Play ransomware, also known as PlayCrypt, is a cybercrime group that has been active since 2022, targeting organizations worldwide with a double-extortion model. The group exfiltrates sensitive data before encrypting systems, and its ransom note instructs victims to negotiate by email without stating a ransom amount. Play has struck over 300 entities across sectors including telecommunications, healthcare, and government. This article examines the tactics and tooling used by Play ransomware and offers recommendations for defending against it.
Affected: telecommunications, healthcare, media, transportation, construction, government
Key points:
- Play ransomware uses a double-extortion model, encrypting systems post-data exfiltration.
- The group has targeted over 300 organizations worldwide, including various sectors.
- Play ransomware employs advanced tactics and tools like Cobalt Strike and Mimikatz.
- Defense strategies include implementing EDR solutions, network segmentation, and maintaining offline backups.
- Continuous testing and validation of security controls are essential to counter the threat.
MITRE Techniques:
- TA0002: Execution – T1106: Native API – Used Cobalt Strike for lateral movement and file execution.
- TA0002: Execution – T1059: Command and Scripting Interpreter – Utilized WinPEAS for privilege escalation.
- TA0003: Persistence – T1543: Create or Modify System Process – Created scheduled tasks via schtasks for persistence.
- TA0007: Discovery – T1018: Remote System Discovery – Leveraged Adfind tool for network reconnaissance.
- TA0006: Credential Access – T1003.001: OS Credential Dumping – Used Mimikatz to dump credentials from LSASS memory.
- TA0011: Command and Control – T1090.001: Proxy – Manipulated firewall rules using netsh command.
- TA0040: Impact – T1491.001: Defacement – Attempted to write a ransom note file on the C drive.
Indicators of Compromise:
- [Command] cmd.exe /c rundll32.exe "%TMP%cspipe.dll",cspipe
- [Command] cmd.exe /c "%TMP%adfind.exe" -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > "%TMP%some.csv"
- [Command] cmd.exe /c nltest /dclist:
- [Command] wmic.exe logicaldisk get size,freespace,caption
- [Command] %TMP%procdump.exe -accepteula -ma lsass.exe "%TMP%lsass.dmp"
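As an added defensive example (not code from the original write-up or from the group it describes), the following Python script turns the command-line indicators listed above into regex detections, runs them over process-creation records, and escalates any host where several distinct detections fire together. The rule names, the pipe-delimited log format and the sample records are this example's own assumptions.

```python
import re
from collections import defaultdict

# Regexes derived from the command lines listed above; the rule names are this
# example's own. Matching is case-insensitive and tolerant of an optional ".exe".
RULES = {
    "procdump_lsass_dump": re.compile(r"procdump(?:64)?\.exe\s.*-ma\s+lsass(?:\.exe)?", re.I),
    "adfind_computer_enum": re.compile(r"adfind\.exe.*objectcategory=computer", re.I),
    "nltest_dclist": re.compile(r"nltest(?:\.exe)?\s+/dclist", re.I),
    "wmic_disk_recon": re.compile(r"wmic(?:\.exe)?\s+logicaldisk\s+get\b", re.I),
    "rundll32_tmp_dll": re.compile(r'rundll32\.exe\s+"?%TMP%[^"\s]*\.dll"?\s*,', re.I),
}

# Constructed process-creation records in the form "timestamp|host|user|command line".
# WS01 reproduces the indicator sequence; SRV02 shows benign look-alike activity.
SAMPLE_LOG = [
    "2024-05-01T02:14:05Z|WS01|CORP\\jdoe|cmd.exe /c nltest /dclist:",
    "2024-05-01T02:14:09Z|WS01|CORP\\jdoe|wmic.exe logicaldisk get size,freespace,caption",
    "2024-05-01T02:15:30Z|WS01|CORP\\jdoe|cmd.exe /c \"%TMP%\\adfind.exe\" -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > \"%TMP%\\some.csv\"",
    "2024-05-01T02:20:12Z|WS01|CORP\\jdoe|%TMP%\\procdump.exe -accepteula -ma lsass.exe \"%TMP%\\lsass.dmp\"",
    "2024-05-01T02:21:00Z|WS01|CORP\\jdoe|cmd.exe /c rundll32.exe \"%TMP%\\cspipe.dll\",cspipe",
    "2024-05-01T09:00:00Z|SRV02|CORP\\backup|wmic.exe logicaldisk get size,freespace,caption",
    "2024-05-01T09:05:00Z|SRV02|CORP\\backup|procdump.exe -accepteula -ma notepad.exe out.dmp",
]

def match_rules(command_line):
    """Return the names of every rule whose regex matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def scan(lines):
    """Return one (timestamp, host, user, rule) tuple per rule hit per record."""
    hits = []
    for line in lines:
        ts, host, user, cmd = line.split("|", 3)
        for rule in match_rules(cmd):
            hits.append((ts, host, user, rule))
    return hits

def hosts_with_chain(hits, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired, i.e. recon followed
    by credential dumping or loader execution rather than one isolated admin command."""
    per_host = defaultdict(set)
    for _, host, _, rule in hits:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT ts=%s host=%s user=%s rule=%s" % hit)
    print("hosts with chained activity:", hosts_with_chain(scan(SAMPLE_LOG)))
```

The single wmic hit on SRV02 stays a low-priority alert, while WS01 crosses the chain threshold and should be escalated for triage of the LSASS dump and the DLL loaded from %TMP%.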
Full Story: https://www.picussecurity.com/resource/blog/play-ransomware