There was an advisory published late on Monday about the Play ransomware gang that was put out by the Federal Bureau of Investigation (FBI) together with the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre.
The Play gang is thought to have debuted last year and has launched multiple attacks on targets since then.
It was first spotted being deployed against South American government agencies around the middle of last year but pivoted months later to target entities in the US and Europe.
The FBI and other cyber security agencies are warning about the rise of the Play ransomware double-extortion group which has now attacked hundreds of organizations.
Since June 2022, Play ransomware - also known as Playcrypt - has hit a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe, the cyber security advisory said.
Unlike typical ransomware operations, the Play ransomware affiliates use email communication for negotiations, rather than providing Tor negotiations page links in ransom notes left on compromised systems.
However, the gang still employs strategies commonly associated with ransomware, such as stealing sensitive documents from compromised systems to pressure victims into paying ransom demands under the threat of leaking the stolen data online.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued a joint advisory to disseminate IOCs and TTPs discovered as recently as October 2023 by the Play ransomware group.
According to the joint advisory, these organizations are urged to cover their vulnerabilities that have been previously exploited to diminish the likelihood of falling victim to Play ransomware attacks. A special focus should be placed on the implementation of multifactor authentication for webmail, VPN, and accounts accessing critical systems, and the advisory also discusses the importance of updating and patching regular software, along with routine vulnerability assessments, as recommended.
It is recommended that organizations follow security best practices to ensure that their endpoints are secure. A few of the steps include keeping all software and hardware up-to-date and making sure that all urgent security patches are applied as soon as possible, as these patches usually address known and abused security vulnerabilities. Companies should also be encouraged to implement multi-factor authentication (MFA) wherever possible to keep their passwords strong and fresh.
An example of a high-profile victim of a ransomware attack would be the City of Oakland in California, Arnold Clark, Rackspace cloud computing company, and the Belgian city of Antwerp in Belgium. A custom VSS Copying Tool is also used by the Play Gang to evict files from shadow volume copies, even when other applications are currently using them.
The joint advisory issued by CISA and other agencies indicates that the Playgroup is gaining access to the networks of organizations through the abuse of legitimate accounts and the exploitation of public-facing applications through known security flaws in FortiOS [CVE-2018-13379 and CVE-2020-12812] and Microsoft Exchange, including ProxyNotShell, a remote code execution (RCE) vulnerability, as well as CVE-2022-41040, which is also tracked as CVE-2022-40802.
In their report, the authors noted that many ransomware actors were observed to use services and resources that could be accessed externally, such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), to gain access.
In addition to using tools like AdFind to run AD queries and Grixba to steal information from the network, the bad actors also use tools like the Grixba infostealer to scan for antivirus software and grab data from the network once they have accessed the computer.
Also, they have used PowerShell scripts to target Microsoft Defender, and they have used GMER, IOBit, and PowerTool to disable these software and remote log files.
In most cases, ransomware actors obtain their access via external-facing services such as Virtual Private Networks (VPNs) and Remote Desktop Protocols (RDPs).
The actors in play ransomware use tools such as AdFind, an information-stealing tool, to enumerate network information and scan for anti-virus software, and Grixba, an information stealer, to enumerate network information and scan for anti-virus software, to execute active directory queries. As well as removing log files and disabling antivirus software, actors use tools such as GMER, IOBit, and PowerTool.