Double extortion Play ransomware affects 300 organizations worldwide

Play Ransomware

The threat actors behind the Play ransomware are estimated to have affected around 300 entities by October 2023, according to a new joint cybersecurity advisory from Australia and the US.

“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data, and have affected a wide range of businesses and critical infrastructure organizations in North America, South America, Europe and Australia,” the authorities said.

Play, also known as Balloonfly and PlayCrypt, emerged in 2022 and exploited security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet devices (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware.

It is worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as the initial infection vector, rising from almost zero in the second half of 2022 to almost a third in the first half of 2023, according to data from Corvus.

Cybersecurity firm Adlumin revealed in a report published last month that Play is being offered “as a service” to other threat actors, completing its transformation into a ransomware-as-a-service (RaaS) operation.

Ransomware attacks orchestrated by the group are characterized by the use of public and custom tools such as AdFind to run Active Directory queries, GMER, IOBit and PowerTool to disable antivirus software, and Grixba to enumerate network information and collect information about backup software and remote systems management tools installed on a machine.

The threat actors have also been observed performing lateral movement and data exfiltration and encryption steps, relying on Cobalt Strike, SystemBC and Mimikatz for post-exploitation.
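The tooling listed above (AdFind and Grixba for discovery, GMER, IOBit and PowerTool for disabling antivirus, Mimikatz for credential theft) gives a defender a concrete hunting target. The following script is an added example, not part of the advisory or the article: it scans process-creation records for those tool names and escalates a host only when more than one stage of the chain appears on it, since a lone AdFind run may be an administrator's. The log format, the host names and the executable file names are constructed assumptions; real operators rename binaries, so a production detection would also key on file hashes and behaviour rather than names alone.

```python
"""Toy host-level correlation over process-creation records for the tooling
named in the Play advisory. Added example; the log lines, hosts and
executable names below are constructed and assumed, not from the advisory."""
import re
from collections import defaultdict

# Tool name fragment -> stage of the pre-encryption chain described in the
# article. Executable names are an assumption: attackers rename binaries.
# Cobalt Strike and SystemBC are left out because their payloads rarely
# carry their own name and are better caught in network telemetry.
TOOL_CATEGORIES = {
    "adfind": "ad_discovery",
    "grixba": "ad_discovery",
    "gmer": "defense_evasion",
    "iobit": "defense_evasion",
    "powertool": "defense_evasion",
    "mimikatz": "credential_access",
}

# Minimal key=value record shape; a real feed would be Sysmon EID 1 or 4688.
LINE_RE = re.compile(r"host=(?P<host>\S+)\s+image=(?P<image>\S+)")


def classify_image(image_path):
    """Map an executable path to a chain stage, or None if it is not a known tool."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for fragment, category in TOOL_CATEGORIES.items():
        if fragment in name:
            return category
    return None


def analyze(lines):
    """Group matching images per host: {host: {stage: [image_path, ...]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # malformed or unrelated record
        category = classify_image(match.group("image"))
        if category:
            hits[match.group("host")][category].append(match.group("image"))
    return {host: dict(stages) for host, stages in hits.items()}


def flag_hosts(lines, min_stages=2):
    """Return hosts on which at least `min_stages` distinct chain stages were seen.

    Discovery plus AV tampering plus credential theft on one host is the
    pattern the advisory describes; a single stage alone is not escalated."""
    hits = analyze(lines)
    return sorted(host for host, stages in hits.items() if len(stages) >= min_stages)


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    "ts=2023-11-02T09:14:03Z host=ws-finance-07 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe",
    "ts=2023-11-02T09:16:41Z host=ws-finance-07 image=C:\\Temp\\gmer.exe",
    "ts=2023-11-02T09:20:12Z host=ws-finance-07 image=C:\\Temp\\mimikatz.exe",
    "ts=2023-11-02T10:01:00Z host=dc-01 image=C:\\Tools\\AdFind.exe",
    "ts=2023-11-02T10:05:30Z host=ws-hr-02 image=C:\\Windows\\System32\\svchost.exe",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for host, stages in analyze(SAMPLE_LOGS).items():
        print(host, {stage: len(paths) for stage, paths in stages.items()})
    print("escalate:", flag_hosts(SAMPLE_LOGS))
```

The threshold is deliberately on distinct stages rather than raw hit counts: ten AdFind runs on a domain controller by an administrator stay at one stage, while one discovery tool followed by one AV-disabling tool on a finance workstation is exactly the sequence worth paging on.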

“The Play ransomware group uses a double extortion model, encrypting systems after exfiltrating data,” the agencies said. “Ransom notes do not contain an initial ransom demand or payment instructions, but victims are instructed to contact the threat actors via email.”

According to statistics compiled by Malwarebytes, Play is said to have claimed almost 40 victims in November 2023 alone, but it is significantly behind its peers LockBit and BlackCat (also known as ALPHV and Noberus).

The warning comes days after US government agencies issued an updated bulletin on the Karakurt group, which is known to eschew encryption-based attacks in favor of outright extortion after gaining initial access to networks through the purchase of stolen credentials, intrusion brokers (also called initial access brokers), phishing and known security flaws.

“Victims of Karakurt have not reported encryption of compromised machines or files; instead, Karakurt actors have claimed to steal data and threatened to auction or release it to the public unless they receive payment of the requested ransom,” the government said.

The developments also come amid speculation that the BlackCat ransomware may have been the target of a law enforcement operation after its dark web leak portals went offline for five days. However, the e-crime collective attributed the outage to a hardware fault.

In addition, another emerging ransomware group known as NoEscape is said to have carried out an exit scam, effectively “stealing the ransom and shutting down the group’s web panels and data leak sites”, prompting other gangs such as LockBit to recruit its former members.

That the ransomware landscape is constantly evolving and shifting, whether or not due to external pressure from law enforcement, is not surprising. This is further evidenced by the collaboration between the ransomware gangs BianLian, White Rabbit and Mario in a joint extortion campaign targeting listed financial services companies.

“These cooperative ransom campaigns are rare, but may be becoming more common due to the involvement of Initial Access Brokers (IABs) working with multiple groups on the dark web,” Resecurity said in a report published last week.

“Another factor that could lead to increased cooperation is law enforcement interventions that create cybercriminal diaspora networks. Displaced participants in these threat actor networks may be more willing to cooperate with rivals.”
