FBI Alert: Play Ransomware Gang Tops 300 Victims


December 18, 2023


The Federal Bureau of Investigation (FBI) issued a joint advisory (PDF) in partnership with CISA and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) on the Play ransomware gang asserting the gang has compromised over 300 organizations since emerging in June of 2022.

"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe," BleepingComputer reports the advisory as stating.

"The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date."

Takeaway: Play (aka PlayCrypt) is a RaaS that emerged in the summer of 2022 and is noted for having similarities to the Hive and Nokoyawa ransomware strains. Play often exploits unpatched Fortinet SSL VPN vulnerabilities to gain access.

Play made headlines with high-profile attacks on the City of Oakland, Argentina's Judiciary and German hotel chain H-Hotels, as well as exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS).

Play is an evolving RaaS platform known to leverage PowerTool to disable antivirus and other security monitoring solutions as well as SystemBC RAT for persistence.  

Play is known to leverage tools like Cobalt Strike for post-compromise lateral movement, SystemBC RAT executables and the legitimate tools Plink and AnyDesk to maintain persistence, as well as Mimikatz and living-off-the-land binary (LOLBin) techniques.

Play has been observed leveraging Process Hacker, GMER, IOBit and PowerTool to bypass security solutions, as well as PowerShell or command scripts to disable Windows Defender. Play also abuses AdFind for command-line queries to collect information from a target’s Active Directory.
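A defender-side way to hunt for the tooling named above, as an added example that is not from the advisory or from Halcyon: it correlates process-creation events per host and flags hosts where tools from two or more categories appear together, since AnyDesk or Plink alone is often legitimate. The `host|image|command line` event format, the category grouping, the threshold and the sample events are constructed assumptions; SystemBC is omitted because the page gives no file names for it.

```python
import re
from collections import defaultdict

# Tool names are the ones the article lists; the grouping is an assumption.
# Matching on the image file name is a heuristic that a renamed binary evades.
TOOLS = {
    "defense_evasion": ["processhacker", "gmer", "iobit", "powertool"],
    "remote_access": ["plink", "anydesk"],
    "credential_access": ["mimikatz"],
    "discovery": ["adfind"],
}
# Set-MpPreference is the Defender configuration cmdlet; this pattern is an
# assumed heuristic for any -Disable* switch being turned on.
DEFENDER_OFF = re.compile(r"set-mppreference\b.*-disable\w+\s+(\$true|1)\b", re.I)

def classify(image, cmdline):
    """Return the set of categories one process-creation event falls into."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    hits = {cat for cat, names in TOOLS.items() if any(n in base for n in names)}
    if DEFENDER_OFF.search(cmdline):
        hits.add("defense_evasion")
    return hits

def correlate(lines, threshold=2):
    """Flag hosts whose events span at least `threshold` distinct categories."""
    per_host = defaultdict(set)
    for line in lines:
        parts = line.split("|", 2)  # a command line may itself contain '|'
        if len(parts) != 3:
            continue  # skip malformed records instead of failing the hunt
        host, image, cmdline = (p.strip() for p in parts)
        per_host[host] |= classify(image, cmdline)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= threshold}

# Constructed sample events (not taken from the advisory).
SAMPLE_EVENTS = [
    r"WS01|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|AnyDesk.exe",
    r"SRV02|C:\Users\Public\AdFind.exe|AdFind.exe -f objectcategory=computer",
    r"SRV02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"SRV02|C:\Users\Public\plink.exe|plink.exe",
    "truncated record without separators",
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

WS01 stays below the threshold because a lone AnyDesk process matches only one category, while SRV02 is flagged for three.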

Play first introduced the intermittent encryption technique for improved evasion capabilities. Play also developed two custom data exfiltration tools - the Grixba information stealer and a Volume Shadow Copy Service (VSS) Copying Tool - that improve efficiency in exfiltrating sensitive information on the targeted network. Play has been observed leveraging exploits including ProxyNotShell, OWASSRF and a Microsoft Exchange Server RCE.

Play continued to increase attacks throughout 2023 and is one of the most active ransomware groups today. There is little information on how much Play demands for a ransom, but they have made good on their threats to leak the data of those who refuse payment.  

The Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, but has attacked outside of that region. Play was observed to be running a worldwide campaign targeting managed service providers (MSPs) in August in an attempt to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks.

Notable victims include Rackspace, City of Lowell, Geneva Software, Primoteq, Kenya Bureau of Standards, Cambridge Group, AlgoTech, Hill International and CS Cargo.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.