The “.play” extension is added by the ransomware after files have been encrypted, hence the name “play.” Additionally, the email address of the ransomware group and the single word “PLAY” are included in the ransom note.
According to security vendor Trend Micro, the threat actors behind the Play ransomware have been abusing new vulnerabilities and adding new tools to their ever-expanding toolkit. These vulnerabilities include Microsoft Exchange Server Remote Code Execution, OWASSRF, and ProxyNotShell.
Data points to a potential connection between Play and different families of ransomware. For instance, it uses some of the same strategies and resources as the ransomware Hive, Nokoyawa, and Quantum, which is a branch of the Conti ransomware family.
According to fresh data uncovered by Adlumin, other threat actors are currently being offered the ransomware strain known as Play “as a service.”
According to a cybersecurity company report, “the unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it.”
The results are based on multiple Play ransomware attacks that Adlumin tracked, covering a variety of industries and using nearly identical strategies executed in the same order.
This includes creating high-privilege accounts with the same password, using the public music folder (C:\…\public\music) to conceal the malicious file, and running the same commands in the same order from one attack to the next.
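As an added illustration (not code from the article or from Adlumin's report), the Python sketch below turns two of the repeated steps above into a detection rule: a freshly created account being added to the local Administrators group, and a process launched from a "public\music" folder. It runs over constructed, simplified event records modelled on Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) and on Sysmon event 1 (process creation). The event field names, the host names and the full sample paths are assumptions; only the "public\music" folder component comes from the article, so the matcher keys on that component rather than on any particular drive or user prefix. The "same password" step is not observable in these logs and is deliberately left out.

```python
"""Toy detection for two Play-affiliate behaviours described in the article.

The records below are constructed sample events, not real logs from any incident.
Field names are a simplified stand-in for Windows Security / Sysmon fields.
"""
from datetime import datetime, timedelta
import re

# Any path containing a "public\music" (or "public/music") folder component.
# Only this component comes from the article; drive and user prefix are not assumed.
PUBLIC_MUSIC = re.compile(r"[\\/]public[\\/]music[\\/]", re.IGNORECASE)

# Constructed sample events (assumed host names and paths).
T = datetime(2023, 11, 1, 2, 0, 0)
SAMPLE_EVENTS = [
    # 4720: account created, then 4732: same account added to Administrators two minutes later
    {"time": T, "host": "SRV01", "id": 4720, "target": "svc_backup"},
    {"time": T + timedelta(minutes=2), "host": "SRV01", "id": 4732,
     "target": "svc_backup", "group": "Administrators"},
    # Sysmon 1: executable staged in the public music folder
    {"time": T + timedelta(minutes=5), "host": "SRV01", "id": 1,
     "image": r"C:\Users\Public\Music\update.exe"},
    # Pre-existing account promoted to admin (no matching 4720): not flagged on its own
    {"time": T + timedelta(hours=3), "host": "WS07", "id": 4732,
     "target": "jdoe", "group": "Administrators"},
    # Benign binary whose name contains "music" but not the folder: not flagged
    {"time": T + timedelta(hours=4), "host": "WS07", "id": 1,
     "image": r"C:\Program Files\Player\music.exe"},
]


def new_admin_accounts(events, window=timedelta(minutes=30)):
    """Pair each 4720 (account created) with a later 4732 that adds the same
    account to Administrators on the same host within `window`."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda x: x["time"]):
        key = (e["host"], e.get("target", "").lower())
        if e["id"] == 4720:
            created[key] = e["time"]
        elif e["id"] == 4732 and e.get("group", "").lower() == "administrators":
            t0 = created.get(key)
            if t0 is not None and e["time"] - t0 <= window:
                hits.append((e["host"], e["target"]))
    return hits


def public_music_executions(events):
    """Process-creation events whose image path sits under a public\\music folder."""
    return [(e["host"], e["image"])
            for e in events
            if e["id"] == 1 and PUBLIC_MUSIC.search(e["image"])]


def hosts_matching_playbook(events):
    """Hosts that show both behaviours, i.e. the same steps in the same order."""
    admins = {host for host, _ in new_admin_accounts(events)}
    staged = {host for host, _ in public_music_executions(events)}
    return sorted(admins & staged)


if __name__ == "__main__":
    print("new admin accounts:", new_admin_accounts(SAMPLE_EVENTS))
    print("staged in public music:", public_music_executions(SAMPLE_EVENTS))
    print("hosts matching playbook:", hosts_matching_playbook(SAMPLE_EVENTS))
```

Each rule alone is noisy (administrators legitimately create accounts, and software occasionally writes to Public folders); requiring both on the same host is what makes the repeated-playbook pattern useful as a signal.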
Play, also known as Balloonfly and PlayCrypt, was first discovered in June 2022. It exploited vulnerabilities in Microsoft Exchange Server, specifically OWASSRF and ProxyNotShell, to enter networks, drop remote administration tools like AnyDesk, and then deploy the ransomware.
A noteworthy characteristic that distinguished Play from other ransomware groups was that the operators who developed the malware also carried out the attacks themselves, in addition to using custom data-gathering tools such as Grixba for double extortion.
Thus, the recent development signals a change and completes its conversion into a RaaS operation, rendering it a profitable choice for cybercriminals.
“When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use,” said Adlumin.
The company further added: “And since there are probably more script kiddies than ‘real hackers’ today, businesses and authorities should take note and prepare for a growing wave of incidents.”
The RaaS ecosystem highlights risks that businesses must deal with
Dr. Jason Nurse, a reader in cyber security at the Institute of Cyber Security for Society at the University of Kent, tells Cyber Security Hub that organizations should be concerned about any ransomware group that starts offering its services as a service. Nurse is a contributor to the Victim Experience project by the Royal United Services Institute (RUSI), which studies the effects of ransomware on victims, economies, and societies.
“The RaaS model poses a significant threat because it gives criminals the ability to scale their attacks and directly aids in their upskilling; attackers who previously lacked the technical know-how or capacity to launch a ransomware attack would now possess it.” He says that they can launch attacks at any target they choose. The risk environment for enterprises grows as more ransomware groups adopt the RaaS model. Several groups could be using a suite of ransomware tools to target the business instead of just one.
RaaS assaults are “easier to detect.”
Even as the growing RaaS market poses a greater threat, ransomware delivered as a service can be simpler to detect because of its common deployment techniques, according to Adlumin. The company stated that “analysts, researchers, and law enforcement can greatly benefit from IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables, and others discovered from an attack.” These provide some insight into the level of sophistication of the attackers and act as clues to help piece together what happened during an incident and how it progressed.
“Through the first few attacks, threat actors who use playbooks provided by RaaS are likely to follow them closely. Errors will occur, and if they are significant enough, the authorities may be able to use them as a guide.