Play ransomware gang linked to 300 attacks in 17 months


Several disruptive attacks on US municipal services this year were just the tip of the iceberg for the Play ransomware gang, which the FBI says has affected nearly 300 organizations in 17 months.

The group has made headlines this year for its attacks on the cities of Oakland, California, and Lowell, Massachusetts, as well as Dallas County, Texas. It also claimed responsibility for a November attack on the Greater Richmond Transit Company in Virginia.

But its impact goes beyond disrupting public service delivery and stealing citizen data.

Between June 2022 and October 2023, the gang affected approximately 300 entities, according to a Dec. 18 joint cybersecurity advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate's Australian Cyber Security Centre.

In the notice, the agencies said the group (also known as Playcrypt) impacted a wide range of businesses and critical infrastructure across North America, South America and Europe. In Australia, its first incident was observed in April 2023 and the most recent in November.

“The Play ransomware group is alleged to be a closed group, designed to ‘ensure transaction secrecy,’ according to a statement posted on the group’s data leak website,” the advisory said.

“Play ransomware actors use a double extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions. Victims are instead encouraged to contact the threat actors via email.”

The gang typically gained initial access to victims’ networks either by abusing stolen account credentials or by exploiting public-facing applications. It was known to take advantage of known FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082).

The group used a mix of repurposed legitimate tools and custom tools in its attacks; its activity is recognizable by the gang’s practice of appending a “.play” extension to file names during the exfiltration and encryption process.

“(The group uses) tools like GMER, IOBit and PowerTool to disable antivirus software and delete log files. In some cases, cybersecurity researchers observed Play ransomware actors using PowerShell scripts to target Microsoft Defender,” the agencies said.
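As an added example (not from the article or the joint advisory), the following Python triage script scans a constructed file-activity log for the two indicators the article names: a burst of files being renamed with the “.play” extension, and process launches of the AV-tampering tools it lists (GMER, IOBit, PowerTool). The log format, host names, timestamps and thresholds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp host event detail); not real telemetry.
SAMPLE_LOG = """\
2023-11-02T03:14:01Z ws-07 FILE_RENAME C:\\Shares\\Finance\\q3.xlsx -> C:\\Shares\\Finance\\q3.xlsx.play
2023-11-02T03:14:02Z ws-07 FILE_RENAME C:\\Shares\\Finance\\q3.docx -> C:\\Shares\\Finance\\q3.docx.play
2023-11-02T03:14:03Z ws-07 FILE_RENAME C:\\Shares\\HR\\staff.csv -> C:\\Shares\\HR\\staff.csv.play
2023-11-02T03:10:00Z ws-07 PROCESS_START C:\\Temp\\gmer.exe
2023-11-02T09:00:00Z ws-12 FILE_RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.bak
2023-11-02T09:01:00Z ws-12 PROCESS_START C:\\Windows\\System32\\notepad.exe
"""

# Tool names the advisory associates with disabling AV; matched case-insensitively
# against the executable name (assumed naming, not a verified binary list).
AV_TAMPER_TOOLS = ("gmer", "iobit", "powertool")
LINE_RE = re.compile(r"^(\S+) (\S+) (FILE_RENAME|PROCESS_START) (.*)$")

def parse_log(text):
    """Parse the assumed log format into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def triage(text, window=timedelta(minutes=5), rename_threshold=3):
    """Return {host: [findings]} for hosts showing Play-style indicators."""
    findings = defaultdict(list)
    renames = defaultdict(list)
    for ts, host, kind, detail in parse_log(text):
        if kind == "FILE_RENAME" and detail.lower().endswith(".play"):
            renames[host].append(ts)
        elif kind == "PROCESS_START":
            name = detail.rsplit("\\", 1)[-1].lower()
            if any(tool in name for tool in AV_TAMPER_TOOLS):
                findings[host].append(f"av-tamper-tool:{name}")
    for host, times in renames.items():
        times.sort()
        # Flag when `rename_threshold` .play renames land within `window` of each other.
        k = rename_threshold - 1
        if any(times[i + k] - times[i] <= window for i in range(len(times) - k)):
            findings[host].append(f"play-extension-burst:{len(times)}")
    return dict(findings)
```

Run `triage(SAMPLE_LOG)` to see only ws-07 flagged, for both the rename burst and the gmer.exe launch.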

In a paper published last month, Adlumin researchers said they had discovered evidence that the Play gang had recently started offering the malware on a ransomware-as-a-service basis.

“Making it available to affiliates that could include sophisticated hackers, less sophisticated ‘script kiddies,’ and varying levels of expertise in between, could significantly increase the volume of attacks using the highly successful, Russia-linked Play ransomware,” the researchers said.

The agencies that issued the joint advisory recommended a series of steps that organizations should take to defend against the ransomware gang. These include prioritizing the remediation of known exploited vulnerabilities, enabling multi-factor authentication wherever possible (particularly for webmail, VPNs and accounts that access critical systems), ensuring that software and applications are regularly patched and updated, and conducting regular vulnerability assessments.
