In recent years, the world has witnessed an alarming rise in cyberattacks, with ransomware being one of the most pervasive and damaging forms of malicious activity. The Play ransomware gang has emerged as a highly disruptive and notorious group among the many ransomware gangs. This article aims to provide an informative and professional profile of the Play ransomware gang, shedding light on their operations, tactics, and notable attacks.
The City of Oakland Attack
The Play ransomware gang made headlines with their cyberattack on the City of Oakland, California. Beginning in mid-February 2023, the attack targeted the city’s IT systems, causing significant disruptions. While emergency services remained operational, various other departments were severely impacted, including business taxation and parking citation services. The gang claimed responsibility for the attack and demanded a ransom, threatening to expose sensitive data stolen from the city.
Attack Methodologies
Play ransomware employs several sophisticated techniques to infiltrate and compromise targeted organizations. They exploit known vulnerabilities, such as exposed RDP servers and FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812), to gain initial access. Once inside the network, they employ “lolbins” binaries and distribute executables via Group Policy Objects. Notably, the gang also engages in double extortion, exfiltrating sensitive data and threatening to release it if their ransom demands are not met.
Unique Technique: Intermittent Encryption
A distinctive characteristic of the Play ransomware gang is their use of intermittent encryption. This novel technique involves encrypting files in smaller, intermittent chunks, evading detection by security systems that rely on static analysis. By encrypting only portions of a file, often distinguished by null characters, Play ransomware can remain undetected for longer periods, exacerbating the damage caused to targeted organizations.
Notable Attacks
Beyond the City of Oakland, the Play ransomware gang has targeted various organizations worldwide. One significant incident occurred in Switzerland, where they hacked Xplain, an IT firm that supported numerous federal and cantonal government departments. They also targeted the major Spanish bank Globalcaja, compromising client and employee documents. Additionally, the gang claimed to have stolen 600GB of data from communications firm Poly (Polycom).
Play Ransomware Tools
The Play ransomware gang has developed custom tools to enhance their attacks’ effectiveness. Grixba, a network-scanning and information-stealing tool, enables them to enumerate users and computers within a compromised network. The VSS Copying Tool allows the gang to interact with the Volume Shadow Copy Service, even copying files in use by applications. These tools provide them with critical information and increase the efficiency of their malicious activities.
Security Recommendations
Organizations should implement robust security measures to combat the evolving threat posed by ransomware groups like Play. These include multifactor authentication (MFA), least privilege principles, network segmentation, attack surface management (ASM), secure domain controllers (DC), regular patching and updates, and maintaining encrypted offline backups of critical data. Additionally, employing threat intelligence platforms and monitoring the dark web for emerging threats can enhance an organization’s security posture.
The Play ransomware gang has proven to be a persistent and highly disruptive threat to organizations worldwide. Their sophisticated attack methods, including intermittent encryption and double extortion, showcase their determination to exploit vulnerabilities for financial gain. Organizations must remain vigilant, implementing robust security measures and proactive threat mitigation strategies to protect themselves against the increasing menace of ransomware attacks.