Double-Extortion Play Ransomware Attacks 300 Organizations Worldwide

December 19, 2023NewsroomRansomware / Threat Intelligence

Playing with Ransomware

The threat actors behind the Play ransomware are estimated to have affected approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the US

“Ransomware actors use a double extortion model, encryption systems after exfiltrating data and affecting many businesses and critical infrastructure organizations in North America, South America , Europe, and Australia,” authorities. SAYS.

Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE- 20120-12ach enterprise) and deploy file-encrypting malware.

It is worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from almost zero in the second half of 2022 to almost a third in the first half of 2023, respectively data from Corvus.


Cook AI-Powered Threats with Zero Trust – Webinar for Security Professionals

Traditional security measures just won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join now

The cybersecurity company Adlumin, in a report published last month, revealed that it is offered to other threat actors “as a service,” completing its transformation into a ransomware-as-a-service. (RaaS) operation.

Ransomware attacks orchestrated by the group are characterized by the use of public and specialized tools such as AdFind to run Active Directory queries, Grixba to quantify network information, GMER, IOBit, and PowerTool for disabling antivirus software, and Grixba for collecting information about backup software and remote administration tools installed on a machine.

Threat actors have also been observed performing lateral movement and data exfiltration and encryption measures, banking on Cobalt Strike, SystemBC, and Mimikatz for post-exploitation.

“The Play ransomware group uses a double extortion model, encrypting systems after exfiltrating data,” the agencies said. “The ransom notes did not include an initial ransom demand or payment instructions, instead, victims were instructed to contact the threat actors via email.”

According to statistics compiled by MalwarebytesPlay is said to have claimed nearly 40 victims in November 2023 alone, but is increasingly going after its partners. LockBit and Black cat (aka ALPHV and Noberus).

The alert comes days after US government agencies released an updated bulletin about the Karakurt group, which is known to eschew encryption-based attacks in favor of pure extortion after obtaining an initial access to networks by purchasing stolen login credentials, intrusion brokers (aka initial access brokers. ), phishing, and known security flaws.

“Karakurt victims did not report encryption of compromised machines or files; instead, Karakurt actors claimed to steal the data and threatened to auction it off or release it publicly unless they received a payment for the ransom demanded, “the government SAYS.


Improvements also come in between assumptions that BlackCat ransomware could be a target of a law enforcement operation after its dark web leak portals were offline for five days. However, the e-crime collective put the loss down to a hardware failure.

Additionally, another new ransomware group known as NoEscape is said to exist took an exit scameffectively “stealing ransom payments and shutting down the group’s web panels and data leak sites,” prompting other gangs like LockBit to recruit their former affiliates.

That the ransomware landscape is constantly evolving and shifting, even if it is due to external pressure from law enforcement, is not surprising at all. This is further evidence of collaboration between BianLian, White Rabbit, and Mario ransomware gangs in a joint extortion campaign targeting publicly traded financial services companies.

“These cooperative ransom campaigns are rare, but are likely to become more common due to the involvement of initial access brokers (IABs) who collaborate with many groups on the dark web,” Resecurity SAYS in a report published last week.

“Another factor that may lead to greater collaboration is law enforcement interventions that create cybercriminal diaspora networks. Disaffected participants in these threat actor networks may be more willing to cooperate of opponents.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment