Rewterz Threat Update – Israel-Linked “Predatory Sparrow” Hacktivist Group Disrupted Operations at About 70% of Iran’s Fuel Stations
December 19, 2023
Rewterz Threat Alert – Agent Tesla Malware – Active IOCs
December 19, 2023
Severity
High
Analysis Summary
According to the latest joint advisory by cybersecurity researchers of Australia and the U.S., the cybercriminals behind the Play ransomware are said to have impacted about 300 organizations as of October 2023. The ransomware operators employ a double-extortion technique, which encrypts systems after exfiltrating sensitive data.
The adversary has affected multiple business entities and critical infrastructure in North America, Europe, South America, and Australia. Play (aka PlayCrypt and Balloonfly) was first discovered in 2022 when it exploited vulnerabilities in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet devices (CVE-2018-13379 and CVE-2020-12812) to infiltrate organizations and deploy malware to encrypt files.
Recently, ransomware gangs have increasingly exploited vulnerabilities rather than phishing lures as their initial access vector. Play ransomware is offered to other threat actors as ransomware-as-a-service, and most of the group's attacks rely on publicly available tools: AdFind to run Active Directory queries, PowerTool to disable antivirus software, and GMER, IOBit, and Grixba to enumerate network information and collect details of backup software and installed remote administration tools on a system.
“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email,” the security researchers said in the advisory.
The attackers have been observed moving laterally across the compromised network to perform exfiltration and encryption, using SystemBC, Cobalt Strike, and Mimikatz for post-exploitation. Statistics show that Play claimed almost 40 victims in November alone. The alert comes a few days after U.S. government agencies updated a bulletin about the Karakurt group, known to orchestrate data-encryption and extortion attacks after gaining initial access to targeted networks by buying stolen login credentials, phishing, using initial access brokers, and abusing publicly known vulnerabilities.
The development comes amid speculation by cybersecurity experts that the BlackCat ransomware group may have been targeted by a law enforcement operation after its leak portals on the dark web went offline for five days, although the group claimed the outage was due to hardware failure. The ransomware landscape keeps evolving and adapting to new security technology despite pressure from law enforcement, as further evidenced by ransomware gangs like BianLian, Mario, and White Rabbit collaborating on a joint extortion campaign against financial services.
Impact
- Sensitive Information Theft
- File Encryption
- Financial Loss
Indicators of Compromise
MD5
- 09f341874f72a5cfcedbca707bfd1b3b
- 57bcb8cfad510109f7ddedf045e86a70
- 513c17ab6d8ec79ea6c5e196da67722c
- 4412f230da1a3954d5065395b512ff49
- 8fcb6fb21b4326466378991e42ce9865
SHA-256
- 453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb
- 47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57
- 75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212
- 7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986
- 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
SHA-1
- 6e8582faeaf34f63fbe0083a811bcce1aa6c31de
- e6c381859f53d0c0db9fcd30fa601ecb935b93e0
- 3a831bc0c30c6c330070d3065c4c7b39305a9822
- b86f648484364d6dbd0f42b526d4f25814ff00e7
- dd27145d9e4ec4a921b664183a9cbebee568c234
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Enforce strong password policies and consider implementing multi-factor authentication (MFA) to enhance access security.
- Deploy reputable and up-to-date endpoint protection solutions that include anti-malware, intrusion detection/prevention systems, and behavior-based detection mechanisms.
- Identify and address any vulnerabilities or weaknesses in the systems that were exploited during the breach. Apply security patches and updates to ensure the systems are up-to-date.
- Implement a robust backup strategy that includes regular and automated backups of critical data. Ensure that backups are stored securely offline or in an isolated environment to prevent ransomware from encrypting backup files.
- Implement strong encryption measures for sensitive data to protect it from unauthorized access. Employ data segmentation techniques to isolate critical systems and data from less secure areas.
- Establish ongoing monitoring processes and conduct periodic security assessments to identify and address any evolving threats or vulnerabilities. Continuously improve security measures based on lessons learned from the incident.
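The IOC search recommended above can be automated for hosts where no EDR hash lookup is available. The following is an added example, not code from Rewterz or from the advisory: it walks a directory tree, computes MD5, SHA-1 and SHA-256 of every file in a single read pass, and reports files whose digest matches any of the indicators listed in this alert. The hash sets are copied verbatim from the IOC section; the only other indicator, the SHA-256 of an empty file, is a constructed stand-in used by `demo_scan()` so the sweep can be exercised end-to-end without a real sample. File names, the `demo_scan` helper and the chunk size are assumptions of this example.

```python
"""Hash-based IOC sweep for the Play ransomware indicators in this alert.

Added example, not part of the advisory. Unreadable files (locked or
permission denied) are skipped so one bad file does not abort the sweep.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the advisory's IOC section, lower-cased for comparison.
IOC_MD5 = {
    "09f341874f72a5cfcedbca707bfd1b3b",
    "57bcb8cfad510109f7ddedf045e86a70",
    "513c17ab6d8ec79ea6c5e196da67722c",
    "4412f230da1a3954d5065395b512ff49",
    "8fcb6fb21b4326466378991e42ce9865",
}
IOC_SHA1 = {
    "6e8582faeaf34f63fbe0083a811bcce1aa6c31de",
    "e6c381859f53d0c0db9fcd30fa601ecb935b93e0",
    "3a831bc0c30c6c330070d3065c4c7b39305a9822",
    "b86f648484364d6dbd0f42b526d4f25814ff00e7",
    "dd27145d9e4ec4a921b664183a9cbebee568c234",
}
IOC_SHA256 = {
    "453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb",
    "47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57",
    "75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212",
    "7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986",
    "7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca",
}

# Constructed stand-in indicator: the well-known SHA-256 of an empty file.
# Used only by demo_scan() to show a hit without shipping a real sample.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def build_ioc_index(md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Normalise the three hash sets into one {algorithm: set_of_lowercase_hex} index."""
    return {
        "md5": {h.lower() for h in md5},
        "sha1": {h.lower() for h in sha1},
        "sha256": {h.lower() for h in sha256},
    }


def hash_bytes(data):
    """Return (md5, sha1, sha256) hex digests of an in-memory byte string."""
    return (
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    )


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests of a file in one pass, streaming 1 MiB at a time."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_digests(digests, index):
    """Return [(algorithm, hex)] for every digest present in the IOC index."""
    hits = []
    for algo, digest in zip(("md5", "sha1", "sha256"), digests):
        if digest.lower() in index[algo]:
            hits.append((algo, digest.lower()))
    return hits


def scan_tree(root, index=None):
    """Walk `root` and return {path: hits} for files matching any indicator."""
    index = index if index is not None else build_ioc_index()
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                hits = match_digests(hash_file(path), index)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if hits:
                findings[str(path)] = hits
    return findings


def demo_scan():
    """Sweep a constructed temp tree (one empty file, one benign file) with the
    advisory IOCs plus the empty-file stand-in; return {filename: hits}."""
    index = build_ioc_index(sha256=IOC_SHA256 | {EMPTY_SHA256})
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "empty.bin").write_bytes(b"")
        (Path(tmp) / "benign.txt").write_bytes(b"constructed benign content\n")
        findings = scan_tree(tmp, index)
        return {Path(p).name: hits for p, hits in findings.items()}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(path, hits)
```

Run it as `python ioc_sweep.py /path/to/scan`; any line printed is a file whose digest matches an indicator and should be isolated and triaged rather than deleted, so the artefact remains available for forensics. Hashing all three algorithms in one pass keeps the sweep to a single disk read per file, which matters when scanning file servers or backup volumes.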