Play ransomware

Play ransomware has affected around 300 organizations

The Play ransomware group is estimated to have affected approximately 300 organizations worldwide as of October 2023.

Also known as Balloonfly and PlayCrypt, Play is a ransomware group that gains initial access by exploiting vulnerabilities in Microsoft Exchange servers and Fortinet devices. It emerged in 2022 and employs a double-extortion model: data is exfiltrated first and systems are encrypted afterwards. Vulnerabilities exploited include CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell) in Exchange Server, and CVE-2018-13379 and CVE-2020-12812 in Fortinet FortiOS. All four have patches available, so keeping internet-facing Exchange and Fortinet appliances current is the first control against this group.

The group has hit businesses worldwide and has reportedly also been offered to affiliates as a "ransomware-as-a-service". Its intrusions are characterized by a mix of public and custom tooling: AdFind for Active Directory enumeration; GMER, IOBit and PowerTool to disable security software; and Grixba, a custom information stealer that enumerates the network and installed antivirus products. For lateral movement, command and control and credential theft they rely on Cobalt Strike, SystemBC and Mimikatz.
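A hunting script for the tooling named above, added here as an illustration rather than taken from the advisory or any vendor's detection content: it walks Sysmon-style process-creation events and flags the tools by image name, by the PE OriginalFileName (which survives a rename on disk), and by tell-tale command-line syntax, then lists hosts where more than one of them ran. The JSON-lines events, host and user names, and the tactic labels are constructed for the example and are not real telemetry.

```python
"""Hunt for Play-associated tooling in endpoint process-creation telemetry.

Added example (not from the advisory or any vendor): matches the tools named
in public Play reporting against Sysmon-style process-create events. The
events below are constructed for illustration, not real logs.
"""
import json
import ntpath
import re
from collections import defaultdict

# Tools named in Play reporting, keyed by a lowercase fragment of the
# executable's normal name. The tactic labels are our own triage hints.
WATCHLIST = {
    "adfind": "discovery: Active Directory enumeration",
    "grixba": "discovery: custom info-stealer, AV enumeration",
    "gmer": "defense evasion: AV/EDR tampering",
    "iobit": "defense evasion: AV/EDR tampering",
    "powertool": "defense evasion: AV/EDR tampering",
    "mimikatz": "credential access: LSASS dumping",
    "systembc": "command and control / lateral movement",
    "cobaltstrike": "command and control / lateral movement",
}

# Command-line fragments that betray a tool even when it has been renamed and
# its version info stripped. Mimikatz module syntax and AdFind's LDAP filter
# flag are well known; treat these as starting points, not a complete set.
CMDLINE_PATTERNS = [
    (re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I), "mimikatz"),
    (re.compile(r"\s-f\s+[\"']?\(?objectcategory=", re.I), "adfind"),
]

# Constructed Sysmon Event ID 1 records exported as JSON lines (not real data).
# OriginalFileName comes from the PE version resource, so it survives a rename
# unless the attacker also strips it ("?" here stands for "not present").
SAMPLE_JSONL = r'''
{"Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"Computer": "WS01", "User": "CORP\\jsmith", "Image": "C:\\Users\\Public\\adfind.exe", "OriginalFileName": "AdFind.exe", "CommandLine": "adfind.exe -f \"(objectcategory=computer)\" name operatingsystem"}
{"Computer": "WS01", "User": "CORP\\jsmith", "Image": "C:\\ProgramData\\svc.exe", "OriginalFileName": "mimikatz.exe", "CommandLine": "svc.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
{"Computer": "SRV02", "User": "CORP\\svc_backup", "Image": "C:\\Temp\\pt.exe", "OriginalFileName": "?", "CommandLine": "pt.exe"}
{"Computer": "SRV02", "User": "CORP\\svc_backup", "Image": "C:\\Temp\\gmer.exe", "OriginalFileName": "gmer.exe", "CommandLine": "gmer.exe"}
{"Computer": "SRV02", "User": "CORP\\svc_backup", "Image": "C:\\Temp\\a.exe", "OriginalFileName": "?", "CommandLine": "a.exe -f \"(objectcategory=person)\" samaccountname"}
'''


def parse_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_event(event):
    """Return (tool, tactic, evidence) for a watchlisted event, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()  # ntpath: Windows paths on any OS
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    for tool, tactic in WATCHLIST.items():
        if tool in image:
            return tool, tactic, f"Image={image}"
        if tool in original:
            return tool, tactic, f"OriginalFileName={original} (renamed on disk to {image})"
    for pattern, tool in CMDLINE_PATTERNS:
        if pattern.search(cmdline):
            return tool, WATCHLIST[tool], f"CommandLine matches /{pattern.pattern}/"
    return None  # renamed binary, stripped version info, bland command line: stays silent


def hunt(events):
    """Classify every event and return the hits as flat dicts for a SIEM or a report."""
    hits = []
    for ev in events:
        match = classify_event(ev)
        if match:
            tool, tactic, evidence = match
            hits.append({"computer": ev.get("Computer"), "user": ev.get("User"),
                         "tool": tool, "tactic": tactic, "evidence": evidence})
    return hits


def hosts_with_multiple_tools(hits):
    """Hosts where two or more distinct watchlisted tools ran. A lone AdFind may be
    an admin; AdFind plus an AV killer or Mimikatz on one host looks like Play's chain."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["computer"]].add(h["tool"])
    return {host: tools for host, tools in by_host.items() if len(tools) >= 2}


if __name__ == "__main__":
    found = hunt(parse_jsonl(SAMPLE_JSONL))
    for h in found:
        print(f"{h['computer']:6} {h['user']:22} {h['tool']:10} {h['tactic']:45} {h['evidence']}")
    print("escalate:", hosts_with_multiple_tools(found))
```

The name-based watchlist is deliberately simple. A real Cobalt Strike beacon or SystemBC implant will not be called that on disk, so those two entries are placeholders for your own C2 detections, and short substrings such as "gmer" should be tuned against the benign software in your environment before this is turned into an alert. The fourth sample event shows the known gap: a renamed binary with stripped version information and no distinctive arguments produces no hit.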

Their approach differs from most groups in that the ransom note contains no initial demand; victims are instead directed to contact the operators by email. Recent statistics put Play at around 40 victims for November 2023, behind competitors such as LockBit and BlackCat.

The report points to a steadily growing pattern of ransomware attacks that rely on exploiting known vulnerabilities, and underscores the need to strengthen basic security practices, above all timely patching of internet-facing systems such as the Exchange and Fortinet products listed above.

Elsewhere in the ransomware landscape there is plenty of movement. BlackCat's infrastructure went offline in what may have been a law enforcement operation, although the gang itself attributed the outage to a hardware failure. The emerging NoEscape group absconded with ransom payments and has attacked other gangs. Collaboration is also evolving, with joint campaigns such as the one by the BianLian, White Rabbit and Mario gangs against financial services companies. Law enforcement interventions continue to shape the field, and the groups are increasingly cooperating with one another.