Reading:
Dark Web Profile: Play Ransomware

Dark Web Profile: Play Ransomware

October 10, 2022

While cyber-attacks are increasing nowadays, threat actors seek to implement different methods and techniques as well. Ransomware is one of the most common cyber-attacks that are not new but developing a cybercrime industry that threatens several sectors and governments. Today, we’ll introduce you to a new player: Play Ransomware.

Who is Play Ransomware? 

On Jun 22, 2022, in the BleepingComputer forum, someone wrote that his files were encrypted with the extension “Play.” Afterward, Trend Micro published an analysis article about the new ransomware variant, Play Ransomware. The main target of Play Ransomware is the Latin American region, and Brazil is at the top of the list. Even though they seem like a new ransomware group, their identified TTPs look like Hive and Nokayawa ransomware families. One of the similar behaviors that make them look similar are they use AdFind, a command-line query tool capable of collecting information from Active Directory.

Play Ransomware first seen
Figure 1. Play Ransomware first seen

How Do They Attack? 

The Play Ransomware group uses a known valid account, exposed RDP servers, and FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812 to gain initial access to an organization’s network. After getting access, they start using “lolbins” binaries like common ransomware group use as part of their attacks. 

They distribute executables in the internal network via Group Policy Objects, then run scheduled tasks, PsExec or wmic. After they gain full access to the internal network, they encrypt files with the “.play” extension.

Play Ransomware infection chain
Figure 2. Play Ransomware infection chain (Source: Trend Micro)

Double extortion is a popular technique in which cyber actors threaten to exfiltrate sensitive data. Play Ransomware also uses double extortion against its victims. They can archive the breached data with WinRAR and then upload it to file-sharing sites.

Unique Type of Method: Intermittent Encryption 

The researchers have found that the Play Ransomware group is the first threat actor resorting to intermittent encryption. This technique provides better evasion with partial encryption on the system that uses static analysis to detect ransomware infection

Intermittent encryption is a new technique; based on the file size, it encrypts chunks of 0x100000 bytes. 

For example: 

  • 2 chunks if the file size is less than or equal to 0x3fffffff bytes; 
  • 3 chunks if the file size is less than or equal to 0x27fffffff bytes; 

The researchers observed that a sample encrypted every other 0x100000 byte chunk until the end of the file. The file consisted only of null characters, making the encrypted and non-encrypted chunks visually distinguishable.

Partial content of a file encrypted by PLAY
Figure 3: Partial content of a file encrypted by PLAY (Source: SentinelOne)

Play Ransomware Attack Target: Argentina’s Judiciary of Córdoba

Figure 4. Argentina’s Judiciary of Córdoba

On Aug 13, 2022, Argentina’s Judiciary of Córdoba was targeted by Play Ransomware Group. They shut down Argentina’s Judiciary of Córdoba’s IT systems, databases, and online portals. Then they encrypted their files with “.play” extensions. After that, they left a simple ReadMe.txt to contact them.

Play Ransomware ReadMe.txt 
Figure 5. Play Ransomware ReadMe.txt 

What are the Security Recommendations? 

Play Ransomware attacks emphasize the evolution of cyber threats. Recently, threat actors implement advanced evasion techniques to avoid detection by security tools. Therefore, you should deploy more security components like CTI platforms to get in intelligence about new threats from the dark web and learn about a specific threat against your company. Additionally, some curated mitigation steps are below. 

  • Employ MFA (multifactor authentication) for all possible services to prevent attackers’ lateral movements. 
  • Apply the least privilege principle, especially to critical systems and services. 
  • Enable logical and physical network segmentation for separation of different units’ accesses. 
  • Deploy attack surface management (ASM), assisting in understanding cyber assets. 
  • Secure domain controllers (DC) using best practices. 
  • Maintain offline and encrypted backups of data, especially the 3-2-1 backup rule for essential files. 
  • Track security patches and software/OS updates regularly.

IOCs

Hashes 

  • fc2b98c4f03a246f6564cc778c03f1f9057510efb578ed3e9d8e8b0e5516bd49
  • c316627897a78558356662a6c64621ae25c3c3893f4b363a4b3f27086246038d
  • c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
  • e1c75f863749a522b244bfa09fb694b0cc2ae0048b4ab72cb74fcf73d971777b
  • 094d1476331d6f693f1d546b53f1c1a42863e6cde014e2ed655f3cbe63e5ecde
  • e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
  • d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
  • c88b284bac8cd639861c6f364808fac2594f0069208e756d2f66f943a23e3022
  • f18bc899bcacd28aaa016d220ea8df4db540795e588f8887fe8ee9b697ef819f
  • e641b622b1f180fe189e3f39b3466b16ca5040b5a1869e5d30c92cca5727d3f0
  • 608e2b023dc8f7e02ae2000fc7dbfc24e47807d1e4264cbd6bb5839c81f91934
  • 006ae41910887f0811a3ba2868ef9576bbd265216554850112319af878f06e55
  • e4f32fe39ce7f9f293ccbfde30adfdc36caf7cfb6ccc396870527f45534b840b
  • 8962de34e5d63228d5ab037c87262e5b13bb9c17e73e5db7d6be4212d66f1c22
  • 5573cbe13c0dbfd3d0e467b9907f3a89c1c133c774ada906ea256e228ae885d5
  • f6072ff57c1cfe74b88f521d70c524bcbbb60c561705e9febe033f51131be408
  • 7d14b98cdc1b898bd0d9be80398fc59ab560e8c44e0a9dedac8ad4ece3d450b0
  • dcaf62ee4637397b2aaa73dbe41cfb514c71565f1d4770944c9b678cd2545087
  • f5c2391dbd7ebb28d36d7089ef04f1bd9d366a31e3902abed1755708207498c0
  • 14177730443c70aefeeda3162b324fdedf9cf9e0
  • 3e6317229d122073f57264d6f69ae3e145decad3666ddad8173c942e80588e69

URLs

  • hxxp://84.32.190[.]37:80/ahgffxvbghgfv
  • hxxp://newspraize[.]com
  • hxxp://realmacnow[.]com
  • 172.67.176[.]244
  • 104.21.43[.]80
  • hxxp://67.205.182[.]129/u2/upload[.]php