December 19, 2023 at 06:03AM
CISA, FBI, and ACSC have issued an advisory on Play ransomware, detailing its tactics, targets, and impact. The ransomware gang uses double-extortion tactics, exploits various vulnerabilities for access, and encrypts victim data. The advisory includes indicators of compromise, mitigation steps, and recommends testing security controls against the threat behaviors outlined in the advisory.
Key takeaways from the meeting notes are as follows:
1. The US cybersecurity agency CISA, the FBI, and the Australian Cyber Security Centre (ACSC) have published a new advisory on the Play ransomware attacks, detailing the tactics, techniques, and procedures (TTPs) associated with this cyber threat.
2. The Play ransomware, also known as Playcrypt, has been active since June 2022, targeting organizations in the Americas and Europe. The FBI is aware of approximately 300 victims as of October 2023, with approximately 100 additional alleged victims added to the group’s leak website in the past two months.
3. The Play ransomware gang engages in double-extortion tactics, encrypting victims’ systems and exfiltrating their data, threatening to release it publicly unless a ransom is paid.
4. The group has exploited FortiOS and Microsoft Exchange vulnerabilities, as well as valid credentials, and has been observed using RDP and VPN services for initial access.
5. Following initial access, the Play ransomware gang uses various tools for Active Directory discovery, network enumeration, anti-virus software identification and disabling, log file removal, lateral movement, credential harvesting, and vulnerability discovery. They have also been seen deploying executables via Group Policy Objects (GPO).
6. The group harvests victim data, splits it into segments, and exfiltrates it to the command-and-control (C&C) server compressed as RAR files. They then encrypt compromised systems using AES-RSA hybrid encryption. Victims are instructed to contact the gang at an email address ending in @gmx[.]de and to pay a ransom demand in cryptocurrency to a provided wallet address.
7. The government agencies provide indicators-of-compromise (IoCs) associated with Play ransomware attacks, along with recommended mitigation steps, which include the implementation of a recovery plan, the use of strong authentication methods, updating systems and applications, monitoring networks for suspicious activity, using security solutions, and enhancing email protections.
8. Additionally, the FBI, CISA, and ACSC recommend testing existing security controls inventory to assess how they perform against the techniques described in the advisory, based on the MITRE ATT&CK for Enterprise framework.
These takeaways summarize the key points from the meeting notes concerning the Play ransomware and the actions being taken by the relevant government agencies.