Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | Play has exploited known vulnerabilities for initial access, including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.[1][2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Play has used a batch script to remove indicators of its presence on compromised hosts.[2] |
| Enterprise | T1133 | External Remote Services | Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.[1][2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.[1][2] |
| Enterprise | T1587.001 | Develop Capabilities: Malware | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Play has used WinRAR to compress files prior to exfiltration.[1][2] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.[2] |
| Enterprise | T1030 | Data Transfer Size Limits | Play has split victims' files into chunks for exfiltration.[1][2] |
| Enterprise | T1083 | File and Directory Discovery | Play has used the Grixba information stealer to list security files and processes.[2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Play has used WinSCP to exfiltrate data to actor-controlled accounts.[1][2] |
| Enterprise | T1078 | Valid Accounts | Play has used valid VPN accounts to achieve initial access.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | Play has used valid local accounts to gain initial access.[2] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts.[2] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Play has used tools to remove log files on targeted systems.[1][2] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Play has used tools including Wevtutil to remove malicious files from compromised hosts.[2] |
| Enterprise | T1082 | System Information Discovery | Play has leveraged tools to enumerate system information.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Play has used the information-stealing tool Grixba to enumerate network information.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.[1] |
| Enterprise | T1657 | Financial Theft | Play demands ransom payments from victims to decrypt filesystems and to not publish sensitive data exfiltrated from victim networks.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Play has used the information-stealing tool Grixba to scan for anti-virus software.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Play has used Cobalt Strike to download files to compromised machines.[2] |
| Enterprise | T1057 | Process Discovery | Play has used the information stealer Grixba to check for a list of security processes.[2] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Play has used Cobalt Strike to move laterally via SMB.[2] |
| Enterprise | T1018 | Remote System Discovery | Play has used tools such as AdFind, Nltest, and BloodHound to enumerate shares and hostnames on compromised networks.[2] |