The Play ransomware gang has attacked 300 organizations since 2022


The ransomware group behind several devastating attacks on major US cities is believed to have launched more than 300 successful incidents since June 2022, according to cybersecurity officials in the US and Australia.

The FBI joined the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre on Monday to issue a joint advisory on the Play ransomware gang.

This year alone, the group has left cities such as Oakland and Lowell, Massachusetts, as well as Dallas County, scrambling for days to deal with encrypted devices and large volumes of stolen citizen data. The government of Switzerland also warned in June that the group had stolen data during an attack on one of its IT service providers.

The agencies said the ransomware gang has attacked “a wide range of businesses and critical infrastructure across North America, South America, and Europe” over the past year and a half. The FBI was aware of approximately 300 “affected entities” as of October. In Australia, the first incident involving the group was seen in April and the most recent in November.

According to the advisory, the group operates with more discretion than some of its competitors. In most cases, the gang does not state its demands in the ransom note, instead instructing victims to contact it by email.

“The Play ransomware group is believed to be a closed group, designed to ‘ensure transaction secrecy,’ according to a statement posted on the group’s data leak website,” the agencies said. “Play ransomware actors use a double extortion model, encrypting systems after exfiltrating data.”

The gang typically gains initial access through stolen account credentials and public-facing applications, targeting known vulnerabilities in popular products such as FortiOS CVE-2018-13379 and CVE-2020-12812, as well as the ProxyNotShell vulnerabilities in Microsoft Exchange.

The attackers use a variety of tools to steal information, and to scan for and disable antivirus software.

Before encrypting, the gang splits the compromised data into smaller chunks and exfiltrates it to attacker-controlled accounts; it then appends the .play extension to the names of encrypted files.

“The Play ransomware group uses a double extortion model, encrypting systems after exfiltrating data. The ransom note asks victims to contact the Play ransomware group at an email address ending in @gmx(.)de,” they said.

“Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish the exfiltrated data on their leak site on the Tor network ((.)Onion URL).”
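The two artifacts the advisory describes, a burst of files being renamed with a .play extension and a note pointing to an @gmx.de contact address, are both things a defender can look for in file-activity telemetry. The following is an added example written for this page, not code from the advisory or from the agencies: a small Python detector that parses a simple rename/create log format (the format, the host names, the paths, the 60-second window and the threshold of five renames are all assumptions), flags hosts that rename many files to .play in a short window, and pulls contact addresses out of a note. All events and the note text are constructed for the example.

```python
"""Heuristic detection of Play-style encryption activity in file-event logs.

Added example for this page; not the advisory's or the agencies' code.
Assumptions: one event per line as "ISO-8601-UTC host ACTION path[ -> newpath]",
a 60-second window and a threshold of five .play renames per host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".play"                       # extension the advisory says Play appends
# The note directs victims to an address ending in @gmx.de (defanged as @gmx(.)de above).
CONTACT_RE = re.compile(r"\b[\w.+-]+@gmx\.de\b", re.IGNORECASE)

# Assumed log line shape; the trailing "-> newpath" is present only for RENAME events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>RENAME|CREATE|WRITE)\s+"
    r"(?P<path>.+?)(?:\s->\s(?P<new>.+))?$"
)

# Constructed sample telemetry: one server encrypting a share, one workstation with noise.
SAMPLE_LOG = r"""
2023-12-18T02:14:01Z srv-files RENAME C:\Shares\Finance\q3.xlsx -> C:\Shares\Finance\q3.xlsx.play
2023-12-18T02:14:02Z srv-files RENAME C:\Shares\Finance\q4.xlsx -> C:\Shares\Finance\q4.xlsx.play
2023-12-18T02:14:02Z srv-files RENAME C:\Shares\HR\roster.docx -> C:\Shares\HR\roster.docx.play
2023-12-18T02:14:03Z srv-files RENAME C:\Shares\HR\payroll.csv -> C:\Shares\HR\payroll.csv.play
2023-12-18T02:14:05Z srv-files RENAME C:\Shares\Legal\contract.pdf -> C:\Shares\Legal\contract.pdf.play
2023-12-18T02:14:06Z srv-files RENAME C:\Shares\Legal\nda.pdf -> C:\Shares\Legal\nda.pdf.play
2023-12-18T02:20:11Z ws-042 RENAME C:\Users\alice\draft.docx -> C:\Users\alice\draft.docx.play
2023-12-18T02:31:40Z ws-042 RENAME C:\Users\alice\notes.txt -> C:\Users\alice\notes.txt.bak
2023-12-18T02:45:00Z ws-017 WRITE C:\Users\bob\report.docx
"""

# Constructed note text; only the @gmx.de domain comes from the advisory.
SAMPLE_NOTE = "Your network has been encrypted. To negotiate, write to restore-helper@gmx.de\n"


def parse_log(text):
    """Parse the log into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_rename_bursts(events, window_s=60, threshold=5):
    """Flag hosts with at least `threshold` renames to RANSOM_EXT inside any `window_s` window."""
    per_host = defaultdict(list)
    for e in events:
        if e["action"] == "RENAME" and e["new"] and e["new"].lower().endswith(RANSOM_EXT):
            per_host[e["host"]].append(e["ts"])

    findings = []
    for host, times in per_host.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"host": host, "max_in_window": best, "first_seen": times[0]})
    return findings


def extract_contacts(note_text):
    """Return the distinct @gmx.de addresses found in a ransom note."""
    return sorted(set(CONTACT_RE.findall(note_text)))


if __name__ == "__main__":
    for f in find_rename_bursts(parse_log(SAMPLE_LOG)):
        print(f"{f['host']}: {f['max_in_window']} .play renames within 60s, first at {f['first_seen']}")
    print("note contacts:", extract_contacts(SAMPLE_NOTE))
```

The window-and-threshold rule is deliberately crude: a single user renaming one file to .play (ws-042 above) is noise, while a file server renaming dozens of files per minute is the encryption phase the advisory describes. In practice the same logic would sit on top of EDR or audit-log telemetry, and the extension check should be treated as one indicator among several, since the data has already been exfiltrated by the time it fires.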

When the Play group first emerged in mid-2022, it targeted government entities in Latin America, according to Trend Micro. More recently, it made headlines for a damaging attack on the city of Oakland, which spent weeks recovering from the incident, as well as for attacks on Stanley Steemer and on the organization that manages the public transportation system for central Virginia.

In April, the gang published 600 gigabytes of data from the Oakland government after releasing an initial batch of 10 GB in March. The leaks included extensive sensitive data stolen from the city’s police department, driver’s license numbers, Social Security numbers, and even information about the city’s elected officials.


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
