
Play Ransomware: A Rising Global Cybersecurity Threat

Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model — stealing sensitive data before encrypting files and appending the ".PLAY" extension to them.

Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide. 

Recent investigations have revealed possible connections between Play ransomware and the North Korean-linked Andariel group. Research by cybersecurity firm AhnLab suggests that Andariel utilizes malware like Sliver and DTrack for reconnaissance and data theft prior to deploying ransomware attacks. The group's history with advanced ransomware strains such as SHATTEREDGLASS and Maui highlights the increasing sophistication of Play ransomware operations.

Exploitation of Security Vulnerabilities

Play ransomware exploits vulnerabilities in widely used systems to gain unauthorized access. Notable targets include:
  • ProxyNotShell (CVE-2022-41040, CVE-2022-41082): Flaws in Microsoft Exchange Server exploited for initial network infiltration.
  • FortiOS Vulnerabilities (CVE-2020-12812, CVE-2018-13379): Security gaps in Fortinet products leveraged for unauthorized access.
By exploiting these vulnerabilities and using compromised credentials, attackers can bypass detection and establish control over targeted networks. 

Play Ransomware Attack Lifecycle

Play ransomware operators follow a structured, multi-phase attack methodology:
  • Reconnaissance: Tools like NetScan and AdFind are used to map networks and gather critical system information.
  • Privilege Escalation: Attackers employ scripts such as WinPEAS to exploit vulnerabilities and obtain administrative privileges.
  • Credential Theft: Tools like Mimikatz extract sensitive login information, enabling deeper network penetration.
  • Persistence and Lateral Movement: Remote access tools like AnyDesk and proxy utilities like Plink are used to maintain control and spread malware. Additional tools, such as Cobalt Strike and PsExec, facilitate lateral movement across networks.
  • Defense Evasion: Security programs are disabled using tools like Process Hacker to avoid detection.
  • Data Exfiltration: Files are compressed with WinRAR and transferred using WinSCP before encryption begins.
  • File Encryption and Ransom Demand: Files are encrypted and appended with the ".PLAY" extension. Victims receive a ransom note titled "ReadMe.txt", providing negotiation instructions and a Tor link for secure communication.
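Each phase of the lifecycle above leaves artifacts that a defender can look for in endpoint telemetry. The following Python script is an added example, not code from the original post: it parses constructed sample log lines in an assumed format (not any particular EDR's), maps process launches to the phases above using the tool names the post lists (the executable file names are assumptions), flags renames to the ".PLAY" extension and creation of a "ReadMe.txt" note, and scores each host by how many phases it shows, so that a single sighting of a dual-use tool such as AnyDesk or WinRAR is not alone treated as an incident.

```python
"""Triage of Play ransomware lifecycle indicators in endpoint logs.

Added example: the log format, host names and executable file names are
assumptions; the tool names, the ".PLAY" extension and the "ReadMe.txt"
ransom note come from the write-up.
"""
import re
from collections import defaultdict

# Lifecycle phase -> executable names (assumed) for the tools the write-up names.
PHASE_TOOLS = {
    "reconnaissance": {"netscan.exe", "adfind.exe"},
    "privilege_escalation": {"winpeas.exe", "winpeas.bat"},
    "credential_theft": {"mimikatz.exe"},
    "lateral_movement": {"anydesk.exe", "plink.exe", "psexec.exe", "psexec64.exe"},
    "defense_evasion": {"processhacker.exe"},
    "exfiltration": {"winrar.exe", "rar.exe", "winscp.exe"},
}

# Constructed log format (assumption):
#   <timestamp> host=<name> event=<process|file_rename|file_create> key="value" ...
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(KV_RE.findall(rec.pop("rest"))))
    return rec


def basename(path):
    """Last component of a Windows path, lower-cased for matching."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(rec):
    """Return the lifecycle phase a record evidences, or None."""
    if rec["event"] == "process":
        image = basename(rec.get("image", ""))
        for phase, tools in PHASE_TOOLS.items():
            if image in tools:
                return phase
    elif rec["event"] == "file_rename":
        # Encryption stage: files renamed with the ".PLAY" extension.
        if rec.get("target", "").lower().endswith(".play"):
            return "encryption"
    elif rec["event"] == "file_create":
        # Ransom note dropped alongside the encrypted files.
        if basename(rec.get("path", "")) == "readme.txt":
            return "ransom_note"
    return None


def triage(lines):
    """Aggregate phase evidence per host and assign a severity."""
    evidence = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pipeline
        phase = classify(rec)
        if phase:
            evidence[rec["host"]][phase] += 1

    report = {}
    for host, phases in evidence.items():
        if "encryption" in phases or "ransom_note" in phases:
            severity = "critical"  # encryption has started: isolate the host now
        elif len(phases) >= 2:
            severity = "high"      # several pre-encryption phases on one host
        else:
            severity = "low"       # one tool sighting may be legitimate admin use
        report[host] = {"severity": severity, "phases": dict(phases)}
    return report


# Constructed sample telemetry (not real data).
SAMPLE_LOGS = [
    r'2023-02-10T03:12:44Z host=fs01 event=process image="C:\Tools\AdFind.exe" user="svc_backup"',
    r'2023-02-10T03:15:02Z host=fs01 event=process image="C:\Users\Public\mimikatz.exe" user="svc_backup"',
    r'2023-02-10T03:40:19Z host=fs01 event=process image="C:\Windows\System32\cmd.exe" user="svc_backup"',
    r'2023-02-10T04:02:51Z host=ws17 event=process image="C:\Program Files\AnyDesk\AnyDesk.exe" user="jdoe"',
    r'2023-02-10T04:20:10Z host=ws17 event=process image="C:\Program Files\WinRAR\WinRAR.exe" user="jdoe"',
    r'2023-02-10T04:45:33Z host=dc01 event=process image="C:\Temp\netscan.exe" user="administrator"',
    r'2023-02-10T05:30:07Z host=fs01 event=file_rename source="D:\Finance\Q4.xlsx" target="D:\Finance\Q4.xlsx.PLAY"',
    r'2023-02-10T05:30:08Z host=fs01 event=file_create path="D:\Finance\ReadMe.txt"',
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {info['severity']} {info['phases']}")
```

Run as-is, the script reports fs01 as critical (reconnaissance, credential theft, a ".PLAY" rename and a ransom note), ws17 as high (remote-access tool plus archiver on one host) and dc01 as low (a single scanner sighting). Matching on executable names is deliberately simple; in production you would add hash and command-line matching, since renaming a binary defeats this check.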
Mitigation Strategies Against Play Ransomware

Organizations can reduce the risk of Play ransomware attacks by adopting proactive cybersecurity measures, including:
  • Patch Management: Regularly updating and patching known system vulnerabilities.
  • Advanced Security Protocols: Implementing robust endpoint detection and response (EDR) solutions.
  • Access Control: Strengthening authentication methods and restricting privileged access.
  • Employee Awareness: Conducting cybersecurity training to recognize phishing and social engineering attacks.
  • Data Backup: Maintaining secure, offline backups to enable data recovery without paying ransom demands.
Play ransomware exemplifies the growing complexity and impact of modern cyber threats. Its sophisticated attack methods, exploitation of known vulnerabilities, and suspected collaboration with nation-state actors make it a serious global concern. Proactive cybersecurity strategies and heightened vigilance are essential to protect organizations from this evolving threat.

Attack on Oakland City attributed to Play Ransomware

Oakland recently became the victim of a ransomware attack that disrupted the city's services and led the city to declare a state of emergency. Cyberattacks are a real-world problem with real-world consequences, and the recent attack on Oakland demonstrates this.

As cybersecurity analyst and security researcher Dominic Alvieri shared on Twitter, the attack appears to have been the work of the Play ransomware gang.

The Play Ransomware operation, also known as PlayCrypt, was launched in June 2022 and has been in operation for some time. The software not only adds the .play extension to the encrypted files but also leaves a note explaining how to contact the developers via email. 

As one of the most populous cities in the San Francisco Bay Area, Oakland has a population of over 440,000 people. It is located on the east side of the county. There is a great deal of economic and trade activity happening in this city, which is also the regional commercial center. 

The city’s authorities informed the public that it had been targeted by a ransomware attack on February 10, 2023. It impacted all network systems except 911 dispatch, fire and emergency services, and city financial systems. 

On February 14, 2023, the City of Oakland declared a local state of emergency to expedite restoring the impacted systems and bringing all its services back online as soon as possible. All business taxation obligations received a 45-day extension, since the city could not accept online payments. Parking citation services were also impacted, as calls and payments could not be taken.

By February 20, 2023, IT specialists helped restore access to public computers, scanning, printing, library services, and wireless internet connectivity throughout the city’s facilities. However, the city’s non-emergency phone services (OAK311) and business tax licenses remained unavailable, while the online permit center returned to partial service.

The latest update on the City of Oakland website came on February 28, 2023, two weeks after the ransomware attack. The service status remains mostly unchanged. 

Play Claims Responsibility for the Attack 

The Play ransomware gang has now claimed responsibility for the attack on Oakland, listing them as victims on its extortion site on March 1, 2023. This was first spotted by security researcher Dominic Alvieri. 

Threat actors claim to have stolen documents containing private, confidential data, financial and government papers, identity documents, passports, personal employee data, and even information allegedly proving human rights violations. 

These documents were allegedly stolen during hackers' intrusion into Oakland City networks. They are now used as leverage to get the city’s administration to meet their demands and pay the ransom. 

Play ransomware targets diverse sectors and regions, including economic, manufacturing, technological, real estate, transportation, education, healthcare, government, and many more.

There are different rates for ransom demands based on the importance and size of the victim organization. Some victims have recovered their data by paying millions or thousands of dollars depending on the extent of the loss. 

The threat actors gave Oakland 72 hours to respond to their extortion demand and have threatened to publish the above documents by the end of tomorrow. No status update on the City of Oakland's portal mentions data exfiltration, so based on the updates the city has published there, its authorities have not yet confirmed that data has been stolen.

Several organizations, including the Belgian city of Antwerp, H-Hotels, Rackspace, Arnold Clark, and A10 Networks, have been hit by this ransomware operation since its launch.

There have been reports that the Play ransomware gang is suspected of carrying out the attack on Oakland. The gang's extortion site listed Oakland as a victim on March 1, 2023. Dominic Alvieri, a security researcher at the University of Illinois, first became aware of the listing after another researcher raised it.

The threat actors have stolen sensitive personal information from businesses. The records include financial documents, government documents, identity documents, passports, personnel information, and material allegedly showing that individuals have committed human rights violations.

According to reports, some of these documents were stolen by cybercriminals during the intrusion into the City of Oakland's network. They are now being used as leverage to extort the city's administration into meeting the attackers' demands and paying the ransom.

Play ransomware is a capable piece of malware that targets victims across many sectors and regions, including manufacturing, transportation, education, healthcare, government, and more. The ransom demanded depends on the size and importance of the victim organization.

Victims have at times had to pay thousands or even millions of dollars to recover their lost data. The threat actors gave Oakland approximately 72 hours to comply with the extortion attempt, threatening to publish the documents described above the following day.

At the time of writing, the City of Oakland's portal makes no mention of data exfiltration, and no updates have been posted about it, so the city's authorities have not confirmed that information was stolen. Several other organizations have recently been victimized by this ransomware operation, including H-Hotels, Rackspace, Arnold Clark, and A10 Networks, as well as the city of Antwerp, Belgium.