Play Ransomware

Chris Swagler | December 13th, 2023


According to new data found by a cybersecurity company, Play ransomware is now being offered as-a-service to cybercriminals. Since its discovery in 2022, the ransomware variant, also known as PlayCrypt, has been utilized in numerous attacks on global companies and government institutions. The cybersecurity company has recently identified and prevented PlayCrypt attacks targeting small and mid-sized companies using essentially identical tactics, techniques, and procedures (TTPs). According to the cybersecurity company, the lack of even minor variations between attacks shows that they’re carried out by affiliates who bought the ransomware and are following the instructions from the playbooks provided. One tactic involves threat actors hiding malicious files in the public music folder (C:\…\public\music), while another uses nearly the same password to create high-level accounts. The cybersecurity company observed numerous identical commands in both attacks.

The cybersecurity company stated that Play’s apparent availability as a service is a troubling development, since it makes the ransomware available to affiliates that may include experienced threat operators, less-advanced “script kiddies,” and every level of professional in between. It could result in a significant increase in the number of attacks using the extremely effective, Russia-linked Play ransomware. The Ransomware-as-a-Service (RaaS) ecosystem is maturing and demonstrates how cybercrime has evolved into a full-fledged enterprise. RaaS enables threat actors to carry out attacks using pre-developed ransomware tools and services. According to a recent analysis from a cybersecurity company, the proliferation of RaaS has contributed to a 40% increase in ransomware attacks in the last year.

Play Ransomware

Play ransomware’s name originated from its behavior: it appends the extension “.play” to encrypted files. Additionally, the ransom note includes the single word “PLAY” and the email address of the ransomware group. According to a security vendor, the threat actors behind the Play ransomware have added tools to their arsenal and exploited new vulnerabilities over time, including ProxyNotShell, OWASSRF, and a Microsoft Exchange remote code execution vulnerability. Evidence points to a connection between Play and other ransomware families. For example, it shares some methods and tools with the Hive ransomware, the Nokoyawa ransomware, and the Quantum ransomware, which is an offshoot of the Conti ransomware group.

One cybersecurity company examined Play ransomware’s attempts to breach companies between June 2022 and May 2023. Play ransomware activity increased significantly during that time, peaking in December 2022 with 170 attack attempts. According to the data, the telecommunications sector saw the most activity, with the healthcare, communication, and media industries also heavily targeted. Additionally, the cybersecurity company’s telemetry revealed that the highest concentration of Play ransomware attack attempts was launched against companies in Germany, accounting for 15.4% of all detections. The United States and Portugal were close behind, at 15.3% and 15%, respectively.

Rising Threats Companies Face from the RaaS Ecosystem

Ransomware groups migrating to a service model raise red flags for companies, according to a reader in cybersecurity at the Institute of Cyber Security for Society at the University of Kent. This person contributes to the Royal United Services Institute’s (RUSI) Ransomware Harms and the Victim Experience project, which investigates the impact of ransomware on victims, economies, and societies. The RaaS model is a significant threat: it allows cybercriminals to scale their attacks, and it directly supports them in upskilling. Threat operators that lack the technical expertise or capability to launch a ransomware attack on their own will now have it and can point attacks at any target they want. As more ransomware groups adopt the RaaS model, the threat landscape for companies grows. A company may face several groups using a suite of ransomware tools, rather than one group targeting it.

Detecting RaaS Attacks Is Easier

Even with the increased threat from the growing RaaS market, ransomware delivered as a service can be detected more easily because of the way it is deployed. Indicators of compromise (IoCs), including malicious IP addresses, domains, Tor addresses, email addresses, hashes, executables, and others, can be extremely beneficial to analysts, researchers, and law enforcement. They serve as hints that help piece together what happened and how, and they provide information on the sophistication of the threat operators. When threat actors use RaaS-provided playbooks, they will most likely follow them closely during their first few attacks. They will make mistakes, and if those mistakes are significant enough, they can act as breadcrumbs for authorities to follow.
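Because affiliates follow the playbook closely, the repeated tactics called out earlier in this article (executables staged in the public music folder, newly created accounts elevated to administrator, and files renamed with the “.play” extension) are good candidates for simple hunt rules. The script below is an added example written for this article, not SpearTip's or ShadowSpear's code, and it makes several assumptions: the log lines are in a constructed “timestamp|host|event|detail” format rather than real Sysmon or Security-log output, the public music folder is taken to be the standard Windows path C:\Users\Public\Music (the article only says “public music folder”), and the burst threshold of three renamed files is an arbitrary value chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the "public music folder" is the default Windows path
# C:\Users\Public\Music; the drive letter is left flexible.
PUBLIC_MUSIC = re.compile(r"^[a-z]:\\users\\public\\music\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".bat", ".ps1", ".vbs")
PLAY_BURST_THRESHOLD = 3  # arbitrary threshold for this example; tune per environment

# Constructed sample telemetry in a simplified "timestamp|host|event|detail" format.
# These are not real IoCs; they only illustrate the three playbook tactics.
SAMPLE_LOGS = [
    "2023-12-01T10:00:01Z|ws01|FileCreate|C:\\Users\\Public\\Music\\updater.exe",
    "2023-12-01T10:00:05Z|ws01|ProcessCreate|C:\\Users\\Public\\Music\\updater.exe",
    "2023-12-01T10:01:00Z|ws01|UserCreated|svc_backup",
    "2023-12-01T10:01:02Z|ws01|GroupMemberAdded|Administrators:svc_backup",
    "2023-12-01T10:02:00Z|ws01|FileCreate|C:\\Users\\Public\\Music\\song.mp3",
    "2023-12-01T11:00:00Z|fs01|FileRename|D:\\share\\q3.xlsx.play",
    "2023-12-01T11:00:01Z|fs01|FileRename|D:\\share\\q4.xlsx.play",
    "2023-12-01T11:00:02Z|fs01|FileRename|D:\\share\\plan.docx.play",
    "2023-12-01T11:00:03Z|ws02|FileRename|C:\\tmp\\notes.txt.play",
]


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, host, event, detail = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "host": host, "event": event, "detail": detail}


def hunt(lines):
    """Run the three playbook-derived rules over log lines and return findings."""
    findings = []
    new_accounts = defaultdict(set)   # host -> accounts created during the window
    play_ext_count = defaultdict(int)  # host -> count of files renamed to .play
    for rec in map(parse_line, lines):
        host, ev, detail = rec["host"], rec["event"], rec["detail"]
        # Tactic 1: executable content staged in the public music folder.
        # Media files there are normal; executables are not.
        if ev in ("FileCreate", "ProcessCreate") and PUBLIC_MUSIC.match(detail) \
                and detail.lower().endswith(EXEC_EXT):
            findings.append(Finding(host, "staging_public_music", detail))
        # Tactic 2: a freshly created local account added to Administrators.
        elif ev == "UserCreated":
            new_accounts[host].add(detail.lower())
        elif ev == "GroupMemberAdded":
            group, _, user = detail.partition(":")
            if group.lower() == "administrators" and user.lower() in new_accounts[host]:
                findings.append(Finding(host, "new_admin_account", user))
        # Tactic 3: encryption footprint, files renamed with the .play extension.
        elif ev == "FileRename" and detail.lower().endswith(".play"):
            play_ext_count[host] += 1
    for host, count in play_ext_count.items():
        if count >= PLAY_BURST_THRESHOLD:
            findings.append(Finding(host, "play_extension_burst", f"{count} files"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f.host:6} {f.rule:24} {f.detail}")
```

On the constructed sample the rules flag the executable in the public music folder on ws01 twice (file creation and process launch), the account svc_backup that was created and then added to Administrators on ws01, and a burst of three “.play” renames on fs01; the single rename on ws02 stays below the threshold and the MP3 in the music folder is ignored. In production the same logic would sit on top of a real event source (for instance Windows Security events for account creation and group changes, and EDR or Sysmon file events), and the account rule would be correlated over a bounded time window.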

With more ransomware groups offering themselves as a service to other cybercriminals to utilize in their cyberattacks, it’s important for companies to remain vigilant of the current threat landscape and regularly update their networks’ security infrastructure. At SpearTip, our certified engineers are continuously monitoring companies’ data networks at our 24/7/365 Security Operations Center for potential ransomware threats like the Play ransomware. Our IT remediation team works to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets. ShadowSpear Platform, our integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualizations to expose sophisticated unknown and advanced ransomware threats. Our IR planning engages a three-phase approach, which includes pre-incident, active incident, and post-incident planning processes. In the pre-incident aspect, SpearTip identifies key stakeholders and decision-makers, critical data, and potential access points and then engages in a live test, after which we offer remediation guidance. To benefit companies’ teams during an incident, we assist in developing a communications plan designed to detect and isolate the precise threat with a customized strategy map. The post-incident planning process development includes root cause and investigative audit, improvement analysis, and backup recovery.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

