FBI Issues Play Ransomware Security Advisory & Mitigation Steps to Take Now


The FBI, CISA, and the Australian Cyber Security Centre have issued an advisory about the Play ransomware group, also known as Playcrypt, which has impacted businesses and critical infrastructure in North America, South America, and Europe.

Play ransomware was one of the most active ransomware groups in 2024, the advisory said.

As of May, the group had breached more than 900 organizations in multiple countries since its launch in June 2022, according to the FBI. In Australia, the first Play ransomware incident was reported in April 2023, with the most recent incident occurring in November of that year.

Multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, have exploited three vulnerabilities, including CVE-2024-57727, in the remote monitoring and management (RMM) tool SimpleHelp. This has enabled operators to achieve remote code execution against numerous US-based organizations since mid-January.


Ransomware group’s methods include using double extortion

The Play ransomware group gains initial access to victim networks by abusing valid accounts, likely purchased on the dark web, and exploiting public-facing applications, according to the advisory.

Play ransomware actors have used external-facing services such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs) for initial access. Once they are inside a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain access to domain administrator accounts.


The Play ransomware group is designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. The actors send a unique @gmx.de or @web[.]d email, and there is no initial ransom demand or payment instructions in the ransom notes; instead, victims are instructed to contact the threat actors via email.

“A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom,” the advisory says.

The actors employ a double extortion model, encrypting systems after exfiltrating data.


Steps organizations should take now to reduce cyber threat risks

To mitigate cyber threats from Play ransomware, the advisory urges organizations to take the following actions:

  • Prioritize remediating known exploited vulnerabilities.
  • Enable multifactor authentication (MFA) for all services, particularly for webmail, VPN, and accounts that access critical systems.
  • Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.

Authorities urge organizations to stay vigilant, patch systems promptly, and strengthen access controls to reduce risk.
