Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Play ransomware variant. Show all posts
Ransomwares
Andariel Cyber Attacks FortiOS Play ransomware Play ransomware variant ProxyNotShell ransomware attacks Ransomwares

Play Ransomware Threat Intensifies with State-Sponsored Links and Advanced Tactics

 

Play ransomware continues to be a formidable cybersecurity threat, with over 300 successful attacks reported globally since its first detection in 2022. Named for the “.PLAY” extension it appends to encrypted files, this ransomware has been linked to Andariel, a North Korean state-sponsored hacking group operating under the Reconnaissance General Bureau. 

This connection highlights the increasing involvement of state-backed actors in sophisticated cybercrime campaigns targeting both public and private sector organizations worldwide. Recent analysis by AhnLab sheds light on how Play ransomware gains access to its victims’ networks. The attackers exploit vulnerabilities in widely used software systems or misuse valid user accounts. 

Known flaws in Microsoft Exchange Server’s ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) and Fortinet’s FortiOS (CVE-2020-12812 and CVE-2018-13379) have been frequently abused by these attackers. After infiltrating a network, they use port scanning techniques to gather information about active systems and services, collect Active Directory data, and identify paths for privilege escalation. These escalated privileges allow the attackers to obtain administrator-level access, steal credentials, and ultimately gain control over the domain environment. 

One of the key challenges in detecting Play ransomware lies in its ability to blend malicious activities with legitimate operations. The attackers often use tools like Process Hacker to disable security products. Many of these tools are not inherently malicious and are commonly used for legitimate purposes, making it difficult for security systems to distinguish between normal and nefarious activities. This ability to evade detection underscores the sophistication of Play ransomware and its operators. 

The impact of a Play ransomware attack goes beyond encryption. Like many modern ransomware variants, Play uses double-extortion tactics, exfiltrating sensitive data before locking systems. This exfiltrated data is then leveraged to pressure victims into paying ransoms by threatening to leak the information on dark web forums. The combination of system disruption and the risk of public data exposure makes Play ransomware particularly damaging to its targets. To mitigate the risks posed by Play ransomware, cybersecurity experts and the Federal Bureau of Investigation (FBI) recommend implementing proactive defenses. 

Organizations should ensure that software, operating systems, and firmware are regularly updated to address vulnerabilities. Phishing-resistant multi-factor authentication (MFA) is crucial to reduce the risk of unauthorized access, while employee training on recognizing phishing attempts remains essential. Additionally, network segmentation can limit the attackers’ ability to move laterally, reducing the overall impact of an attack. 

Play ransomware illustrates the evolving complexity of cyber threats, particularly those linked to state-sponsored groups. Its reliance on exploiting known vulnerabilities, combined with its use of legitimate tools, highlights the critical need for organizations to adopt comprehensive cybersecurity measures. By prioritizing vulnerability management, user education, and proactive defenses, organizations can better protect themselves against the ongoing threat posed by Play ransomware and similar cyber campaigns.
Read more »
targeting VMware ESXi systems
Cyber Security cybersecurity threat ESXi environments Linux Security New Linux ransomware Play ransomware variant ransomware attacks ransomware protection targeting VMware ESXi systems

New Linux Play Ransomware Variant Targets VMware ESXi Systems

 

Attacks with a new Play ransomware variant for Linux have been deployed against VMware ESXi systems, most of which have been aimed at the U.S. and at organizations in the manufacturing, professional services, and construction sectors, according to The Hacker News.

Such a novel Play ransomware version was hosted on an IP address that also contained the WinSCP, PsExec, WinRAR, and NetScan tools, as well as the Coroxy backdoor previously leveraged by the ransomware operation, indicating similar functionality, an analysis from Trend Micro revealed. However, additional examination of the payload showed its utilization of a registered domain generation algorithm to bypass detection, a tactic similarly used by the Prolific Puma threat operation. 

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals," said researchers. Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware. Specifically, it employs what's called a registered domain generation algorithm (RDGA)
Read more »
Subscribe to: Posts (Atom)