Dark Web Profile: Play Ransomware

[Update] November 22, 2023: Read under title: “Play Ransomware Shifts to RaaS Model.”

[Update] July 7, 2023: The Play ransomware group has recently added 11 new victims to their Dark Web leak site. Added the subheading: “Play Ransomware Lists 11 New Victims from Distinct Industries.”

While cyber-attacks are increasing nowadays, threat actors seek to implement different methods and techniques as well. Ransomware is one of the most common cyber-attacks that are not new but developing a cybercrime industry that threatens several sectors and governments. Today, we’ll introduce you to a new player: Play Ransomware.

Who is Play Ransomware?

On Jun 22, 2022, in the BleepingComputer forum, someone wrote that his files were encrypted with the extension “Play.” Afterward, Trend Micro published an analysis article about the new ransomware variant, Play Ransomware. The main target of Play Ransomware is the Latin American region, and Brazil is at the top of the list. Even though they seem like a new ransomware group, their identified TTPs look like Hive and Nokayawa ransomware families. One of the similar behaviors that make them look similar are they use AdFind, a command-line query tool capable of collecting information from Active Directory.

How Do They Attack?

The Play Ransomware group uses a known valid account, exposed RDP servers, and FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812 to gain initial access to an organization’s network. After getting access, they start using “lolbins” binaries like common ransomware group use as part of their attacks.

They distribute executables in the internal network via Group Policy Objects, then run scheduled tasks, PsExec or wmic. After they gain full access to the internal network, they encrypt files with the “.play” extension.

Figure 2. Play Ransomware infection chain (Source: Trend Micro)

Double extortion is a popular technique in which cyber actors threaten to exfiltrate sensitive data. Play Ransomware also uses double extortion against its victims. They can archive the breached data with WinRAR and then upload it to file-sharing sites.

Unique Type of Method: Intermittent Encryption

The researchers have found that the Play Ransomware group is the first threat actor resorting to intermittent encryption. This technique provides better evasion with partial encryption on the system that uses static analysis to detect ransomware infection.

Intermittent encryption is a new technique; based on the file size, it encrypts chunks of 0x100000 bytes.

For example:

2 chunks if the file size is less than or equal to 0x3fffffff bytes;
3 chunks if the file size is less than or equal to 0x27fffffff bytes;

The researchers observed that a sample encrypted every other 0x100000 byte chunk until the end of the file. The file consisted only of null characters, making the encrypted and non-encrypted chunks visually distinguishable.

Figure 3: Partial content of a file encrypted by PLAY (Source: SentinelOne)

Play Ransomware Hacks Xplain: Swiss Police, Army, and Customs are Affected

Swiss authorities are investigating a cyber attack that targeted a Bernese IT firm, Xplain. The attack impacted several federal and cantonal government departments that worked with the same IT company, including the cantonal police, the Swiss army, customs, and the Federal Office of Police (Fedpol).

The Play Ransomware gang has claimed responsibility for the attack and published the stolen data from Fedpol and the Federal Office for Customs and Border Security (FOCBS) on a dark web forum.

Affected parties Fedpol and FOCBS downplayed the incident, Fedpol stating that only simulated and anonymous test data was accessed. However, the FOCBS acknowledged that exposed data included correspondence with clients.

*Play Ransomware announces Xplain as a new victim (Source: SOCRadar Dark Web News)*

Play Ransomware Targets IT Companies

Play Ransomware has recently added more companies to its leak site, claiming to have hacked them. After Xplain’s hack, these companies included other IT providers named Paragon Software Lanka, Soroc Technology, and a cloud hosting provider, Black Cat Networks.

*Play Ransomware lists Paragon Software Lanka and Soroc Technology as victims (Source: SOCRadar Dark Web News)*

*Play Ransomware claims to have hacked cloud provider Black Cat Networks (Source: SOCRadar Dark Web News)*

Although the ransomware group did not disclose the size of data stolen from these organizations, they explained on leak posts that they stole private and confidential data, client and employee documents, as well as certain financial information from all the victims.

Major Spanish Bank Globalcaja Hit by Play Ransomware Attack

A major Spanish bank called Globalcaja has confirmed that it is facing a ransomware attack affecting multiple offices. The bank, located in Albacete, Spain, has over 300 branches nationwide and serves nearly 500,000 customers.

The Play ransomware group has claimed responsibility for the attack, stating that they have stolen private and confidential data, including client and employee documents, passports, and contracts.

