Play ransomware being sold as-a-service

Play ransomware is being sold as-a-service, new evidence uncovered by cyber security company Adlumin suggests. The ransomware variant (also known as PlayCrypt) has been used in significant attacks on companies and government organizations worldwide since it was discovered in 2022. In recent months, Adlumin has identified and stopped PlayCrypt attacks with nearly identical tactics, techniques and procedures (TTPs) targeting small and mid-sized organizations. The lack of even slight variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware and are following step-by-step instructions from playbooks delivered with it, Adlumin said.

One of the tactics involves threat actors using the public music folder (C:\…\public\music) to hide malicious files, with another using almost the same password to create high privilege accounts. In both attacks, many of the same commands were observed, according to Adlumin.

Play’s apparent obtainability as-a-service is a concerning development, making it available to affiliates that might include sophisticated hackers, less-sophisticated “script kiddies” and various levels of expertise in between, Adlumin added. This could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware.

The Ransomware-as-a-Service (RaaS) ecosystem is continuing to mature and reflects how cyber crime has become a fully-fledged economy. RaaS allows threat actors to use already-developed ransomware tools and services to carry out attacks. The growth of RaaS has contributed to a 40 percent rise in ransomware attacks in the last year, according to a recent report from cyber security firm Zscaler.

What is Play ransomware?

Play ransomware derives its name from its behavior: it adds the extension “.play” after encrypting files. What’s more, its ransom note contains the single word “PLAY” along with the ransomware group’s email address. Over time, the threat actors running Play ransomware have added more tools and abused new vulnerabilities in their growing arsenal, including the vulnerabilities ProxyNotShell, OWASSRF and a Microsoft Exchange Server Remote Code Execution, according to security vendor Trend Micro.

Evidence suggests a possible link between Play and various ransomware families. For example, it shares some tactics and tools with Hive and Nokoyawa ransomware, along with Quantum ransomware, an offshoot of the Conti ransomware group.

Earlier this year, Trend Micro analyzed Play ransomware’s attempts to compromise organizations between June 2022 and May 2023. During that period, Play ransomware activity climbed steadily, peaking in December 2022 with 170 attack attempts, according to the vendor. Data showed that Play ransomware appeared most active in the telecommunications sector, with the healthcare and communication and media sectors also highly targeted.

Trend Micro’s telemetry also showed that the heaviest concentration of Play ransomware attack attempts was made against organizations located in Germany, which composed 15.4% of the total detections. This is followed closely by the United States and Portugal, at 15.3% and 15%, respectively.

RaaS ecosystem raises threats faced by organizations

Any ransomware group transitioning to being sold as-a-service should raise alarm bells for organizations, Dr Jason Nurse, reader in cyber security, Institute of Cyber Security for Society, University of Kent, tells Cyber Security Hub. Nurse is also a contributor to the Royal United Services Institute’s (RUSI) Ransomware Harms and the Victim Experience project, which examines the impact of ransomware on victims, economies and societies.

“The RaaS model poses a significant threat because it allows criminals to scale their attacks and it directly supports criminals in upskilling – that is, attackers who did not have the technical expertise or capability to launch a ransomware attack now would have it.” They can also point attacks at any target they desire, he adds. “As more ransomware groups assume the RaaS model, it increases the threat landscape for organizations. No longer is it one group targeting the business, it could be many more groups using a suite of ransomware tools.”

RaaS attacks “easier to detect”

Despite the increased threats posed by the growing RaaS market, ransomware delivered as-a-service can be easier to identify because of the common methods used to deploy it, Adlumin said. “IOCs, such as malicious IP addresses, domains, TOR addresses, emails, hashes, executables and others discovered from an attack can be very useful to analysts, researchers and law enforcement,” the firm wrote. They serve as clues to help put together what transpired during an incident and how, along with offering some insight about the level of sophistication of the attackers, it added.

“When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks. They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.”

Get the latest insights on the cyber threat landscape

Download our 'Mid-Year State of Cyber Security Report' to learn about the current challenges that cyber security practitioners in Europe, the Middle East, Africa, and North America are facing, and discover where they are focusing their investment decisions in 2023 and beyond.

Read More