FBI, CISA, ASD issue advisory warning of Play ransomware global threat using double extortion tactics


The U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have collaborated to release a joint Cybersecurity Advisory (CSA). The guidance provides important information about the tactics, techniques, and procedures (TTPs) used by the Play ransomware group, as well as indicators of compromise (IOCs) identified through FBI investigations as recently as October.

The advisory comes in the wake of the Play ransomware hackers having adopted a double-extortion approach, where they first exfiltrate data and then encrypt systems. Their attacks have had a significant impact on various businesses and critical infrastructure organizations across North America, South America, Europe, and Australia.

“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” the advisory disclosed. “As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors. In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.”

It added that the Play ransomware group is presumed to be a closed group, designed to ‘guarantee the secrecy of deals,’ according to a statement on the group’s data leak website. “Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.”

Additionally, the advisory detailed that the ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[dot]de. “Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([dot]onion URL),” it added. 

The Play ransomware group gains initial access to victim networks through the abuse of valid accounts and exploitation of public-facing applications, specifically through known FortiOS and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Play ransomware actors have also been observed using external-facing services such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs) for initial access.

The advisory disclosed that Play ransomware actors use tools like AdFind to run Active Directory queries and Grixba, an information-stealer, to enumerate network information and scan for antivirus software. “Actors also use tools like GMER, IOBit, and PowerTool to disable anti-virus software and remove log files. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender,” it added.

Play ransomware hackers use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access. 

According to open-source reporting, to further enumerate vulnerabilities, Play ransomware hackers use Windows Privilege Escalation Awesome Scripts (WinPEAS) to search for additional privilege escalation paths. The hackers then distribute executables via Group Policy Objects.

The hackers often split compromised data into segments and use tools like WinRAR to compress files into [dot]RAR format for exfiltration, the advisory identified. “The actors then use WinSCP to transfer data from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes.”
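The intermittent-encryption detail above (every other 0x100000-byte portion encrypted) has a practical consequence for responders: a file hit by Play does not look uniformly random, it alternates high-entropy and ordinary content in 1 MiB steps. The following is an added example, not code from the advisory or from any of the agencies, that classifies a file body by per-portion Shannon entropy and reports whether the pattern matches whole-file encryption, the alternating pattern described in the advisory, or ordinary content. The entropy thresholds, the constructed sample data, and the use of seeded random bytes in place of real ciphertext are assumptions made for the example.

```python
import math
import random
from collections import Counter

CHUNK = 0x100000  # 1 MiB: the portion size the advisory attributes to Play's intermittent encryption


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, about 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each consecutive chunk-sized portion; the final portion may be shorter."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = 7.5,
             low: float = 6.0, min_chunks: int = 4) -> str:
    """
    Heuristic label for a file body (thresholds are assumptions, tune per file type):
      "too-small"    - fewer than min_chunks portions, so no pattern can be judged
      "full"         - every portion is high-entropy (whole-file encryption, or compressed data)
      "intermittent" - portions strictly alternate high / low entropy, in either phase
      "plain"        - anything else (ordinary file content)
    """
    ents = chunk_entropies(data, chunk)
    if len(ents) < min_chunks:
        return "too-small"
    if all(e >= high for e in ents):
        return "full"

    def alternates(start_high: bool) -> bool:
        expect_high = start_high
        for e in ents:
            if (expect_high and e < high) or (not expect_high and e > low):
                return False
            expect_high = not expect_high
        return True

    return "intermittent" if alternates(True) or alternates(False) else "plain"


def build_sample(pattern: str, chunk: int = CHUNK, seed: int = 1) -> bytes:
    """
    Constructed test data, one portion per letter: 'E' = simulated ciphertext
    (seeded random bytes, NOT real AES output), 'P' = repetitive plaintext.
    """
    rng = random.Random(seed)
    line = b"Quarterly report: revenue figures and notes.\n"
    plain = (line * (chunk // len(line) + 1))[:chunk]
    return b"".join(rng.randbytes(chunk) if p == "E" else plain for p in pattern)


if __name__ == "__main__":
    for pattern in ("EPEP", "EEEE", "PPPP", "EEPP"):
        print(pattern, "->", classify(build_sample(pattern)))
```

To run this over real files, replace `build_sample` output with the file contents; note that already-compressed formats (archives, media, office documents) are high-entropy on their own and will land in "full" even when untouched, so the result is a triage signal to confirm against file headers and the ransomware extension, not a verdict.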

The FBI, CISA, and ASD’s ACSC recommend that organizations implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. They also recommend requiring all accounts with password logins to comply with NIST’s standards for developing and managing password policies, and requiring multi-factor authentication for all services to the extent possible.

The advisory also calls for keeping all operating systems, software, and firmware up to date, noting that timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

The advisory called upon organizations to segment networks, which helps prevent the spread of ransomware by controlling traffic flows between, and access to, the various subnetworks and by restricting adversary lateral movement. It also advises organizations to identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool; filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems; install, regularly update, and enable real-time detection for antivirus software on all hosts; and review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.

It also suggests auditing user accounts with administrative privileges and configuring access controls according to the principle of least privilege, disabling unused ports, and disabling hyperlinks in received emails.
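The two account-focused recommendations above (review directories for new or unrecognized accounts, and audit accounts with administrative privileges) can be turned into a repeatable check against an export of domain controller Security log events. The following is an added example, not code from the advisory; it reads a constructed CSV export of Windows Security events 4720 (user account created), 4728 and 4732 (member added to a security-enabled global or local group), compares them against an organisation's baselines, and reports accounts that were not approved, accounts created by a principal not authorised to create them, and additions to privileged groups. The baseline sets, the column layout of the export, and all account names are placeholders assumed for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export (not real telemetry): Security log events from a domain
# controller, reduced to the columns this triage uses. Real exports carry more fields.
SAMPLE_EXPORT = """\
time,event_id,subject,target,group
2023-10-02T09:14:03Z,4720,helpdesk.jane,tsmith,
2023-10-02T09:20:47Z,4728,helpdesk.jane,tsmith,Finance-Users
2023-10-03T02:51:10Z,4720,svc-backup,sysadm1n,
2023-10-03T02:52:30Z,4728,svc-backup,sysadm1n,Domain Admins
2023-10-03T02:58:02Z,4732,svc-backup,sysadm1n,Administrators
"""

# Assumed baselines an organisation would maintain from change control; placeholder values.
KNOWN_ACCOUNTS = {"tsmith", "helpdesk.jane", "svc-backup", "admin.bob"}  # approved accounts
ACCOUNT_CREATORS = {"helpdesk.jane"}                                       # allowed to create accounts
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

ACCOUNT_CREATED = "4720"
MEMBER_ADDED = {"4728", "4732"}  # added to security-enabled global / local group


@dataclass(frozen=True)
class Finding:
    time: str
    rule: str
    detail: str


def triage(export_csv: str) -> list[Finding]:
    """Apply the three account rules to every row of the export and return the findings in log order."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        eid, subject, target, group = row["event_id"], row["subject"], row["target"], row["group"]
        if eid == ACCOUNT_CREATED:
            # New account that change control does not know about.
            if target not in KNOWN_ACCOUNTS:
                findings.append(Finding(row["time"], "unrecognized-account",
                                        f"{target} created by {subject}"))
            # Account created by a principal that is not supposed to create accounts
            # (a service account doing this is a classic sign of credential abuse).
            if subject not in ACCOUNT_CREATORS:
                findings.append(Finding(row["time"], "unauthorized-creator",
                                        f"{subject} created {target}"))
        elif eid in MEMBER_ADDED and group in PRIVILEGED_GROUPS:
            # Any new member of an administrative group is reviewed, approved or not.
            findings.append(Finding(row["time"], "privileged-group-add",
                                    f"{target} added to {group} by {subject}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, useful for a daily report line."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f.time, f.rule, f.detail)
    print(summarize(triage(SAMPLE_EXPORT)))
```

Against the constructed sample, the approved `tsmith` account produces nothing, while the `sysadm1n` account produces four findings: it is unknown to change control, it was created by a service account, and it was added to two privileged groups within minutes. Feeding the script a real export means mapping the export's own column names onto the four used here and keeping the baseline sets in version control so that reviews compare against an agreed state rather than memory.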

The advisory also suggests implementing time-based access for accounts at the admin level and higher; disabling command-line and scripting activities and permissions; maintaining offline backups of data and regularly maintaining backup and restoration procedures; and ensuring that backup data is encrypted and immutable.

Last week, security agencies from the U.S. and Europe alerted public and private organizations to the activities of Russian Foreign Intelligence Service (SVR) cyber hackers, who are also known by various names such as APT 29, the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard. These hackers have been exploiting CVE-2023-42793 on a large scale, targeting servers that host JetBrains TeamCity software since September.
