In July 2022, our researchers looked into ransomware cases in Latin America that targeted government entities and were initially attributed to a newcomer called Play ransomware, which derives its name based on its behavior: it adds the extension “.play” after encrypting files. Similarly, its ransom note contains the single word “PLAY”, along with the ransomware group’s email address. In June 2022, victims of Play ransomware initially surfaced on Bleeping Computer forums, and a month later, the “No-logs No breach” website provided further details on this ransomware.

Over the course of our investigation, the threat actors running Play ransomware have added more tools and abused new vulnerabilities to their growing arsenal. This suggests that the ransomware group continues to refine its playbook of tactics, techniques, and procedures (TTPs), intending to remain active on the scene for the foreseeable future.

Play is shaping up to be a player on the rise within the ransomware landscape, with its operators likely to continue using the ransomware in future. We take a deep dive into its operations and offer ways in which organizations can shore up their defenses against this emerging threat.

What organizations need to know about Play

We have observed the Play ransomware group augmenting their toolbox with a number of new tools and exploits, including the vulnerabilities ProxyNotShell, OWASSRF, and a Microsoft Exchange Server Remote Code Execution. More recently, it’s also begun to use new tools like Grixba, a custom network scanner and infostealer, and the open-source VSS management tool AlphaVSS.

We have also found evidence that suggests a possible link between Play ransomware and various ransomware families: it shares some tactics and tools with Hive and Nokoyawa ransomware, for example, that point to a high likelihood of affiliation between these ransomware families. We intend on validating the related URLs from Play ransomware infections in terms of watermarking in order to confirm any relation to past Hive infections, as was done previously with Nokoyawa infections. There are also some notable similarities between Play and Quantum ransomware, an offshoot of the Conti ransomware group, inasmuch as the two ransomware groups partly share the same infrastructure: Play’s attacks use Cobalt Strike beacons that have the same watermark, 206546002, as those that had been dropped by Emotet and SVCReady botnets in Quantum ransomware attacks. Despite there being no spam campaigns that are currently using the Emotet trojan, over the course of our investigation we have detected select cases in which Emotet was used to deploy Cobalt Strike beacons bearing the same 206546002 watermark that was found in the beacons involved in Play’s ransomware attacks.

The actors behind Play ransomware usually achieve initial access by way of valid accounts – including virtual private network (VPN) accounts, not just domain and local accounts – that have been reused across multiple platforms, previously exposed, or obtained by illegal means. To establish a foothold into their targeted system, they also use exposed remote desktop protocol (RDP) servers.
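The watermark overlap described above (Play beacons sharing licence ID 206546002 with beacons dropped by Emotet and SVCReady in Quantum intrusions) is the kind of pivot an analyst works by correlating extracted beacon configurations across incidents. The following is an added example, not code from the original article or from Trend Micro: it takes already-extracted beacon config fields and reports which watermarks appear in more than one labelled intrusion and which loaders delivered them. Only the 206546002 value comes from the article; the incident labels, loader names and C2 hostnames are constructed sample data.

```python
"""Correlate Cobalt Strike beacon watermarks across incidents.

Added example, not part of the original article. A watermark is the
licence ID that a given Cobalt Strike installation stamps into every
beacon it generates, so beacons from separately labelled intrusions that
carry the same value were very likely produced by the same kit. The
records below are constructed for illustration: 206546002 is the value
the article reports; every other field is made up.
"""
from collections import defaultdict
from dataclasses import dataclass

PLAY_QUANTUM_WATERMARK = 206546002  # watermark value reported in the article


@dataclass(frozen=True)
class BeaconRecord:
    incident: str    # analyst label for the intrusion or family
    loader: str      # what delivered the beacon (constructed)
    watermark: int   # licence ID extracted from the beacon config
    c2: str          # C2 host extracted from the beacon config (constructed)


# Constructed sample data, not real indicators.
SAMPLE_RECORDS = [
    BeaconRecord("Play", "manual", PLAY_QUANTUM_WATERMARK, "c2-a.invalid"),
    BeaconRecord("Quantum", "Emotet", PLAY_QUANTUM_WATERMARK, "c2-b.invalid"),
    BeaconRecord("Quantum", "SVCReady", PLAY_QUANTUM_WATERMARK, "c2-c.invalid"),
    BeaconRecord("Hive", "manual", 111111111, "c2-d.invalid"),
    BeaconRecord("Unrelated", "manual", 222222222, "c2-e.invalid"),
]


def group_by_watermark(records):
    """Map each watermark to the set of incident labels it was seen in."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec.watermark].add(rec.incident)
    return dict(groups)


def shared_watermarks(records):
    """Watermarks seen under more than one incident label: attribution pivots."""
    return {wm: incidents
            for wm, incidents in group_by_watermark(records).items()
            if len(incidents) > 1}


def loaders_for(records, watermark):
    """Distinct delivery mechanisms observed for one watermark, sorted."""
    return sorted({rec.loader for rec in records if rec.watermark == watermark})


def c2_for(records, watermark):
    """Distinct C2 hosts observed for one watermark, sorted."""
    return sorted({rec.c2 for rec in records if rec.watermark == watermark})


if __name__ == "__main__":
    for wm, incidents in shared_watermarks(SAMPLE_RECORDS).items():
        print(f"watermark {wm} seen in {sorted(incidents)}; "
              f"loaders {loaders_for(SAMPLE_RECORDS, wm)}; "
              f"c2 {c2_for(SAMPLE_RECORDS, wm)}")
```

A shared watermark is a lead, not proof: cracked Cobalt Strike builds circulate with well-known licence IDs, so the loader and C2 overlap that the same records give you is what turns the watermark match into an affiliation hypothesis worth reporting.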
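The initial-access pattern the article describes (valid, often reused accounts and exposed RDP servers) gives defenders a concrete thing to watch: interactive remote logons whose source address is outside the organisation's own ranges. The following is an added example, not code from the original article or from Trend Micro: it runs that check over constructed logon records shaped like the fields an analyst would pull from Windows Security event 4624 (logon type 10 is RemoteInteractive, i.e. RDP). The addresses, usernames and the internal address ranges are assumptions made for the example.

```python
"""Flag RDP logons from outside the organisation's address space.

Added example, not part of the original article. Records are constructed
to resemble fields extracted from Windows Security event 4624; logon type
10 (RemoteInteractive) is the RDP case. The INTERNAL_NETS list stands in
for whatever ranges the organisation actually owns.
"""
import ipaddress

# Assumed internal ranges for the example (RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RDP_LOGON_TYPE = 10   # RemoteInteractive
EVENT_LOGON_OK = 4624
EVENT_LOGON_FAIL = 4625

# Constructed sample records; the IPs are documentation ranges, not real hosts.
SAMPLE_LOGONS = [
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\jdoe", "src_ip": "10.1.2.3"},
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "203.0.113.45"},
    {"event_id": 4624, "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "198.51.100.9"},
    {"event_id": 4625, "logon_type": 10, "user": "CORP\\admin", "src_ip": "203.0.113.45"},
    {"event_id": 4625, "logon_type": 10, "user": "CORP\\admin", "src_ip": "203.0.113.45"},
]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(logons):
    """Successful RDP logons whose source is not an internal address."""
    return [rec for rec in logons
            if rec["event_id"] == EVENT_LOGON_OK
            and rec["logon_type"] == RDP_LOGON_TYPE
            and not is_internal(rec["src_ip"])]


def external_rdp_failures_by_source(logons):
    """Count failed RDP logons per external source: a password-reuse or
    brute-force signal worth correlating with any success from the same IP."""
    counts = {}
    for rec in logons:
        if (rec["event_id"] == EVENT_LOGON_FAIL
                and rec["logon_type"] == RDP_LOGON_TYPE
                and not is_internal(rec["src_ip"])):
            counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    failures = external_rdp_failures_by_source(SAMPLE_LOGONS)
    for rec in external_rdp_logons(SAMPLE_LOGONS):
        prior = failures.get(rec["src_ip"], 0)
        print(f"external RDP logon: {rec['user']} from {rec['src_ip']} "
              f"({prior} prior failures from this source)")
```

In production the record shape comes from the SIEM rather than a list literal, and a success preceded by failures from the same external source is the combination to escalate first; an external success with no failures is consistent with a valid, reused credential, which is exactly the access path the article attributes to Play.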