The ransomware strain known as Play is now being offered "as a service" to other threat actors, new evidence obtained by Adlumin reveals.
“The unusual lack of even slight differences between the attacks suggests that they were carried out by affiliates who purchased ransomware-as-a-service (RaaS) and followed a series of instructions from the playbook provided with it,” the cybersecurity company said in a report shared with The Hacker News.
The findings are based on several Play ransomware attacks tracked by Adlumin across different sectors that used almost identical tactics, executed in the same sequence.
This includes staging the malicious file in the public music folder (C:\…\public\music) to hide it, using the same password when creating high-privileged accounts, and running the same or near-identical commands.
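The two host-level behaviours the report singles out (a payload staged under the public music folder, and a new account that is promptly granted administrative rights) can be turned into simple detection logic. The following is an added example written for this page, not Adlumin's code or a rule from the report. It assumes the folder in question is the default Windows location C:\Users\Public\Music (the page only shows a truncated path), and it runs over a handful of constructed log records shaped like Sysmon FileCreate (Event ID 11) and Windows Security account-management events (4720 user created, 4732 member added to a local group):

```python
"""Toy detection for two Play-affiliate playbook behaviours: a payload staged
under the public music folder and a freshly created account that is added to
the local Administrators group within minutes.  All log records below are
constructed for this example; they are not real telemetry."""

import json
import re
from datetime import datetime, timedelta

# Assumption: the "public music" folder the report refers to is the default
# Windows location C:\Users\Public\Music (the page only shows a truncated path).
PUBLIC_MUSIC = re.compile(r"^c:\\users\\public\\music\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".scr")

# Well-known SID of the local BUILTIN\Administrators group.
ADMINS_SID = "S-1-5-32-544"

# Constructed sample events, one JSON object per line, with normalised fields
# (event_id 11 = Sysmon FileCreate, 4720 = user created, 4732 = added to group).
SAMPLE_LOG = r"""
{"ts":"2023-11-20T03:12:01","host":"WS01","event_id":11,"user":"CORP\\svc_backup","path":"C:\\Users\\Public\\Music\\update.exe"}
{"ts":"2023-11-20T03:12:02","host":"WS01","event_id":11,"user":"CORP\\alice","path":"C:\\Users\\Public\\Music\\track01.mp3"}
{"ts":"2023-11-20T03:15:40","host":"WS01","event_id":4720,"user":"CORP\\svc_backup","target":"helpdesk2"}
{"ts":"2023-11-20T03:15:43","host":"WS01","event_id":4732,"user":"CORP\\svc_backup","target":"helpdesk2","group_sid":"S-1-5-32-544"}
{"ts":"2023-11-20T09:00:00","host":"WS02","event_id":4720,"user":"CORP\\itadmin","target":"contractor7"}
{"ts":"2023-11-21T10:30:00","host":"WS02","event_id":4732,"user":"CORP\\itadmin","target":"contractor7","group_sid":"S-1-5-32-544"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events; 'ts' becomes a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def staged_payloads(events):
    """Executable-looking files written under the public music folder.

    A real media file dropped there (the .mp3 sample) is deliberately ignored
    so the rule keys on what the folder is being abused for, not the folder alone.
    """
    return [
        ev for ev in events
        if ev["event_id"] == 11
        and PUBLIC_MUSIC.match(ev["path"])
        and ev["path"].lower().endswith(EXEC_EXT)
    ]


def fast_privilege_grants(events, window=timedelta(minutes=10)):
    """Account created (4720) and then added to Administrators (4732) on the
    same host within `window`: the 'create a high-privileged account' step."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("target"))
        if ev["event_id"] == 4720:
            created[key] = ev["ts"]
        elif ev["event_id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            t0 = created.get(key)
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "seconds": (ev["ts"] - t0).total_seconds(),
                })
    return hits


def detect(text):
    """Run both rules over a log blob and return the findings."""
    events = parse_events(text)
    return {
        "staged": [e["path"] for e in staged_payloads(events)],
        "privileged_accounts": fast_privilege_grants(events),
    }


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

On the sample data the first rule flags only `update.exe` (not the .mp3 beside it), and the second flags `helpdesk2` on WS01, which went from creation to Administrators in three seconds, while the WS02 account promoted a day after creation falls outside the ten-minute window. Both thresholds (the extension list and the window) are tuning knobs, not values taken from the report.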
Play, also called Balloonfly and PlayCrypt, first came to light in June 2022. It has exploited security flaws in Microsoft Exchange Server, namely ProxyNotShell and OWASSRF, to infiltrate networks, drop remote administration tools such as AnyDesk, and ultimately deploy the ransomware.
Besides the use of custom data collection tools like Grixba for double extortion, a notable aspect that distinguished Play from other ransomware groups was that the operators who developed the malware also carried out the attacks themselves, rather than handing it to affiliates.
The new development therefore marks a shift, completing Play's transformation into a RaaS operation and making it an accessible option for less skilled cybercriminals.
“When RaaS operators advertise ransomware kits with everything a hacker needs, including documentation, forums, technical support, and ransom negotiation support, script kids will be tempted to try their luck and use their skills,” said Adlumin.
“And since there are probably more script kiddies than ‘real hackers’ today, businesses and authorities need to be vigilant and prepare for increasing incidents.”