Play

Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]

ID: G1040
Contributors: Marco Pedrinazzi, @pedrinazziM
Version: 1.0
Created: 24 September 2024
Last Modified: 02 October 2024

Techniques Used

Domain | ID | Name | Use

Enterprise | T1560.001 | Archive Collected Data: Archive via Utility

Play has used WinRAR to compress files prior to exfiltration.[1][2]

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.[2]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

Play has used a batch script to remove indicators of its presence on compromised hosts.[2]

Enterprise | T1030 | Data Transfer Size Limits

Play has split victims' files into chunks for exfiltration.[1][2]

Enterprise | T1587.001 | Develop Capabilities: Malware

Play developed and employs Playcrypt ransomware.[2][1]

Enterprise | T1048 | Exfiltration Over Alternative Protocol

Play has used WinSCP to exfiltrate data to actor-controlled accounts.[1][2]

Enterprise | T1190 | Exploit Public-Facing Application

Play has exploited known vulnerabilities for initial access, including CVE-2018-13379 and CVE-2020-12812 in FortiOS, and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.[1][2]

Enterprise | T1133 | External Remote Services

Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.[1][2]

Enterprise | T1083 | File and Directory Discovery

Play has used the Grixba information stealer to list security files and processes.[2]

Enterprise | T1657 | Financial Theft

Play demands ransom payments from victims to decrypt file systems and to refrain from publishing sensitive data exfiltrated from victim networks.[1]

Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools

Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.[1][2]

Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs

Play has used tools to remove log files on targeted systems.[1][2]

Enterprise | T1070.004 | Indicator Removal: File Deletion

Play has used tools including Wevtutil to remove malicious files from compromised hosts.[2]

Enterprise | T1105 | Ingress Tool Transfer

Play has used Cobalt Strike to download files to compromised machines.[2]

Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation

Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts.[2]

Enterprise | T1588.002 | Obtain Capabilities: Tool

Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.[1]

Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory

Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.[2]

Enterprise | T1057 | Process Discovery

Play has used the information stealer Grixba to check for a list of security processes.[2]

Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares

Play has used Cobalt Strike to move laterally via SMB.[2]

Enterprise | T1018 | Remote System Discovery

Play has used tools such as AdFind, Nltest, and BloodHound to enumerate shares and hostnames on compromised networks.[2]

Enterprise | T1518.001 | Software Discovery: Security Software Discovery

Play has used the information-stealing tool Grixba to scan for antivirus software.[1]

Enterprise | T1082 | System Information Discovery

Play has leveraged tools to enumerate system information.[2]

Enterprise | T1016 | System Network Configuration Discovery

Play has used the information-stealing tool Grixba to enumerate network information.[1]

Enterprise | T1078 | Valid Accounts

Play has used valid VPN accounts to achieve initial access.[1]

Enterprise | T1078.002 | Valid Accounts: Domain Accounts

Play has used valid domain accounts for access.[2]

Enterprise | T1078.003 | Valid Accounts: Local Accounts

Play has used valid local accounts to gain initial access.[2]

Software

ID | Name | References | Techniques

S0552 | AdFind | [1][2] | Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery

S0521 | BloodHound | [2] | Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Group Policy Discovery, Native API, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery

S0154 | Cobalt Strike | [2] | Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation

S0363 | Empire | [2] | Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

S0002 | Mimikatz | [2] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0359 | Nltest | [2] | Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery

S1162 | Playcrypt | [1][2] | Data Encrypted for Impact, File and Directory Discovery, Inhibit System Recovery

S0029 | PsExec | [1] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0645 | Wevtutil | [2] | Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs
