On February 6, 2024, Play ransomware added 13 new organizations to its leak site, marking a spike in the cybercrime group's activity. This trend is also consistent with the prevalent targeting of small and medium-sized enterprises operating in segments linked to the real estate and construction sectors, the same pattern recently observed in connection with 8base, a separate ransomware operation.
Here we provide an analysis of the monitoring data we collected from November 1, 2023 onwards.
Prevalent Targeting Of Western Countries
In the timeframe of our monitoring, Play events were observed in a relatively limited geographic area, with the overwhelming majority of the claimed victims being located in Western countries, specifically in North America and Western Europe.
Consistent with a well-established global trend, the United States (US) stands as the most impacted country; more than half of the total Play attacks targeted US-based organizations. Looking at the North America (NAM) region more broadly, Canada also figures on the list of impacted countries, but with less than 10 percent of the volume of attacks targeting its neighbor.
In Europe, the United Kingdom (UK), Germany, and the Netherlands were the most impacted countries. However, the volume of attacks is particularly small when compared to the US. Other attacks were observed in France, Sweden, Luxembourg, and Denmark.
Interestingly enough, only two Play events observed in the timeframe of analysis impacted organizations outside the NAM and Europe regions; targeted countries were South Africa and Australia with one claimed victim respectively.
Targeting of these countries may be consistent with the cybercriminals' attempt to focus on large economies in the Western world. That may be especially the case for the US which, being a very large economy, is often a preferential target of cybercriminals. The UK and Germany can be considered large economies, particularly at the regional level. The same rationale may explain the targeting of an Australian organization. However, the size of the targeted economies alone may be insufficient to explain such specific targeting: large economies in Asia (e.g. China and India) and LATAM (e.g. Brazil) were not targeted despite being frequent targets of other ransomware groups.
While lacking conclusive evidence, this observation may suggest that, alongside financial gain, Play affiliates chose their targets with a geopolitical agenda aligned with Russian state interests. This hypothesis may be supported by the extensive Trend Micro analysis, which highlights commonalities between Play and a Conti-derived ransomware.
Impact By Country (claimed victims, November 1, 2023 onwards)
USA: 57
UK: 6
Germany: 4
Canada: 4
Netherlands: 3
France: 1
Sweden: 1
Denmark: 1
Luxembourg: 1
South Africa: 1
Australia: 1
Recent Focus On Real Estate
Play ransomware predominantly targets SMEs. According to the data obtained via our monitoring, the manufacturing sector was the most widely impacted. Targeted businesses are engaged in a wide variety of segments, including but not exclusively the production of home appliances, furniture, and industrial tools.
During the fall of 2023, businesses engaged in retail, including e-commerce, were disproportionately targeted. Based on data emerging this week, Play ransomware operations appear to be targeting companies engaged in the real estate sector more frequently. We define the latter broadly, including segments such as real estate agencies, construction contractors, and property management companies.
Sectors that have been historically targeted include logistics and technology.
Activity Patterns
Since our data covers the period from November 1, 2023 onwards, the timing of Play's postings may suggest temporal patterns in their activity:
On November 9, 2023, Play posted a notable number of events, surpassing the usual frequency. A similar surge in activity was observed approximately a week later, on November 15, 2023, with an even higher number of posts.
After a period of about two weeks with low intensity, marked by only two events, Play's activity peaked again on November 28, 2023. This peak was replicated one week later, on December 7, 2023.
On February 6, 2024, the cybercrime operation posted a substantial number of claims, exceeding any previous daily metrics. While speculative, this observation raises the potential of a recurring pattern in Play's activity. However, it is important to note that this is only a hypothesis, and there is currently no evidence to confirm such a pattern. We can only observe and analyze the data over time to see if any consistent trends emerge.
The period from December 19 to 21, 2023, may also support this trend. While the volume of activity was notably lower than that observed during the November-December and February peaks, those two days still exhibited a volume higher than the December average. It is important to consider the context as well; the overall trend during the holiday season showed reduced reported ransomware activity.
Infection Chain
The typical Play infection chain relies on a variety of open source tools used at various steps of the chain, as well as living-off-the-land techniques that leverage built-in Windows utilities.
Initial intrusion frequently occurs via phishing, via weak or compromised credentials used to gain a foothold on remote desktop protocol (RDP) servers or corporate virtual private networks (VPNs), or via exploitation of vulnerabilities. Historically, intrusion has relied on remote code execution vulnerabilities impacting FortiOS and Microsoft Exchange Server, including CVE-2022-41082.
After initial access has been obtained, the actor performs a number of actions consistent with attempts to evade detection, including tunnelling malicious traffic through tools such as SystemBC and SSH via Plink. Additionally, the actor disables specific processes, particularly security solutions, via PowerShell commands.
Once on the network, Play deploys tools including Active Directory (AD) query tools (e.g., AdFind and BloodHound), credential-harvesting tools such as Mimikatz, used to capture credentials for privileged accounts, and common penetration testing frameworks such as Cobalt Strike and Empire.
Once specific resources and accounts have been identified, privilege escalation occurs via tools such as WinPEAS. At that point, the actor proceeds with exfiltrating the victim's data: files are compressed via WinRAR and exfiltrated via WinSCP using the Secure File Transfer Protocol (SFTP). After the data has been exfiltrated, the Play ransomware is deployed and the ransom note is dropped.
Proactive steps to mitigate the Play ransomware threat include foundational cybersecurity hygiene: anti-phishing training, strong password policies, and patch management, particularly for VPNs and MS Exchange Server. Additionally, it is important to review logs for unusual activity consistent with the use of tools typically included in the Play infection chain, and for unusual login activity via VPNs.
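As an added illustration of the log review recommended above (this is example code written for this post, not tooling from any vendor or from the Play operators), the script below maps process-creation events to the stages of the infection chain described here and flags hosts where more than one stage appears. The log format, the host and tool names, and the regexes are assumptions constructed for the example; real telemetry (Sysmon, EDR) will need its own field parsing and tuning.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry), one per
# line: "<timestamp> <host> <user> <image path> <command line>".
SAMPLE_LOGS = r"""
2024-02-06T01:12:03 WS01 corp\jdoe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Stop-Service -Name EdrAgentSvc
2024-02-06T01:15:41 WS01 corp\jdoe C:\Temp\AdFind.exe AdFind.exe
2024-02-06T01:20:09 WS01 corp\jdoe C:\Temp\SharpHound.exe SharpHound.exe
2024-02-06T01:33:27 DC01 corp\svc_backup C:\Temp\mimikatz.exe mimikatz.exe
2024-02-06T02:01:55 FS01 corp\svc_backup C:\Program Files\WinRAR\WinRAR.exe WinRAR.exe a -r C:\Temp\fin.rar \\FS01\Finance
2024-02-06T02:14:10 FS01 corp\svc_backup C:\Program Files (x86)\WinSCP\WinSCP.exe WinSCP.exe /command "open sftp://staging.example.net"
2024-02-06T08:30:00 WS07 corp\asmith C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE WINWORD.EXE report.docx
"""

# Chain stages from the post, keyed on the tools it names. The regexes are
# assumptions about how those tools show up in image/command-line fields,
# not Play-specific indicators; tune them to your own telemetry.
STAGE_PATTERNS = {
    "defense_evasion": re.compile(r"powershell\.exe.*\bStop-Service\b", re.I),
    "ad_recon": re.compile(r"\b(adfind|sharphound|bloodhound)\.exe\b", re.I),
    "credential_access": re.compile(r"\bmimikatz\.exe\b", re.I),
    "staging": re.compile(r"\bwinrar\.exe\b.*\.rar\b", re.I),
    "exfil": re.compile(r"\bwinscp\.exe\b.*\bsftp://", re.I),
}
CHAIN_ORDER = list(STAGE_PATTERNS)

def classify(line):
    """Return the first chain stage a log line matches, or None."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(line):
            return stage
    return None

def stages_by_host(log_text):
    """Group matched stages per host, ordered as in the chain, so one machine's progress through the chain is visible."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        fields = line.split(maxsplit=3)  # timestamp, host, user, rest
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the sweep
        stage = classify(fields[3])
        if stage:
            seen[fields[1]].add(stage)
    return {host: sorted(s, key=CHAIN_ORDER.index) for host, s in seen.items()}

def flag_hosts(log_text, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the Play chain."""
    by_host = stages_by_host(log_text)
    return sorted(h for h, s in by_host.items() if len(s) >= min_stages)
```

A single Mimikatz hit (DC01 above) does not reach the default threshold, so a practitioner would lower min_stages to 1 for credential access or treat that stage as an alert on its own.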