New reports confirm that the ransomware threat is far from a thing of the past: even LockBit, which had been thought to have disbanded following law enforcement disruption, has now announced a return to action just weeks away. Now a new analysis has revealed the danger posed by ongoing Play ransomware attacks. Here's what you need to know.

The Play Ransomware Attack Threat

Analysts from AhnLab have published an in-depth look at the Play ransomware threat, first detected in 2022 and responsible for more than 300 successful attacks worldwide since then. Play ransomware, which the researchers warn remains in active use, takes its name from the ".PLAY" extension it appends to the files it encrypts.

Linked to Andariel, a North Korean state-sponsored attack group that is part of the Democratic People’s Republic of Korea’s “Reconnaissance General Bureau,” Play would appear to be an integral part of its cyber arsenal.

The researchers said these ransomware actors gain initial access to target networks by "abusing valid accounts or attacking vulnerabilities in exposed services." The Microsoft Exchange Server ProxyNotShell vulnerabilities (CVE-2022-41040, CVE-2022-41082) and Fortinet FortiOS vulnerabilities (CVE-2020-12812, CVE-2018-13379) are known to have been used, so ensuring these are properly patched is vital. Note that CVE-2018-13379 discloses VPN credentials, so a device that was ever exposed unpatched should also have those credentials rotated, not just the firmware updated.

Play attackers, the AhnLab report confirms, use port scanning to enumerate live systems and the ports of running services. They then collect Active Directory information and use specialist tools to identify "attack paths for privilege escalation." Once that escalation yields admin access, the attackers steal credentials for lateral movement and, ultimately, control of the domain environment.

FBI-Recommended Ransomware Attack Mitigation—Play Included

It is not only state-sponsored Play attacks that should concern organizations everywhere; the ransomware-as-a-service model and double-extortion tactics of criminal gangs in general need to be considered. The Federal Bureau of Investigation has warned users to be alert to the risk and recommends mitigations including:

  • Install updates for operating systems, software and firmware as soon as they are released.
  • Require phishing-resistant, non-SMS-based multi-factor authentication.
  • Educate users to both recognize and report phishing attempts.

Play evades detection by using legitimate tools such as Process Hacker to disable security products where possible. "Many of the tools used in the process are not malware strains," AhnLab researchers said, "but those that can also be used for legitimate purposes," which makes detection harder. Finally, a Play attack encrypts an organization's systems but, as is now the norm, exfiltrates data first so as to add leverage to the extortion demand via leak sites.
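Two of the behaviours described above leave traces a defender can hunt for: the internal port scanning that precedes lateral movement, and Process Hacker being run (often renamed) to kill security products. The following is an added example written for this article, not code from AhnLab, the FBI or the Play operators. It runs two toy detections over constructed log data: a sliding-window fan-out count over firewall-style connection records, and a check of Sysmon-style process-create and driver-load events for Process Hacker's PE original file name and its kernel driver. The log formats, thresholds, host addresses and indicator strings are assumptions for the example and should be checked against your own telemetry.

```python
"""Added example: toy detections for pre-lateral-movement port scanning and
Process Hacker execution. Not code from AhnLab or the FBI; all log data
below is constructed for the example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


def parse_conn_log(text):
    """Parse constructed 'ISO-timestamp src dst dport' lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows


def find_port_scanners(rows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: max distinct (dst, port) pairs seen in any window} for
    sources that exceed min_targets. Thresholds are assumptions; tune them."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in rows:
        by_src[src].append((ts, dst, dport))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        counts, best, j = Counter(), 0, 0
        for i, (ts_i, _, _) in enumerate(events):
            # Advance the right edge: add every event within the window of ts_i.
            while j < len(events) and events[j][0] - ts_i <= window:
                counts[events[j][1:]] += 1
                j += 1
            best = max(best, len(counts))
            # Drop the left edge before moving on so stale pairs do not count.
            key = events[i][1:]
            counts[key] -= 1
            if counts[key] == 0:
                del counts[key]
        if best >= min_targets:
            hits[src] = best
    return hits


def constructed_conn_log():
    """Constructed sample: 10.0.0.5 sweeps 25 ports on two hosts in ~5 s,
    while 10.0.0.7 behaves like an ordinary workstation."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    ports = [21, 22, 80, 135, 139, 443, 445, 1433, 3389] + list(range(8000, 8016))
    lines = []
    for n, port in enumerate(ports):
        for dst in ("10.0.0.20", "10.0.0.21"):
            ts = (base + timedelta(milliseconds=200 * n)).isoformat()
            lines.append(f"{ts} 10.0.0.5 {dst} {port}")
    normal = [("10.0.0.20", 445), ("10.0.0.30", 443), ("10.0.0.20", 445)]
    for n, (dst, port) in enumerate(normal):
        lines.append(f"{(base + timedelta(seconds=n)).isoformat()} 10.0.0.7 {dst} {port}")
    return "\n".join(lines)


# Constructed Sysmon-style records: EventID 1 = process create, 6 = driver load.
SYSMON_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\admin\Downloads\ph.exe",
     "OriginalFileName": "ProcessHacker.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\admin\Downloads\kprocesshacker.sys"},
]

# Indicator strings assumed for this example: the PE OriginalFileName survives
# an on-disk rename, and the driver name is what Process Hacker loads.
PROCESS_HACKER_NAMES = {"processhacker.exe"}
PROCESS_HACKER_DRIVERS = {"kprocesshacker.sys"}


def find_process_hacker(events):
    """Return (kind, path, note) alerts; note says whether the binary was renamed."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            orig = ev.get("OriginalFileName", "").lower()
            name = PureWindowsPath(ev["Image"]).name.lower()
            if orig in PROCESS_HACKER_NAMES or name in PROCESS_HACKER_NAMES:
                alerts.append(("process", ev["Image"],
                               "renamed" if name != orig else "as-is"))
        elif ev.get("EventID") == 6:
            drv = PureWindowsPath(ev["ImageLoaded"]).name.lower()
            if drv in PROCESS_HACKER_DRIVERS:
                alerts.append(("driver", ev["ImageLoaded"], "as-is"))
    return alerts


if __name__ == "__main__":
    print(find_port_scanners(parse_conn_log(constructed_conn_log())))
    print(find_process_hacker(SYSMON_EVENTS))
```

The port-scan rule keys on distinct destination/port pairs per source rather than raw connection counts, so a busy file server talking to one port on many hosts is treated differently from a host walking a port list. The Process Hacker rule matches on the PE original file name from Sysmon event 1 precisely because the binary is routinely renamed; a driver-load event for the same tool is a stronger signal, since that is what it needs to terminate protected security processes.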
