Who is the Play ransomware group?

The Play ransomware group first emerged in late 2019 and is known for targeting large enterprises and government organizations. According to CISA, Play operates as a closed ransomware-as-a-service group to “guarantee the secrecy of deals.” Their campaigns gain initial access through exposed RDP, phishing emails, or the exploitation of vulnerabilities. Once inside a network, they move laterally and deploy ransomware that encrypts files and demands large ransom payments in Bitcoin to decrypt them.

Play has quickly risen to become one of the most prolific ransomware groups. They have claimed responsibility for high-profile attacks against the City of Hartford, Connecticut, the City of Oakland, California, and several major technology companies. While the full scope of their activities is unknown, researchers estimate Play may be behind attacks impacting thousands of victims globally. Their technical sophistication, negotiation tactics, and operational security have allowed them to extort millions in ransom payments.

Notable Attacks

Play is known for targeting large organizations in the manufacturing, technology, healthcare, education, insurance, and government sectors. Some of their major ransomware attacks include:

In April 2022, Play hit over 120 schools and 28 school districts across the state of Illinois, leading to widespread disruptions and closures. The ransomware encrypted files and servers, knocked out WiFi, and disabled applications like grading systems.

In August 2022, Play attacked a US hospital network in the Midwest, forcing them to divert ambulances and rebuild their systems. The disruptions led to risks in patient care and safety.

In October 2022, Play breached the Houston Housing Authority network, taking down email, phones, security systems, and tenant services for over 55,000 residents. Play demanded $3 million in Bitcoin.

In December 2022, Play hit major US cities like Memphis and Atlanta with ransomware, taking down government services, websites, payment systems and more. The cities refused to pay the multi-million dollar ransoms.

Leadership & Members

The Play ransomware group operates as a closed group in order to maintain secrecy and anonymity, according to a statement on their dark web leak site (Joint Cybersecurity Advisory: #StopRansomware). Very little is publicly known about the actual members and leaders of Play. Some analysts believe the group may have connections to Android ransomware, as Play ransomware apps have been found targeting Android devices (Agencies alert of threat by new Play ransomware group). However, definitive information tying Play to other known cybercriminal groups has not emerged.

While individual members remain anonymous, Play has communicated as a group through postings on their dark web leak site. Based on the sophisticated nature of their ransomware code and attacks, analysts assess that Play likely has experienced ransomware developers among its membership. Their ability to exploit multiple zero-day vulnerabilities indicates the group has access to advanced hacking capabilities (Play Ransomware Using MSPs and N-Days to Attack).

Overall, the secrecy maintained by the Play leadership means their identities and organizational structure are largely unknown at this time. The group has intentionally cloaked itself in anonymity to avoid scrutiny from law enforcement agencies.

Technical Sophistication

Play ransomware first emerged in 2021 and, according to cybersecurity researchers, exhibits a high degree of technical sophistication. The malware is written in Golang, which enables cross-platform attacks across Windows, Linux, and macOS devices (https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play).

Play utilizes robust encryption algorithms, such as ChaCha20 and RSA-2048, to encrypt files, which makes decryption without the key extremely difficult. It is also capable of enumerating network shares in order to encrypt entire networks (https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play).

Some of Play’s innovations include checking for security software and virtual environments to evade detection, using legitimate remote access tools like TeamViewer for lateral movement, and deleting volume shadow copies to prevent recovery (https://explore.avertium.com/resource/an-in-depth-look-at-play-ransomware).
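Two of the behaviours just listed, shadow copy deletion and the use of a legitimate remote access tool for lateral movement, are exactly the kind of host telemetry a defender can alert on. The following Python is an added example written for this page, not code from the original article or from any vendor cited here: it runs two simple rules over constructed process-creation events. Host names, user names, file paths, the tool lists and the server-prefix naming convention are all assumptions made for the example.

```python
import ntpath
from collections import namedtuple

# Minimal process-creation record; field names loosely follow Sysmon Event ID 1
# (a hypothetical simplification for the example, not a real schema).
Event = namedtuple("Event", "host user image cmdline")

# Constructed sample events (not real telemetry from any incident).
SAMPLE_EVENTS = [
    Event("WKSTN-17", "CORP\\jdoe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "WINWORD.EXE /n report.docx"),
    Event("FILESRV01", "CORP\\svc_backup",
          r"C:\Windows\System32\vssadmin.exe",
          "vssadmin delete shadows /all /quiet"),
    Event("FILESRV01", "CORP\\svc_backup",
          r"C:\Windows\System32\wbem\WMIC.exe",
          "wmic shadowcopy delete"),
    Event("DC01", "CORP\\admin",
          r"C:\Windows\System32\vssadmin.exe",
          "vssadmin list shadows"),
    Event("FILESRV02", "CORP\\helpdesk",
          r"C:\Program Files\TeamViewer\TeamViewer.exe",
          "TeamViewer.exe"),
    Event("WKSTN-04", "CORP\\asmith",
          r"C:\Program Files\TeamViewer\TeamViewer.exe",
          "TeamViewer.exe"),
]

# Binaries that can remove or shrink volume shadow copies.
SHADOW_TOOLS = {"vssadmin.exe", "wmic.exe", "diskshadow.exe", "powershell.exe"}
# Remote-access tools tolerated on workstations but not on servers in this
# assumed environment.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe"}
# Assumed naming convention: hosts with these prefixes are servers.
SERVER_PREFIXES = ("FILESRV", "DC", "SQL")


def image_name(path):
    """Return the lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()


def is_shadow_copy_deletion(event):
    """True when a shadow-copy tool is invoked with a delete/resize verb.

    Listing shadow copies is normal admin activity and is deliberately not flagged.
    """
    if image_name(event.image) not in SHADOW_TOOLS:
        return False
    cmd = event.cmdline.lower()
    return "shadow" in cmd and any(verb in cmd for verb in ("delete", "resize"))


def is_remote_tool_on_server(event):
    """True when a remote-access tool starts on a host named like a server."""
    return (image_name(event.image) in REMOTE_ACCESS_TOOLS
            and event.host.upper().startswith(SERVER_PREFIXES))


RULES = [
    ("shadow_copy_deletion", is_shadow_copy_deletion),
    ("remote_access_tool_on_server", is_remote_tool_on_server),
]


def detect(events):
    """Run every rule over every event; return (rule, host, user, cmdline) hits."""
    return [(name, e.host, e.user, e.cmdline)
            for e in events for name, rule in RULES if rule(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, the two shadow-copy deletions on FILESRV01 and the TeamViewer start on FILESRV02 are reported, while the read-only `vssadmin list shadows` on DC01 and the workstation TeamViewer session are not. In a real environment the server list and the tolerated-tool set would come from inventory rather than a host-name prefix.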

Overall, Play demonstrates an advanced understanding of system internals, data encryption, and operational security which allows it to effectively extort victims.

Negotiation Tactics

Play frequently uses a dedicated website to negotiate and collect ransom payments from victims. Ransoms usually start at a notably high amount and gradually decrease over several weeks of negotiations. Their website includes threats to publish stolen data if payment is not received by set deadlines. Initially, the ransom demand is typically around $7 million to $12 million worth of cryptocurrency. They tailor the amount to the victim organization’s perceived ability to pay. However, as negotiations continue, the ransom price can decrease to as low as $50,000 or $100,000 in Bitcoin or Monero. Play displays a countdown timer showing when they will leak or auction off stolen data if payment is not made.

Play members also frequently contact victims through call centers to negotiate payments, reportedly sounding professional and speaking fluent English. These call agents apply significant pressure on victims to pay the ransom on time (Nuspire). The group threatened one victim that if payment was not made in 48 hours, the ransom would increase from $5 million to $10 million. As part of their negotiation tactics, Play also shares samples of stolen data to prove they have compromised sensitive information and holds auctions on their dark web site to sell data to the highest bidder if the deadline passes. These auctions have reportedly sold victim data for hundreds of thousands of dollars.

Victim Impact

Play ransomware attacks have caused significant damage and disruption to victims. According to the FBI, Play has impacted over 300 organizations globally since June 2022, with victims spanning multiple sectors including technology, telecommunications, manufacturing, healthcare, and critical infrastructure like airports and emergency services (FBI: Play ransomware breached 300 victims, including critical orgs). Victims report having terabytes of data stolen and encrypted by Play, crippling day-to-day operations.

Recovery is extremely challenging for Play victims. Restoring systems from backups can take weeks or months, and organizations often have to rebuild networks from scratch. Many victims pay the ransom demand, which can be millions of dollars, in order to regain access to their data. However, paying does not guarantee a full decryption key or prevent stolen data from being leaked. Victims also face high costs for incident response, legal fees, IT upgrades, and lost business due to outages.

In addition to financial impacts, Play attacks have jeopardized sensitive data and put individuals at risk. Victims include hospitals, where patient records were compromised, and critical infrastructure companies serving millions of customers. The disruption causes far-reaching harm to communities relying on these services.

Law Enforcement Actions

The Federal Bureau of Investigation (FBI) and other U.S. federal law enforcement agencies have been actively investigating the Play ransomware group.

In December 2022, the FBI released an advisory detailing the tactics, techniques, and procedures of the Play ransomware group, in order to help organizations defend themselves against this threat (https://www.hipaajournal.com/threat-intelligence-play-ransomware/). The advisory provided technical indicators of compromise and mitigation recommendations.

The FBI says that identifying and prosecuting the individuals behind Play has proven challenging, as the group uses anonymizing services and cryptocurrencies to cover their tracks. However, law enforcement efforts continue in coordination with international partners (https://thehackernews.com/2023/12/double-extortion-play-ransomware.html).

In October 2022, the Dallas County government in Texas suffered a Play ransomware attack impacting multiple agencies. The FBI and Secret Service are investigating the incident and assisting the county with its response and recovery (https://therecord.media/dallas-county-play-ransomware-incident).

Trends and Predictions

In 2022 through early 2023, the Play ransomware group expanded their arsenal of tools and exploits, adding several new vulnerabilities to target victims, according to Trend Micro (https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play). These include Confluence and VMware vulnerabilities, which they began exploiting regularly after gaining access to victims’ networks. They often target managed service providers and other organizations with access to many downstream targets.

Experts predict Play will continue evolving their tactics, seeking new vulnerabilities and exploits to compromise victims (https://www.securitymagazine.com/articles/100267-cisa-releases-play-ransomware-guidelines). Their negotiation tactics are also evolving, with some victims reporting more reasonable demands in recent months. However, Play remains one of the more active and damaging ransomware groups impacting organizations globally.

Many security leaders expect Play to expand encryption of Linux-based systems, as most of their attacks have focused on Windows. Continued collaboration between international law enforcement and security researchers will be needed to disrupt Play’s operations and protect potential victims.

Defense Strategies

The CISA alert recommends several steps organizations can take to defend against Play ransomware attacks:

– Keep all operating systems and software up to date to mitigate the vulnerabilities Play exploits.

– Implement robust network segmentation between endpoints and critical servers to prevent lateral movement.

– Enforce account lockouts after a number of failed login attempts to prevent brute force attacks.

– Enable strong spam filters to block phishing emails, a main initial infection vector.

– Train employees to identify social engineering techniques and phishing attempts.

– Maintain offline, encrypted backups of data to aid recovery if compromised.

– Deploy endpoint detection and threat hunting tools to identify intrusions early.

– Follow the MITRE ATT&CK framework for comprehensive defense strategies against Play’s specific TTPs.

Implementing these controls can significantly impede Play’s ability to infiltrate networks, spread ransomware payloads, and encrypt or steal data.
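The account-lockout recommendation above pairs naturally with a detection for the brute-force activity it is meant to stop, and a lockout alone does not catch the related password-spray pattern (one source, many accounts, one failure each). The Python below is an added example written for this page, not code from CISA or the original article: it applies a sliding window to constructed failed-logon records, raises one alert per account/source pair that crosses the threshold, and separately alerts on a source that fails against many distinct accounts. Timestamps, account names, addresses, thresholds and the record shape are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-logon records: (timestamp, account, source address, logon type).
# The shape loosely mirrors Windows Event ID 4625 fields; the data is invented.
FAILED_LOGONS = [
    ("2023-11-02T08:00:01", "administrator", "203.0.113.5", "RemoteInteractive"),
    ("2023-11-02T08:00:14", "administrator", "203.0.113.5", "RemoteInteractive"),
    ("2023-11-02T08:00:29", "administrator", "203.0.113.5", "RemoteInteractive"),
    ("2023-11-02T08:00:47", "administrator", "203.0.113.5", "RemoteInteractive"),
    ("2023-11-02T08:01:03", "administrator", "203.0.113.5", "RemoteInteractive"),
    ("2023-11-02T08:01:20", "administrator", "203.0.113.5", "RemoteInteractive"),
    ("2023-11-02T08:30:00", "alice", "198.51.100.9", "RemoteInteractive"),
    ("2023-11-02T08:30:12", "bob", "198.51.100.9", "RemoteInteractive"),
    ("2023-11-02T08:30:25", "carol", "198.51.100.9", "RemoteInteractive"),
    ("2023-11-02T08:30:40", "dave", "198.51.100.9", "RemoteInteractive"),
    ("2023-11-02T08:30:55", "erin", "198.51.100.9", "RemoteInteractive"),
    ("2023-11-02T08:31:10", "frank", "198.51.100.9", "RemoteInteractive"),
    ("2023-11-02T09:15:00", "jdoe", "10.0.4.22", "Interactive"),
    ("2023-11-02T09:16:10", "jdoe", "10.0.4.22", "Interactive"),
]

THRESHOLD = 5                  # assumed: aligned with a 5-attempt lockout policy
WINDOW = timedelta(minutes=10)  # assumed observation window


def _expire(queue, now, window, key=lambda item: item):
    """Drop queue entries older than `window` relative to `now`."""
    while queue and now - key(queue[0]) > window:
        queue.popleft()


def detect_bruteforce(records, threshold=THRESHOLD, window=WINDOW):
    """One alert per (account, source) once failures in the window reach threshold."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts_str, account, src, _ in sorted(records):
        ts = datetime.fromisoformat(ts_str)
        key = (account.lower(), src)
        queue = recent[key]
        queue.append(ts)
        _expire(queue, ts, window)
        if len(queue) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "bruteforce", "account": account, "source": src,
                           "failures": len(queue), "first": queue[0].isoformat(),
                           "last": ts.isoformat()})
    return alerts


def detect_spray(records, threshold=THRESHOLD, window=WINDOW):
    """One alert per source once it has failed against `threshold` distinct accounts."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts_str, account, src, _ in sorted(records):
        ts = datetime.fromisoformat(ts_str)
        queue = recent[src]
        queue.append((ts, account.lower()))
        _expire(queue, ts, window, key=lambda item: item[0])
        distinct = {acct for _, acct in queue}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"rule": "password_spray", "source": src,
                           "accounts": len(distinct), "first": queue[0][0].isoformat(),
                           "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(FAILED_LOGONS) + detect_spray(FAILED_LOGONS):
        print(alert)
```

On the constructed data the brute-force rule fires once for `administrator` from 203.0.113.5 at the fifth failure, the spray rule fires once for 198.51.100.9 at the fifth distinct account, and the two mistyped passwords from jdoe trigger nothing. The spray source never trips the brute-force rule, which is the gap a per-account lockout policy leaves and the reason the second check is worth running alongside it.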

Conclusion

In summary, the Play ransomware group appears to be an emerging threat with notable technical capabilities and evolving tactics. Key takeaways include:

– Play initially targeted the healthcare sector but expanded to other sectors like education and telecoms. They have compromised high-value targets with purportedly stolen data as evidence.

– The group uses robust encryption algorithms to lock files and threatens DDoS attacks if the ransom isn’t paid. Their malware can rapidly encrypt entire networks.

– Play claims to have insider access to companies and exhibits some insider knowledge during negotiations. Their tactics involve pressuring victims through threats and deadlines.

– Researchers have found evidence linking Play to other ransomware groups. While their origins remain uncertain, their tactics have rapidly evolved.

– Law enforcement has advised victims not to pay ransoms, but Play often successfully obtains large ransoms through difficult negotiations.

– Defending against Play requires a multi-layered approach given their technical capabilities and negotiation acumen. Vigilance and prevention are key as incidents can quickly spiral out of control.