The Play ransomware group, also known as PlayCrypt, has emerged as a significant threat, having executed over 300 successful attacks since June 2022, according to cybersecurity authorities in the United States and Australia.
This group, known for its devastating tactics, has targeted major American cities such as Oakland and Lowell, Massachusetts, along with Dallas County, causing extensive disruptions and data breaches that took days to rectify. Additionally, they have struck Switzerland, prompting government alerts due to data theft from an IT provider.
How Does Play Ransomware Operate?
Operating discreetly, Play ransomware perpetrators prefer direct email contact for negotiations, omitting ransom demands from their initial communications. Their "double-extortion" approach involves encrypting systems after stealing data, utilising stolen credentials and exploiting vulnerabilities in popular software like FortiOS and Microsoft tools.
To add pressure, they threaten to publish exfiltrated data on the Tor network if victims refuse ransom payments, which are typically demanded in cryptocurrency. The group's tactics include appending a ".play" extension to filenames and using a variety of tools to disable anti-virus software and exfiltrate data to infrastructure under their control.
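One way a defender can turn the ".play" rename behaviour described above into a detection, as an added example that is not part of the original post: it flags any host that renames many files to a ".play" extension within a short window. The log line format, host names, paths and threshold are constructed assumptions; adapt the parser to your own file-audit or EDR telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not a real product's format):
# "<ISO timestamp> host=<name> user=<name> op=<op> src=<path> dst=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_play_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {host: first_timestamp} for hosts with >= threshold renames
    to *.play inside any sliding window of the given length."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["op"] == "rename" and ev["dst"].lower().endswith(".play"):
            per_host[ev["host"]].append(ev["ts"])
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = stamps[start]
                break
    return alerts


# Constructed sample: fileserver01 renames 12 files in 12 s (mass encryption
# pattern); ws07 renames a single file, which alone is not worth an alert.
SAMPLE_LINES = [
    f"2024-01-15T09:00:{i:02d} host=fileserver01 user=svc_backup op=rename "
    f"src=/share/finance/report{i}.xlsx dst=/share/finance/report{i}.xlsx.play"
    for i in range(12)
] + [
    "2024-01-15T09:05:00 host=ws07 user=alice op=rename src=/home/alice/a.txt dst=/home/alice/a.txt.play",
    "2024-01-15T09:06:00 host=ws07 user=alice op=write src=/home/alice/todo.txt dst=-",
]

if __name__ == "__main__":
    for host, first in find_play_bursts(SAMPLE_LINES).items():
        print(f"ALERT {host}: burst of .play renames starting {first.isoformat()}")
```

Tune the threshold and window to the normal rename rate of each file server; a short window with a modest threshold catches the encryption burst while ignoring isolated renames.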
Impact of Play Ransomware Attacks
Initially targeting Latin American government entities, Play has expanded its reach globally, garnering attention for high-profile attacks on cities like Oakland and organisations like Stanley Steemer and central Virginia's transit system. These attacks have resulted in the exposure of sensitive data, including government records and personal information of citizens and officials, totalling hundreds of gigabytes released on their leak site.
Protecting yourself from Play Ransomware
It is crucial to take a multi-layered approach to mitigating the risk of any ransomware attack, including Play ransomware. That approach includes the following steps:
- Implement email security: Deploy email security measures, such as anti-spam filters and anti-phishing solutions, to help detect and prevent spear phishing emails from reaching employees.
- Update and patch systems: Organisations should regularly update and patch their systems to fix any known vulnerabilities and prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services.
- Use multi-factor authentication: Enabling multi-factor authentication (MFA) adds a layer of security, preventing unauthorised access to accounts and reducing the risk of credential theft.
- Limit user privileges: Restrict user privileges to only what is necessary for their job functions. This helps prevent the spread of ransomware across your network if one user account is compromised.
- Use network segmentation: Segment your network to limit the spread of ransomware in the event of a breach. This can help contain the damage and prevent it from affecting your entire organisation.
- Educate employees: Conduct Cybersecurity Awareness Training for employees by experts. Train your employees to recognise and report phishing emails and other suspicious activities.
- Have a response plan: Develop and regularly update a response plan outlining the steps to take in the event of a ransomware attack. This should include procedures for isolating infected systems, contacting authorities, and restoring data from backups.
Is detecting malicious activity a challenge for your business?
Play ransomware is a financially motivated cybercriminal group that uses a range of tactics, techniques, and procedures to attack organisations.
Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what the other products in its class missed by detecting all known malware and C2 callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside our Endpoint Detection and Response.
Red Piranha is a world leader when it comes to CTI. We are a member of the highly regarded Cyber Threat Alliance, and this appointment is a testament to our increased technical capabilities in this area and our commitment to quality with CTI. As one of its top contributors, we offer contextualised CTI feeds to its members and the wider security industry.
Sign up for our Weekly Threat Intelligence Report to stay updated.