Between June 2022 and October 2023 [5] [6], the Play ransomware group [1] [2] [3] [4] [5], also known as Balloonfly and PlayCrypt [1], targeted approximately 300 organizations worldwide [5]. Their attacks have impacted businesses [5], critical infrastructure entities [1] [3] [4] [5] [6], and even the city of Oakland, California. This group employs a double-extortion model and exploits security flaws in Microsoft Exchange servers and Fortinet appliances to breach enterprises. They have also evolved into a ransomware-as-a-service (RaaS) operation [1], offering their services to other threat actors.

Description

The Play ransomware group [1] [2] [3] [4] [5], also known as Balloonfly and PlayCrypt [1], has been active between June 2022 and October 2023. They have targeted approximately 300 organizations worldwide [5], including critical infrastructure entities in North America [1] [5], South America [1] [3] [4] [5] [6], and Europe [3] [4] [5]. Their attacks have had significant impacts on businesses, critical infrastructure organizations [1] [3] [4] [5] [6], and even the city of Oakland, California. Managed service providers in the US have also been affected.

Unlike traditional ransomware attacks that rely on phishing emails, Play exploits vulnerabilities to gain initial access. They employ a double-extortion model [1], exfiltrating data before encrypting systems. The group specifically targets security flaws in Microsoft Exchange servers and Fortinet appliances to breach enterprises [1].

Furthermore, Play has evolved into a ransomware-as-a-service (RaaS) operation [1], offering their services to other threat actors. They utilize various tools for their attacks [1], including AdFind [1], GMER [1], IOBit [1], PowerTool [1], Grixba [1], Cobalt Strike [1], SystemBC [1], and Mimikatz [1].
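The tool list above is the kind of indicator a defender can turn into a first-pass detection. The following is an added example (not code from the cited reports or from any vendor): it scans constructed process-creation events for executables matching the named tools and escalates when tools from two or more intrusion stages run on one host inside a short window. The on-disk file names, the stage mapping, and the event shape are assumptions for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names taken from the text, mapped to an ASSUMED executable name and an
# ASSUMED intrusion stage. Production detections should use EDR signatures and
# hashes, not bare file names, which an operator can trivially rename.
PLAY_TOOLSET = {
    "adfind.exe": ("AdFind", "discovery"),
    "grixba.exe": ("Grixba", "discovery"),
    "gmer.exe": ("GMER", "defense-evasion"),
    "iobitunlocker.exe": ("IOBit", "defense-evasion"),
    "powertool.exe": ("PowerTool", "defense-evasion"),
    "mimikatz.exe": ("Mimikatz", "credential-access"),
    "beacon.exe": ("Cobalt Strike", "command-and-control"),
    "systembc.exe": ("SystemBC", "command-and-control"),
}

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-11-02T09:14:05", "host": "srv-exch01", "image": r"C:\Windows\Temp\AdFind.exe"},
    {"ts": "2023-11-02T09:40:12", "host": "srv-exch01", "image": r"C:\Windows\Temp\mimikatz.exe"},
    {"ts": "2023-11-02T10:03:55", "host": "srv-exch01", "image": r"C:\Users\Public\PowerTool.exe"},
    {"ts": "2023-11-02T11:20:00", "host": "ws-042", "image": r"C:\Program Files\Git\bin\git.exe"},
    {"ts": "2023-11-03T08:00:00", "host": "ws-017", "image": r"C:\Tools\gmer.exe"},
]

def match_tool(image_path):
    """Return (tool, stage) if the executable's file name is in the toolset, else None."""
    return PLAY_TOOLSET.get(ntpath.basename(image_path).lower())

def detect_play_toolset(events, window=timedelta(hours=2)):
    """Collect toolset hits per host and escalate when two or more distinct stages
    occur on the same host within `window`; a lone hit is left at low severity
    because some of these tools also have legitimate administrative uses."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = match_tool(ev["image"])
        if m:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]),) + m)
    findings = {}
    for host, seq in hits.items():
        max_stages = 0
        for i, (t0, _, _) in enumerate(seq):
            stages = {stage for t, _, stage in seq[i:] if t - t0 <= window}
            max_stages = max(max_stages, len(stages))
        findings[host] = {"tools": [tool for _, tool, _ in seq],
                          "escalate": max_stages >= 2}
    return findings
```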

Rather than leaving an initial ransom demand with payment instructions, Play's ransom notes instruct victims to contact the threat actors via email [1]. This marks a change in approach compared to traditional ransomware attacks.

In Australia [1] [2] [6], the first incident involving the Play ransomware group was observed in April 2023, with the most recent one occurring in November [6]. The alert about Play comes after US government agencies released an updated bulletin about the Karakurt group [1], which focuses on pure extortion rather than encryption-based attacks [1].

Additionally, the dark web leak portals of the BlackCat ransomware group went offline for five days, possibly due to a law enforcement operation. There are also allegations that the NoEscape ransomware group pulled an exit scam.

Conclusion

The Play ransomware group’s attacks have had significant impacts on businesses, critical infrastructure organizations [1] [3] [4] [5] [6], and even a city. Their exploitation of security flaws in Microsoft Exchange servers and Fortinet appliances highlights the importance of robust cybersecurity measures.

The evolution of Play into a ransomware-as-a-service (RaaS) operation and its collaboration with other threat actors demonstrate the growing complexity of, and cooperation within, the ransomware landscape.

Traditional security measures alone are no longer sufficient to secure data [1]. The constant evolution of ransomware calls for the implementation of Zero Trust Security and other advanced cybersecurity measures. It is crucial for organizations to stay vigilant, update their security protocols, and be prepared for future ransomware threats.

References

[1] https://thehackernews.com/2023/12/double-extortion-play-ransomware.html
[2] https://duo.com/decipher/u-s-australian-government-agencies-warn-of-play-ransomware-attacks
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
[4] https://cybersecuritynews.com/play-ransomware-infected-300-organizations/
[5] https://cyber.vumetric.com/security-news/2023/12/18/fbi-play-ransomware-breached-300-victims-including-critical-orgs/
[6] https://www.scmagazine.com/news/play-ransomware-gang-tied-to-300-attacks-in-17-months