The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued a joint Cybersecurity Advisory (CSA) to alert network defenders of the Play ransomware group’s activities and provide mitigation recommendations.
The Play ransomware group, also known as Playcrypt, has been targeting businesses and critical infrastructure in North America, South America, and Europe since June 2022, using a double-extortion model that involves encrypting data and threatening to publish it on a leak site. The group is believed to operate as a closed group that guarantees the secrecy of deals, according to a statement on its data leak website.
The CSA details the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Play ransomware group, based on FBI investigations as of October 2023. The group exploits vulnerabilities in public-facing applications, such as FortiOS and Microsoft Exchange, and uses tools like Cobalt Strike, Mimikatz, and WinRAR to gain access, move laterally, dump credentials, compress and exfiltrate data, and encrypt files. The group also uses tools to disable anti-virus software and clear event logs to evade detection.
The CSA also provides a list of legitimate tools that the Play ransomware group has repurposed for its operations, such as AdFind, GMER, PowerShell, and WinSCP. The CSA advises network defenders to exercise caution when using or detecting these tools, as their presence alone does not necessarily indicate malicious activity.
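The two preceding paragraphs describe behaviours a defender can look for: audit logs being cleared, and legitimate tools (AdFind, WinRAR, WinSCP, GMER, PowerShell) that only become suspicious in context. The following is an added example, not code from the advisory or from the agencies that issued it. The event records are constructed for illustration; the Windows event IDs for a cleared Security log (1102) and a cleared System log (104) are real, while the 30-minute correlation window and the enumeration-then-archive-then-transfer chain are assumptions chosen to show how dual-use tools can be triaged without flagging every administrator who runs them.

```python
"""Triage constructed Windows events for the Play-style TTPs named in the advisory:
clearing event logs (treated as high severity on its own) and dual-use tools
(treated as 'review' individually, escalated only when they chain together).
Added example; every event below is constructed, not taken from the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use tools named in the advisory, mapped to the role they play in an
# intrusion. Any one of them alone is a "review" signal because admins use them too.
DUAL_USE = {
    "adfind.exe": "AD enumeration",
    "rar.exe": "archiving",
    "winrar.exe": "archiving",
    "winscp.exe": "file transfer",
    "gmer.exe": "rootkit scanner",
    "powershell.exe": "scripting",
}

# Real Windows event IDs that record an audit log being cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Assumed: stages that, seen in this order on one host inside the window,
# suggest collection and staging for exfiltration rather than routine admin work.
STAGES = ["AD enumeration", "archiving", "file transfer"]
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample events (process creation 4688 plus one log-clear event).
SAMPLE_EVENTS = [
    {"ts": "2023-10-01T09:00:00", "host": "WS01", "channel": "Security", "event_id": 4688,
     "image": "C:\\Tools\\AdFind.exe", "user": "CORP\\svc_backup"},
    {"ts": "2023-10-01T09:12:00", "host": "WS01", "channel": "Security", "event_id": 4688,
     "image": "C:\\Program Files\\WinRAR\\Rar.exe", "user": "CORP\\svc_backup"},
    {"ts": "2023-10-01T09:20:00", "host": "WS01", "channel": "Security", "event_id": 4688,
     "image": "C:\\Program Files\\WinSCP\\WinSCP.exe", "user": "CORP\\svc_backup"},
    {"ts": "2023-10-01T09:25:00", "host": "WS01", "channel": "Security", "event_id": 1102,
     "image": "", "user": "CORP\\svc_backup"},
    {"ts": "2023-10-01T14:00:00", "host": "ADMIN02", "channel": "Security", "event_id": 4688,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "user": "CORP\\itadmin"},
]


def tool_name(image):
    """Lower-cased file name from a full image path ('' if no image)."""
    return image.rsplit("\\", 1)[-1].lower()


def chained(runs):
    """True if the STAGES occur in order on one host within CORRELATION_WINDOW of the first.
    runs: time-sorted list of (datetime, tool_name) for dual-use tools only."""
    stage, start = 0, None
    for ts, name in runs:
        if stage > 0 and ts - start > CORRELATION_WINDOW:
            stage, start = 0, None          # window expired; start over from this event
        if DUAL_USE[name] == STAGES[stage]:
            start = start or ts
            stage += 1
            if stage == len(STAGES):
                return True
    return False


def triage(events):
    """Return a list of (severity, host, reason) findings for the given events."""
    findings = []
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if (ev["channel"], ev["event_id"]) in LOG_CLEARED:
            findings.append(("high", ev["host"],
                             f"{ev['channel']} log cleared by {ev['user']} (defense evasion)"))
            continue
        name = tool_name(ev["image"])
        if name in DUAL_USE:
            per_host[ev["host"]].append((ts, name))
            findings.append(("review", ev["host"],
                             f"dual-use tool {name} ({DUAL_USE[name]}) run by {ev['user']}"))
    # Escalate only when the individual "review" signals form the assumed chain.
    for host, runs in per_host.items():
        if chained(runs):
            findings.append(("high", host,
                             f"enumeration, archiving and transfer tools chained within "
                             f"{CORRELATION_WINDOW} (possible collection/exfiltration staging)"))
    return findings


if __name__ == "__main__":
    for severity, host, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity:6}] {host}: {reason}")
```

On the constructed data, WS01 produces three "review" findings that the chain rule escalates to "high", alongside the "high" finding for the cleared Security log; ADMIN02's lone PowerShell launch stays at "review", which is the point the advisory makes about these tools.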
The CSA recommends that organizations implement various mitigations to reduce the likelihood and impact of ransomware incidents, such as requiring multifactor authentication, keeping software and firmware updated, segmenting networks, maintaining offline backups, and reporting ransomware incidents to the authorities. The CSA also encourages organizations to test and validate their security controls against the MITRE ATT&CK for Enterprise framework, the common taxonomy to which the CSA maps the Play ransomware group’s TTPs.
The CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. The CSA directs organizations to visit stopransomware.gov for additional alerts and no-cost resources on ransomware threats.
See FBI, CISA, and ASD’s ACSC Release Advisory on Play Ransomware for more information.