Emerging Threat Play Ransomware Targets Critical Infrastructure

Threat Type: Ransomware
Exploited Vulnerabilities: Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082), FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812), Remote Desktop Protocol (RDP)
Malware Used: Play ransomware encryptor, custom VSS copying tool, Grixba information stealer
Threat Score: Critical (9/10) — Enhanced threat level due to state-backed collaborations and increased targeting of high-value sectors
Last Threat Observation: November 1, 2024 (reported by Palo Alto Networks Unit 42 and CISA)


Overview

As of November 1, 2024, the Play ransomware group continues to pose severe threats with evolving tactics, notable collaborations, and an expanding attack scope. Recent updates reveal a state-backed collaboration and high-profile industrial targeting, underlining the group's sophistication and widening impact.

Recent Developments

  • Collaboration with North Korean Hackers: In October 2024, Palo Alto Networks' Unit 42 reported that Play ransomware had partnered with the North Korean state-sponsored group Andariel (a.k.a. Jumpy Pisces), marking a significant escalation. The collaboration enabled unauthorized network access and lateral movement via tools like Sliver and DTrack, with the eventual deployment of Play ransomware.
  • Attack on Microchip Technology: In August 2024, Play ransomware claimed responsibility for targeting Microchip Technology, a leading U.S. semiconductor manufacturer. The attackers exfiltrated confidential data, including sensitive employee and financial information. Microchip has acknowledged the incident and is working with law enforcement to mitigate it.

Key Details

  • Delivery Method: Exploitation of unpatched vulnerabilities and compromised remote services.
  • Target: Critical infrastructure, municipal systems, semiconductor industry, healthcare, and cloud service providers.
  • Functions:
    • Data Exfiltration and Encryption: Sensitive data is exfiltrated before encryption, applying a .play extension.
    • Credential Dumping: Mimikatz and other tools are used for credential harvesting.
    • Lateral Movement: Tools like Cobalt Strike and PsExec support lateral movement and file execution.
    • System Obfuscation: Disables antivirus and removes logs using tools like GMER and PowerTool.
  • Obfuscation Techniques: Advanced evasion techniques, including return-oriented programming (ROP) and anti-disassembly tricks, are used to bypass defenses.

Attack Vectors

Play ransomware infiltrates systems via vulnerabilities in unpatched applications and exposed RDP services. After gaining entry, attackers use tools such as AdFind and Grixba for network reconnaissance, disable defenses, and cover their tracks. Tools like Cobalt Strike and PsExec facilitate lateral movement, while compressed data archives are transferred out using WinSCP. Files are then encrypted with the .play extension, accompanied by a ransom note instructing victims to contact the group via specific email addresses.

Known Indicators of Compromise (IoCs)

  • File Extensions: Encrypted files often carry the .play extension.
  • Ransom Note: Typically named ReadMe.txt and located in the root directory of the system drive (C:\).
  • Email Addresses: Ransom notes often include contact emails ending in @gmx.de.
  • Commonly Used Tools and Techniques:
    • AdFind: Active Directory enumeration
    • Cobalt Strike: Command and control
    • PsExec: Lateral movement
    • Mimikatz: Credential harvesting
    • WinRAR: Compression of files into .RAR format
    • WinSCP: Data transfer to actor-controlled accounts
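As an added example (not from the advisory, CISA, or any vendor tooling), the following Python scan checks a file tree for the host-side indicators listed above: clusters of files carrying the .play extension and a ReadMe.txt note containing @gmx.de contacts. It generalizes the note check to any directory rather than only the drive root, and the per-directory threshold and the sample tree it builds are assumptions for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators from the advisory: encrypted files carry .play, the note is
# ReadMe.txt, and contact addresses end in @gmx.de.
PLAY_EXT = ".play"
NOTE_NAME = "readme.txt"
CONTACT_RE = re.compile(r"[\w.+-]+@gmx\.de", re.IGNORECASE)


def scan_tree(root, threshold=5):
    """Walk `root` and return findings. `threshold` (an assumed value) is the
    number of .play files in one directory treated as an encryption event."""
    play_dirs = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(PLAY_EXT):
                play_dirs[dirpath] += 1
            elif lower == NOTE_NAME:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        contacts = sorted(set(CONTACT_RE.findall(fh.read())))
                except OSError:
                    contacts = []
                if contacts:  # a plain README without @gmx.de contacts is ignored
                    notes.append({"path": path, "contacts": contacts})
    hot = {d: n for d, n in play_dirs.items() if n >= threshold}
    return {"play_files": sum(play_dirs.values()), "encrypted_dirs": hot,
            "ransom_notes": notes, "verdict": bool(hot or notes)}


def build_sample(root):
    """Constructed sample tree: one share with six encrypted files, a note
    with a placeholder contact address, and a benign text file."""
    share = os.path.join(root, "share", "finance")
    os.makedirs(share)
    for i in range(6):
        open(os.path.join(share, f"q{i}.xlsx.play"), "w").close()
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write("constructed sample note: sample-contact@gmx.de\n")
    open(os.path.join(root, "share", "notes.txt"), "w").close()
    return root


def demo(clean=False):
    """Run the scan on a constructed tree (or an empty one when clean=True)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(tmp if clean else build_sample(tmp))


if __name__ == "__main__":
    print(demo())
```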

Additional IoCs

  • IPv4 Address: hxxp://172[.]96[.]137[.]224
  • Domains: hxxp://americajobmail[.]site

Mitigation and Prevention

  1. Stay Informed: Regularly consult trusted cybersecurity sources, such as CISA and AlienVault OTX, for updates on Play ransomware activity.
  2. Implement Robust Security Measures: Ensure all systems are patched, enforce multi-factor authentication, and conduct security assessments regularly.
  3. Monitor for IoCs: Deploy detection mechanisms for the above IoCs and watch for suspicious network behavior.
  4. Regular Backups and Segmentation: Implement offline backups and network segmentation to minimize ransomware spread.
  5. Employee Awareness: Train staff on ransomware tactics and encourage vigilance against phishing and social engineering.

By implementing these measures, organizations can improve their defenses against the evolving threat posed by Play ransomware.


Sources:

  • CISA: "#StopRansomware: Play Ransomware"
  • BleepingComputer: "FBI: Play ransomware breached 300 victims, including critical orgs"
  • Decipher by Duo: "U.S., Australian Government Agencies Warn of Play Ransomware Attacks"
  • SecurityWeek: "Play Ransomware Group Used New Exploitation Method in Rackspace Attack"
  • AlienVault OTX: "Play Ransomware Attacks Utilize New Custom Tools"