Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals

November 21, 2023 at 09:00AM

The ransomware strain Play is now available as a service for other threat actors, according to cybersecurity company Adlumin. Affiliates who purchase the ransomware follow step-by-step instructions from playbooks delivered with it, resulting in attacks with minimal variations. Play, also known as Balloonfly and PlayCrypt, has previously targeted networks through Microsoft Exchange Server vulnerabilities and is now transitioning into a lucrative Ransomware-as-a-Service (RaaS) operation, attracting both professional hackers and script kiddies. Businesses and authorities should prepare for an increasing number of Play-related incidents.

According to the report, the ransomware strain known as Play has transitioned into a ransomware-as-a-service (RaaS) model. Adlumin has found evidence suggesting that affiliates are purchasing the Play ransomware and executing attacks using step-by-step instructions provided with it.

Adlumin’s analysis of several Play ransomware attacks across different sectors revealed consistent tactics and sequences: the use of the public music folder to conceal malicious files, the creation of high-privilege accounts with the same password, and the execution of identical commands in the attacks that were compared.
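The three indicators Adlumin lists (files staged in the Public Music folder, newly created accounts promoted to an admin group, and the same commands reappearing from one intrusion to the next) are the kind of low-variation tradecraft that playbook-driven affiliates leave behind, which makes them good candidates for simple correlation rules. The following is an added example, not code from the page or from Adlumin: it runs three such rules over a handful of constructed, normalised Windows-style events (file-create, account-create, group-membership and process-create records). The event schema, field names, host names and file paths are assumptions made for this example, not a real product format.

```python
"""
Detection sketch for the affiliate tradecraft described above:
  1. executable or script content written under the Public Music folder,
  2. an account created and added to a high-privilege group shortly after,
  3. an identical command line seen on several hosts (playbook reuse).

Added example, not Adlumin's code. Every event below is CONSTRUCTED to
resemble normalised Windows logs; the field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PUBLIC_MUSIC = "c:\\users\\public\\music\\"          # compared case-insensitively
DROPPER_EXTS = (".exe", ".dll", ".ps1", ".bat", ".vbs")
HIGH_PRIV_GROUPS = {"administrators", "domain admins", "enterprise admins"}
PROMOTION_WINDOW = timedelta(hours=1)

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2023-11-20T01:02:00", "host": "srv1", "type": "file_create",
     "path": "C:\\Users\\Public\\Music\\svc.exe"},
    {"ts": "2023-11-20T01:03:00", "host": "srv1", "type": "file_create",
     "path": "C:\\Users\\Public\\Music\\track01.mp3"},          # benign media file
    {"ts": "2023-11-20T01:05:00", "host": "srv1", "type": "user_created",
     "user": "backupadm"},
    {"ts": "2023-11-20T01:06:00", "host": "srv1", "type": "group_member_added",
     "user": "backupadm", "group": "Administrators"},
    {"ts": "2023-11-20T01:10:00", "host": "srv1", "type": "process_create",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\Music\\stage.ps1"},
    {"ts": "2023-11-21T03:10:00", "host": "srv2", "type": "process_create",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\Music\\stage.ps1"},
    {"ts": "2023-11-21T03:12:00", "host": "srv2", "type": "user_created",
     "user": "helpdesk2"},
    {"ts": "2023-11-21T09:00:00", "host": "srv2", "type": "group_member_added",
     "user": "helpdesk2", "group": "Administrators"},           # ~6h later: outside window
]


def _ts(ev):
    """Parse the ISO-8601 timestamp carried by an event."""
    return datetime.fromisoformat(ev["ts"])


def find_public_music_drops(events):
    """Rule 1: executable/script content written under the Public Music folder."""
    hits = []
    for ev in events:
        if ev["type"] != "file_create":
            continue
        path = ev["path"].lower()
        if path.startswith(PUBLIC_MUSIC) and path.endswith(DROPPER_EXTS):
            hits.append((ev["host"], ev["path"]))
    return hits


def find_fast_privileged_accounts(events, window=PROMOTION_WINDOW):
    """Rule 2: account created and added to a high-privilege group within `window`."""
    created = {}            # (host, user) -> creation time
    hits = []
    for ev in sorted(events, key=_ts):   # order matters: creation must precede promotion
        key = (ev["host"], ev.get("user", "").lower())
        if ev["type"] == "user_created":
            created[key] = _ts(ev)
        elif ev["type"] == "group_member_added" and ev["group"].lower() in HIGH_PRIV_GROUPS:
            t0 = created.get(key)
            if t0 is not None and _ts(ev) - t0 <= window:
                hits.append((ev["host"], ev["user"], ev["group"]))
    return hits


def find_repeated_commands(events, min_hosts=2):
    """Rule 3: identical command lines on at least `min_hosts` distinct hosts."""
    hosts_by_cmd = defaultdict(set)
    for ev in events:
        if ev["type"] == "process_create":
            hosts_by_cmd[ev["cmdline"].strip().lower()].add(ev["host"])
    return {cmd: sorted(hosts) for cmd, hosts in hosts_by_cmd.items()
            if len(hosts) >= min_hosts}


def run_rules(events):
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "public_music_drops": find_public_music_drops(events),
        "fast_privileged_accounts": find_fast_privileged_accounts(events),
        "repeated_commands": find_repeated_commands(events),
    }


if __name__ == "__main__":
    for name, findings in run_rules(EVENTS).items():
        print(f"{name}: {findings}")
```

Rule 2 deliberately keys on the host and account name and requires the promotion to follow the creation inside a short window, so the slow, ticketed promotion on `srv2` is not reported. The "same password on every new account" indicator cannot be recovered from event logs, which never record password material; it is something an incident responder confirms from the affected accounts during response, not from telemetry. Rule 3 is the cheapest cross-host signal: a playbook that tells affiliates to type the same command on every victim produces identical command lines, which a fleet-wide grouping surfaces even when the individual command looks innocuous.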

Play, also known as Balloonfly and PlayCrypt, initially emerged in June 2022 and targeted networks by exploiting vulnerabilities in Microsoft Exchange Server. The operators responsible for developing the ransomware were also the ones carrying out the attacks, distinguishing Play from other ransomware groups.

However, the recent development indicates a shift towards a RaaS operation, transforming Play into a lucrative option for cybercriminals. RaaS operators are advertising ransomware kits that provide hackers with all the necessary resources, including documentation, forums, technical support, and assistance with ransom negotiations. This accessibility may entice script kiddies to engage in ransomware attacks, leading to a potential rise in incidents that organizations and authorities should be prepared for.
