Several disruptive attacks against U.S. municipal services this year were just the tip of the iceberg for the Play ransomware gang which, according to the FBI, hit almost 300 organizations in 17 months.
The threat group made headlines this year for attacks on the cities of Oakland, California and Lowell, Massachusetts, along with Dallas County, Texas. It has also claimed responsibility for a November attack against Virginia’s Greater Richmond Transit Company.
But its impact has extended beyond upending the delivery of public services and stealing citizen data.
Between June 2022 and October 2023, the gang exploited approximately 300 entities, according to a Dec. 18 joint cybersecurity advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Cyber Security Centre.
In the advisory, the agencies said the group (also known as Playcrypt) impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. In Australia, its first incident was observed in April 2023 and the most recent one was in November.
“The Play ransomware group is presumed to be a closed group, designed to ‘guarantee the secrecy of deals,’ according to a statement on the group’s data leak website,” the advisory read.
“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.”
The gang generally gained initial access to victims’ networks either by abusing stolen account credentials or by exploiting public-facing applications. It was known to take advantage of known vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082).
The group used a mix of repurposed legitimate tools and custom tools in its attacks which were recognizable because of the gang’s practice of adding a “.play” extension to file names during the exfiltration and encryption process.
“[The group uses] tools like GMER, IOBit, and PowerTool to disable anti-virus software and remove log files. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender,” the agencies said.
In a post last month, researchers at Adlumin said they had uncovered evidence the Play gang had recently begun selling the malware on a ransomware-as-a-service basis.
“Making it available to affiliates that might include sophisticated hackers, less-sophisticated ‘script kiddies’ and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware,” the researchers said.
The agencies who issued the joint advisory recommended a range of steps organizations should take to mitigate against the ransomware gang. These included: prioritizing the remediation of known exploited vulnerabilities, enabling multifactor authentication wherever possible (particularly for webmail, VPNs, and accounts that access critical systems), ensuring software and applications were regularly patched and updated, and conducting regular vulnerability assessments.
