)
      • T1518.001: Software Discovery: Security Software Discovery (scanning for anti-virus software)
    • Defense Evasion:
      • T1562.001: Impair Defenses: Disable or Modify Tools (disabling anti-virus software using GMER, IOBit, and PowerTool)
      • T1070.001: Indicator Removal: Clear Windows Event Logs (removing log files)
    • Credential Access:
      • T1552: Unsecured Credentials (searching for unsecured credentials)
      • T1003: OS Credential Dumping (using Mimikatz)
    • Lateral Movement:
      • T1570: Lateral Tool Transfer (distributing executables via Group Policy Objects)
    • Command and Control:
      • T1484.001: Domain Policy Modification: Group Policy Modification (using Cobalt Strike and SystemBC)
    • Collection:
      • T1560.001: Archive Collected Data: Archive via Utility (using WinRAR)
    • Exfiltration:
      • T1048: Exfiltration Over Alternative Protocol (using WinSCP)
    • Impact:
      • T1486: Data Encrypted for Impact (using AES-RSA hybrid encryption)
      • T1657: Data Encrypted for Impact (double extortion model)
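The techniques above map to concrete Windows telemetry a defender can alert on: Security log clearing (T1070.001), Group Policy object changes used to push tooling (T1484.001), execution of the named tools, and a burst of “.play” file writes (T1486). The following Python is an added example, not code from the original post; it assumes a flattened one-dict-per-event schema, and the log lines at the bottom are constructed.

```python
"""Sample detections for the Play ransomware tradecraft listed above.
Added example, not from the original post; the flat event schema and the
SAMPLE log lines are constructed for illustration."""
from collections import Counter

# Tools named on the page, keyed to the technique their execution signals.
TOOL_TECHNIQUES = {
    "adfind.exe": "T1016 System Network Configuration Discovery",
    "mimikatz.exe": "T1003 OS Credential Dumping",
    "winscp.exe": "T1048 Exfiltration Over Alternative Protocol",
    "winrar.exe": "T1560.001 Archive via Utility",
}

def classify(event):
    """Return the ATT&CK technique a single event suggests, or None."""
    src, eid = event.get("source"), event.get("event_id")
    if src == "Security" and eid == 1102:            # audit log was cleared
        return "T1070.001 Clear Windows Event Logs"
    if src == "Security" and eid == 5136 and event.get("object_class") == "groupPolicyContainer":
        return "T1484.001 Group Policy Modification"   # directory object (GPO) modified
    if src == "Sysmon" and eid == 1:                  # process creation
        image = event.get("image", "").lower().rsplit("\\", 1)[-1]
        return TOOL_TECHNIQUES.get(image)
    return None

def play_extension_burst(events, threshold=20):
    """T1486: hosts writing many '.play' files (Sysmon EventID 11). A single
    such file is not conclusive, so a per-host threshold limits noise."""
    per_host = Counter(e["host"] for e in events
                       if e.get("source") == "Sysmon" and e.get("event_id") == 11
                       and e.get("target_file", "").lower().endswith(".play"))
    return {h: n for h, n in per_host.items() if n >= threshold}

def triage(events, threshold=20):
    """Combine per-event matches with the encryption-burst heuristic."""
    hits = [(e["host"], t) for e in events if (t := classify(e))]
    for host, n in play_extension_burst(events, threshold).items():
        hits.append((host, f"T1486 Data Encrypted for Impact ({n} .play files)"))
    return hits

SAMPLE = [  # constructed log lines
    {"host": "fs01", "source": "Sysmon", "event_id": 1, "image": r"C:\temp\AdFind.exe"},
    {"host": "dc01", "source": "Security", "event_id": 5136, "object_class": "groupPolicyContainer"},
    {"host": "fs01", "source": "Security", "event_id": 1102},
    {"host": "ws07", "source": "Sysmon", "event_id": 11, "target_file": r"C:\Users\a\notes.play"},
] + [{"host": "fs01", "source": "Sysmon", "event_id": 11, "target_file": rf"D:\share\doc{i}.play"} for i in range(25)]

if __name__ == "__main__":
    for host, technique in triage(SAMPLE):
        print(host, technique)
```

Running it flags fs01 for AdFind execution, log clearing and a 25-file “.play” burst, and dc01 for the GPO change, while the single “.play” file on ws07 stays below the threshold.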
