play
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises. On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs
- Unspecified
- Consumer Services
- Business Services
- Technology
- Transportation/Logistics
- Telecommunication
- Construction
- Agriculture and Food Production
- TA0001Initial Access
- TA0002Execution
- T1053.005Scheduled Task/Job: Scheduled Task
Scheduled tasks used for payload persistence and execution across compromised hosts.
- T1059Command and Scripting Interpreter
- T1059.001Command and Scripting Interpreter: PowerShell
PowerShell scripts used for payload execution and post-exploitation tooling deployment.
- TA0005Defense Evasion
- T1027Obfuscated Files or Information
Play ransomware payloads are split into multiple parts to bypass AV scanning; parts reassembled on target systems.
- T1070Indicator Removal
- T1070.001Indicator Removal: Clear Windows Event Logs
Windows event logs wiped to remove forensic evidence using wevtutil.
- T1484Domain or Tenant Policy Modification
- T1484.001Domain or Tenant Policy Modification: Group Policy Modification
- T1562.001Disable or Modify Tools
Security tools including Windows Defender and AV products disabled prior to encryption.
- TA0006Credential Access
- TA0007Discovery
- T1016System Network Configuration Discovery
- T1046Network Service Discovery
Network scanning tools used to enumerate hosts, services, and potential lateral movement targets.
- T1087.002Account Discovery: Domain Account
Active Directory enumeration to identify privileged accounts and high-value targets.
- T1518Software Discovery
- T1518.001Software Discovery: Security Software Discovery
- TA0008Lateral Movement
- TA0009Collection
- TA0010Exfiltration
- T1048Exfiltration Over Alternative Protocol
WinSCP and Rclone used to exfiltrate data to actor-controlled infrastructure and cloud storage ahead of encryption.
- TA0011Command and Control
- T1219Remote Access Software
Cobalt Strike, SystemBC, and AnyDesk used as C2 frameworks for persistent access.
- TA0040Impact
- T1486Data Encrypted for Impact
Play ransomware uses AES-RSA hybrid encryption. Files appended with .play extension. Targets Windows and Linux/ESXi environments. Double extortion model with data published on Play leak site. Notable for NOT including ransom note in individual encrypted files — single note left at root of C: drive.
- T1489Service Stop
Database, mail, backup, and security services terminated before encryption to ensure maximum file access.
- T1490Inhibit System Recovery
Shadow copies deleted and Windows recovery disabled to prevent victim restoration of files.
- T1657Financial Theft