The bank has stated that the attack has not affected customer transactions or electronic banking operations. They have activated security protocols, limited the performance of some operations, and are working to normalize the situation while prioritizing security. The bank has not commented on whether they will pay a ransom.

*Play Ransomware announces Globalcaja as a new victim (Source: SOCRadar Dark Web News)*

Play Ransomware Claims They Stole 600GB Data from Polycom

Another notable entry on the list is Poly (Polycom), a global communications firm based in the US. The ransomware operation posted Poly on the leak site on May 22, 2023, and claimed that they obtained 600GB of data, which included private and personal information, employee documents, social security numbers, IDs, passports, budget details, and financial information.

*Play Ransomware lists Polycom as a victim (Source: SOCRadar Dark Web News)*

Play Ransomware Attack Target: Argentina’s Judiciary of Córdoba

Figure 4. Argentina’s Judiciary of Córdoba

On Aug 13, 2022, Argentina’s Judiciary of Córdoba was targeted by Play Ransomware Group. They shut down Argentina’s Judiciary of Córdoba’s IT systems, databases, and online portals. Then they encrypted their files with “.play” extensions. After that, they left a simple ReadMe.txt to contact them.

Play Ransomware Lists 11 New Victims from Distinct Industries

The Play ransomware group recently came up with an alarming update on their Dark Web leak site: they added 11 new victims to the list. The victim organizations operate in diverse industries, and while nine originate from the United States, the remaining two are from the United Kingdom and Italy.

The list includes the manufacturer Indiana Dimension, Star Island Resort and Club, towing firm Lazer Tow, traffic control company Safety Network, logistics firm Capacity LLC, retailers Betty Lou’s Inc and MUJI UK, Geneva Software, hardware manufacturer Uniquify Inc, NST Law firm in the legal field, and Lawer SpA operating in the industrial sector.

Play Ransomware's Victim Listing — *Play Ransomware’s Victim Listing *(Source:* *Twitter*)*

The Play ransomware group claims to have successfully hacked the systems of these organizations and threatens to expose their private and personal data if the ransom demand is not paid, including sensitive client and employee documents, contracts, as well as financial, HR, and passport information in certain cases.

Play Ransomware Shifts to RaaS Model

Researchers have uncovered a significant development, as Play Ransomware transitions to a Ransomware-as-a-Service (RaaS) model. A recent in-depth analysis, based on various Play ransomware attacks, reveals a striking uniformity in tactics and procedures across different sectors, indicating the use of predefined playbooks or instructions, possibly supplied by a RaaS kit.

In recent months, researchers have seen Play attacks with nearly identical TTPs, such as the use of the public music folder (C:\…\public\music) to hide the malicious file, the same password to create high-privilege accounts, and the same commands.

The victims who were targeted all had a similar profile. The targeting of smaller organizations with a financial capacity for ransom payments of around $1 million is particularly concerning.

For a detailed list of Indicators of Compromise, refer to the full research.

How Could This Revelation Impact the Cybersecurity Landscape?

Play Ransomware was distinct from other operations with the involvement of its developers in executing attacks. Play’s transformation into a RaaS marks a notable shift as developers are now separated from attackers, while Play also becomes an enticing option for other threat actors. Consequently, the cybersecurity landscape must anticipate a surge in incidents and strengthen defenses accordingly.

What are the Security Recommendations?

Play Ransomware attacks emphasize the evolution of cyber threats. Recently, threat actors implement advanced evasion techniques to avoid detection by security tools. Therefore, you should deploy more security components like CTI platforms to get in intelligence about new threats from the dark web and learn about a specific threat against your company. Additionally, some curated mitigation steps are below.

Employ MFA (multifactor authentication) for all possible services to prevent attackers’ lateral movements.
Apply the least privilege principle, especially to critical systems and services.
Enable logical and physical network segmentation for separation of different units’ accesses.
Deploy attack surface management (ASM), assisting in understanding cyber assets.
Secure domain controllers (DC) using best practices.
Maintain offline and encrypted backups of data, especially the 3-2-1 backup rule for essential files.
Track security patches and software/OS updates regularly.

Stay Informed with SOCRadar’s Dark Web News

Stay up to date with the latest happenings in the dark web, including the notorious Play Ransomware, through the comprehensive Dark Web News module offered by SOCRadar.

Dive into a wealth of information and stay informed about the latest updates, including Play Ransomware.