Play ransomware was first seen in June 2022. Its early victims were concentrated in Latin America, especially Brazil. The group is believed to operate from Russia because its encryption routine resembles those of the Russian-speaking Hive and Nokoyawa ransomware groups.
After entering a network, typically through an exposed or vulnerable system, Play encrypts files, changes their extension, and drops a ransom note stating that the data stays locked until the ransom is paid.
Play uses Cobalt Strike beacons for post-compromise activity and the SystemBC RAT for persistence.
The group has exploited the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082) to get into networks and steal data from businesses and organizations.
Play ransomware uses double extortion tactics as it not only encrypts the data but also copies it and threatens to leak the files if the ransom is not paid.
In August 2022 the Play group attacked Argentina's Judiciary of Córdoba, forcing it to shut down its IT systems; the judiciary fell back to pen and paper for official documents. Experts believe the intrusion started with phishing emails.
Confirmed Name: Play ransomware
Threat Type: Ransomware with double extortion (encryption plus data theft)
Encrypted Files Extension: .PLAY
Ransom Demanding Message: a short note containing the word PLAY and a contact email address; some variants add Tor links
Is There a Free Decryptor Available?: No
Detection Names
Symptoms: files renamed with the .PLAY extension and no longer open; a ransom note appears
Distribution methods: phishing emails, reused or leaked credentials, exposed RDP, known vulnerabilities such as ProxyNotShell in Microsoft Exchange
Consequences: files encrypted, data copied and held for leak
Prevention: close unused accounts, strong unique passwords, two-factor authentication, offline backups, patched software
Play ransomware domains: the .onion addresses listed in the ransom note below
As with many ransomware operations, phishing is one of Play's primary ways into a network. Any gap in your security controls leaves your business open to attack.
The most common ways Play ransomware infects computers and networks are:
Spam email campaigns. In a phishing campaign the attackers use social engineering to trick victims into opening a malicious attachment or link. The attachment or link delivers a loader (a downloader or remote-access tool) to the machine, after which the attackers can deploy the ransomware whenever they choose. Campaigns can be targeted at a specific business or sent as mass, untargeted malware spam.
Unofficial software download sources and cracks. Pirated software and cracks are often malicious programs themselves, and such software does not receive the updates that fix the vulnerabilities attackers exploit.
Known software vulnerabilities. Attackers also break in through software with known, unpatched vulnerabilities, which is why every piece of software should be kept updated and remote administration tools such as RDP should be protected rather than exposed directly to the internet.
Every encrypted file receives the .PLAY extension. The ransomware uses a conventional RSA-AES hybrid cryptosystem: each file is encrypted with a symmetric AES key, and that key is in turn encrypted with the attackers' RSA public key, so the files cannot be recovered without the matching RSA private key that only the attackers hold.
Play's ransom note is unusually simple, which is one of the main differences from other ransomware families. Most of the time the note is just the word "PLAY" followed by the email address the victim must contact.
Some variants add links to the group's Tor site as well as the email address.
Example of the content for Play ransom note:
PLAY
news portal, tor network links:
mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion
k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion
derdiarikucisv@gmx.de
Play uses intermittent encryption: instead of encrypting each file in full, it encrypts only portions of the file, which speeds up the attack and reduces the file-modification activity that security tools look for. The attack itself follows 10 steps that not only encrypt the data but also steal it and threaten to leak it.
Initial access. Play usually gets into networks through old but still valid credentials that were reused across multiple platforms or leaked earlier.
Exposed Remote Desktop Protocol (RDP) services are another common entry point.
Execution. The attackers use scheduled tasks and PsExec, both legitimate Windows tooling, to run their processes on other systems; by controlling many user machines in this way they spread the ransomware across the network.
Persistence. The compromised accounts are kept as a persistence mechanism, mainly to retain RDP access.
Credential access. The attackers run Mimikatz to extract high-privileged credentials from memory (the LSASS process).
Defense evasion. The ransomware disables antivirus and anti-malware software, including Windows Defender, and the attackers clear Windows event logs with the built-in wevtutil tool (for example, wevtutil cl Security) to cover their tracks.
Privilege escalation. Credentials dumped on the target host are used to obtain domain administrator access.
Discovery. During this step the attackers collect more information about the environment.
For lateral movement, Play uses different tools, such as:
Exfiltration. Play splits the data into chunks: WinRAR compresses the stolen files into .RAR archives, which are then transferred out of the network.
Impact. The final step encrypts the data, appends the .PLAY extension to the files, and places the ransom note.
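The kill chain above is mostly living-off-the-land tooling, so the practical detection question is what it looks like in process-creation telemetry. The following is an added example, not code from this article or from any vendor: it runs a handful of command-line rules over constructed sample events (made up here, in the shape of Sysmon Event ID 1 or Security Event ID 4688 exports) and then requires several distinct tactics on one host before calling it a likely Play intrusion, since PsExec or WinRAR on its own is normal administrative activity. The Set-MpPreference pattern and the exact sample command lines are assumptions of the example, not artifacts the article attributes to Play.

```python
"""Flag process-creation events that match the Play ransomware kill chain.

Added example. Input events are assumed to be exported from Sysmon Event ID 1
or Windows Security Event ID 4688 as (timestamp, host, user, parent, command line).
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). The command lines mirror the
# steps described above: scheduled task + PsExec, Mimikatz, wevtutil, WinRAR.
SAMPLE_EVENTS = [
    ("2022-08-10T01:12:03Z", "WS-017", "CORP\\jdoe", "explorer.exe",
     "C:\\Windows\\System32\\notepad.exe C:\\Users\\jdoe\\notes.txt"),
    ("2022-08-10T01:15:44Z", "WS-017", "CORP\\svc-backup", "cmd.exe",
     "schtasks /create /tn Updater /tr C:\\ProgramData\\u.exe /sc onlogon /ru SYSTEM"),
    ("2022-08-10T01:16:10Z", "WS-017", "CORP\\svc-backup", "cmd.exe",
     "C:\\Temp\\PsExec.exe \\\\FS-01 -s -d C:\\ProgramData\\u.exe -accepteula"),
    ("2022-08-10T01:20:31Z", "FS-01", "CORP\\svc-backup", "cmd.exe",
     "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"),
    ("2022-08-10T01:25:02Z", "FS-01", "CORP\\svc-backup", "cmd.exe",
     "wevtutil cl Security"),
    ("2022-08-10T01:25:03Z", "FS-01", "CORP\\svc-backup", "cmd.exe",
     "wevtutil cl System"),
    ("2022-08-10T01:40:55Z", "FS-01", "CORP\\svc-backup", "cmd.exe",
     "\"C:\\Program Files\\WinRAR\\Rar.exe\" a -r -v500m -ep1 C:\\Temp\\fin.rar D:\\Shares\\Finance"),
    ("2022-08-10T02:01:00Z", "FS-01", "CORP\\svc-backup", "cmd.exe",
     "C:\\ProgramData\\u.exe"),
]

# (tactic, description, pattern). Tactic names follow the walkthrough above.
# The Set-MpPreference rule is an assumed example of "disabling Windows Defender"
# from the command line, not a command the article attributes to Play.
RULES = [
    ("execution", "scheduled task created",
     re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)),
    ("execution", "PsExec remote execution",
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.I)),
    ("credential access", "Mimikatz credential dumping",
     re.compile(r"\bmimikatz\b|sekurlsa::|lsadump::", re.I)),
    ("defense evasion", "Windows event log cleared with wevtutil",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("defense evasion", "Windows Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", re.I)),
    ("exfiltration", "WinRAR archive split into volumes for staging",
     re.compile(r'\brar(?:\.exe)?"?\s+a\b.*\s-v\d+[kmg]?\b', re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    tactic: str
    description: str
    command_line: str


def classify(command_line: str) -> list[tuple[str, str]]:
    """Return (tactic, description) for every rule that matches the command line."""
    return [(tactic, desc) for tactic, desc, pat in RULES if pat.search(command_line)]


def scan(events) -> list[Finding]:
    """Run every rule over every event; one Finding per (event, matching rule)."""
    findings = []
    for timestamp, host, user, _parent, cmd in events:
        for tactic, desc in classify(cmd):
            findings.append(Finding(timestamp, host, user, tactic, desc, cmd))
    return findings


def hosts_with_chain(findings, min_tactics: int = 3) -> dict[str, set[str]]:
    """Hosts on which several distinct tactics were seen. A lone PsExec launch is
    routine administration; PsExec plus Mimikatz plus cleared logs on one box is not."""
    tactics_by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        tactics_by_host[f.host].add(f.tactic)
    return {h: t for h, t in tactics_by_host.items() if len(t) >= min_tactics}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.user}: {f.description}")
        print(f"    {f.command_line}")
    for host, tactics in hosts_with_chain(found).items():
        print(f"{host}: {len(tactics)} distinct tactics seen -> treat as a likely Play intrusion")
```

On the constructed events the workstation only shows execution activity and is reported as noise, while the file server shows credential dumping, log clearing and archive staging and is flagged. Tuning the per-host threshold, rather than alerting on every single rule hit, is what keeps this usable in an environment where administrators legitimately use PsExec and WinRAR.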
We have already mentioned several ways to prevent Play ransomware attacks. Here is a fuller list of what to do to keep your data and business safe.
Unused accounts are an exposure attackers exploit: stale or reused credentials are the primary way Play gains RDP access, and accounts taken over in this way can also be used to send convincing phishing emails.
Deactivate and close unused accounts, including those of former employees.
Always use strong, unique passwords for each account and share them only with the people who need them. This helps ensure that only authorized personnel can access each company account.
Use two-factor authentication (or biometric unlock on devices) so that a stolen password alone is not enough to reach folders, devices, or accounts.
Keep at least three copies of your data, with at least one stored offline and off-site, so that a disaster, whether natural or human-made like ransomware, cannot take every copy with it.
Regular backups reduce downtime and keep you from losing sensitive data.
You can either have an in-house IT or security team or hire a cybersecurity service.
Either way, someone must look for weaknesses in the network, such as back doors, exploit kits, and outdated software.
Data recovery plans are documents that serve as guides for what to do in case of a disaster; they help you restore operations faster and more securely.
See how to create a data recovery plan with our in-depth guide.
The first step in recovering from a Play attack is to isolate the infected computer: disconnect it from the network and detach any connected devices, but do not wipe it, since the machine itself is evidence. Then contact the local authorities. For US residents and businesses that means the local FBI field office and the Internet Crime Complaint Center (IC3).
To report a ransomware attack, gather every piece of information you can about it, including:
Do not delete the ransomware, and keep every piece of evidence of the attack. That evidence matters for digital forensics: experts can use the data on your infected system to trace the attack back to the group responsible and identify them. A cyberattack investigation is no different from any other criminal investigation; it needs evidence to find the attackers.
After isolating the device and contacting the authorities, follow the next steps to retrieve your data:
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.
An incident response retainer gives organizations peace of mind by providing expert support both before and in the aftermath of a cybersecurity incident. The specific nature and structure of a retainer vary with the provider and the organization's requirements. A good retainer should be robust but flexible, providing proven services that improve the organization's long-term security posture.
You can identify which ransomware infected your machine by the file extension (some families use the extension as their name, such as hajd ransomware) or from the ransom note. With that information you can look for a public decryptor. For Play, no free decryptor is available.
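To make the identification step concrete, here is an added example (not from this article or from SalvageData): a small triage script that walks a directory tree, counts files carrying the .PLAY extension, and recognizes a ransom note by its content, using the format quoted earlier in this article (the word PLAY on the first line followed by an email address or .onion link). The sample victim tree, including the ReadMe.txt file name for the note, is constructed in a temporary directory and is an assumption of the example; the check is on the note's content, not its name.

```python
"""Triage a directory tree for Play ransomware artifacts: files renamed with the
.PLAY extension and a ransom note whose first line is the word PLAY.

Added example. The sample victim tree is constructed in a temporary directory.
"""
from __future__ import annotations

import os
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Tor v3 addresses are 56 base32 characters; the note quoted above lists two of them.
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_play_note(path: Path) -> bool:
    """Match on content, not file name: 'PLAY' alone on the first non-empty line,
    followed by an email address and/or .onion links, as in the note quoted above."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines or lines[0].upper() != "PLAY":
        return False
    contact = "\n".join(lines[1:])
    return bool(EMAIL_RE.search(contact) or ONION_RE.search(contact))


def triage(root: Path) -> dict:
    """Count encrypted files per directory and collect ransom notes under root."""
    encrypted: Counter[str] = Counter()
    notes: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            path = Path(dirpath) / name
            # Windows extensions are case-insensitive, so .play and .PLAY are the same.
            if path.suffix.lower() == ".play":
                encrypted[rel_dir] += 1
            elif path.suffix.lower() == ".txt" and is_play_note(path):
                notes.append((Path(rel_dir) / name).as_posix())
    if notes and encrypted:
        verdict = "Play ransomware"
    elif notes or encrypted:
        verdict = "suspicious: one artifact only, inspect manually"
    else:
        verdict = "clean"
    return {
        "encrypted_total": sum(encrypted.values()),
        "encrypted_by_dir": dict(encrypted),
        "notes": sorted(notes),
        "verdict": verdict,
    }


def build_sample_tree() -> Path:
    """Constructed victim tree (fake data). The note file name ReadMe.txt is an
    assumption of this example; is_play_note() does not depend on it."""
    root = Path(tempfile.mkdtemp(prefix="play-triage-"))
    (root / "Finance").mkdir()
    (root / "Finance" / "Q2.xlsx.PLAY").write_bytes(os.urandom(64))
    (root / "Finance" / "budget.docx.PLAY").write_bytes(os.urandom(64))
    (root / "HR").mkdir()
    (root / "HR" / "handbook.pdf").write_bytes(b"%PDF-1.4 not encrypted")
    # Decoy: a text file that merely starts with the word "play" is not a note.
    (root / "HR" / "notes.txt").write_text("play rehearsal schedule\n", encoding="utf-8")
    (root / "ReadMe.txt").write_text(
        "PLAY\n"
        "news portal, tor network links:\n"
        "mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion\n"
        "derdiarikucisv@gmx.de\n",
        encoding="utf-8",
    )
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        print(triage(sample))
    finally:
        shutil.rmtree(sample)
```

Run it against a mounted image or a network share rather than the live infected host where possible, and keep the per-directory counts: they show which shares the encryption reached, which is the first thing a responder needs when deciding what to restore from backup.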
Before recovering your data, make sure the device is free of the ransomware and that the attackers cannot get back in through the same foothold: the credentials, exposed services, or unpatched vulnerabilities they used. A ransomware removal service can delete the ransomware, produce a forensic report for the investigation, close those weaknesses, and recover your data.
Backups are the most efficient way to recover data. Keep daily or weekly backups, depending on how often your data changes.
Paying the ransom does not guarantee you will get your data back. The only guaranteed way to restore every file is from a backup. If you do not have a recent backup, ransomware data recovery services can assess what can still be recovered.
SalvageData experts can safely restore your files and guarantee Play ransomware does not attack your network again.
Contact our experts 24/7 for emergency recovery service or find a recovery center near you.