Blog Post August 17, 2023

PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers

By: Kevin O’Connor, Director of Threat Research

Key Takeaways

  • The Adlumin Threat Research team uncovered a concentrated global campaign employing sophisticated Play ransomware (also identified as PlayCrypt). The campaign is currently targeting mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. The PlayCrypt ransomware group was previously linked to the City of Oakland attack in March 2023.
  • Cybercriminals are directing their efforts toward the managed service providers (MSPs) of these enterprises, using the MSPs’ remote monitoring and management (RMM) software as a vector or entry point into the targeted systems, which provides complete administrative access.
  • Additional attack vectors are Fortinet firewalls with 3–5-year-old vulnerabilities (CVE-2018-13379 and CVE-2020-12812), and other compromised software in the supply chain.
  • PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.
  • This article examines the tactics, techniques, and procedures (TTPs) of threat actors utilizing PlayCrypt, as mapped in the MITRE ATT&CK framework, and observed during an attack and subsequent investigation by the Adlumin MDR and Incident Response Teams.

Initial Access

Last month, in the wee hours of the night, a threat actor deploying PlayCrypt leveraged the Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer’s environment, bypassing the majority of its defenses.

RMM software serves as the central nervous system of modern-day service providers. It gives users unfettered, privileged access to networks so operators can deliver seamless support and IT operation functions to a distributed cohort of customers.

But the PlayCrypt ransomware group can utilize the same remote access capability to wreak havoc on mid-market firms.

The ransomware debuted in June 2022 and is strongly affiliated with the Balloonfly malware group. It employs double-extortion tactics, stealing victim data before encrypting their networks.

Recently, PlayCrypt expanded its toolkit with new tools and exploits like ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution exploit.

Besides using Remote Desktop Protocol servers as a vector for network infiltration, the attackers can also exploit FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812) and other compromised software in the supply chain.

In the incident involving PlayCrypt ransomware, Adlumin analysts believe there were at least two potential methods of intrusion. The first possibility is that the hackers gained access through compromised remote desktop software credentials. The second is that they may have exploited a vulnerability in the software itself.

Execution

Once inside the victim’s network, attackers can move quickly to deploy more exploits to gain a solid foothold on the system. These exploits include PowerShell scripts, Microsoft Server Remote Code Execution, and batch files.

Defense Evasion

When exploits have given threat actors root access, they begin creating admin-privileged accounts that can be used to disable security tools. For example, the Adlumin MDR team noticed that hackers utilized the Windows registry to shut down Windows Defender after creating a privileged account.
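The sequence described above, a new privileged account followed by a Defender registry change, can be expressed as a correlation over Windows Security events 4720/4732 and Sysmon event 13. This is an added example, not Adlumin's detection logic; the flattened field names, the 30-minute window, and the sample events (hosts, accounts, placeholder registry value name) are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)                  # assumed correlation window
DEFENDER_KEY = "\\microsoft\\windows defender"  # substring of the Defender registry path

# Constructed events, flattened the way a SIEM export might look (field names assumed).
# 4720 = account created, 4732 = added to local group, 13 = Sysmon registry value set.
EVENTS = [
    {"ts": "2023-01-10T02:14:05", "host": "FS01", "id": 4720, "account": "helpdesk2"},
    {"ts": "2023-01-10T02:14:09", "host": "FS01", "id": 4732, "account": "helpdesk2",
     "group": "Administrators"},
    {"ts": "2023-01-10T02:16:40", "host": "FS01", "id": 13, "user": "FS01\\helpdesk2",
     "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\<value>"},
    {"ts": "2023-01-10T09:00:00", "host": "WS07", "id": 13, "user": "CORP\\it.admin",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\<value>"},
    {"ts": "2023-01-10T03:30:00", "host": "DB02", "id": 4732, "account": "dba.new",
     "group": "Administrators"},
]


def correlate(events, window=WINDOW):
    """Alert when a newly elevated account edits Defender registry keys on the same host."""
    elevated = {}   # (host, account) -> time the account joined Administrators
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            elevated[(ev["host"], ev["account"].lower())] = ts
        elif ev["id"] == 13 and DEFENDER_KEY in ev.get("key", "").lower():
            account = ev["user"].split("\\")[-1].lower()
            since = elevated.get((ev["host"], account))
            if since is not None and ts - since <= window:
                alerts.append({"host": ev["host"], "account": account,
                               "delay_s": int((ts - since).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The established administrator on WS07 and the account addition on DB02 do not alert on their own; only the pairing on one host within the window does.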

Adversaries can also replicate the traffic patterns of legitimate users, thereby making it complicated for network security tools to discern between malicious and normal activities.

During the defense evasion stage, threat actors can also delete signs that they are in the system to throw off cybersecurity teams.

Credential Access

To evade detection, threat actors use tools such as Mimikatz to extract credentials. These compromised usernames and passwords are subsequently used to escalate privileges, move laterally across the network, and facilitate data exfiltration.

Halting The Attack

The AI-powered Adlumin Security Operations platform was successful in detecting and stopping malicious activity when PlayCrypt ransomware was used. The platform uses automated Security Orchestration Automation and Response (SOAR) actions to isolate impacted endpoints, disable suspicious accounts, reset passwords, initiate scans, and more. As a result of the detections and SOAR actions taken, the MDR team immediately received notifications and started to investigate further and take additional mitigation actions.

During the incident, the MDR team discovered and stopped data exfiltration processes through the FTP port that the hacker had initiated. The team also found malware executables hidden in temporary and system folders.

Command and control (C2) systems activity was also detected. This information allowed an analyst to gather information on the hacker’s location through IP and geolocation.

Finally, analysts found that the hacker(s) also deleted volume shadow copies to prevent the customer from restoring from backups.

Incident Response

The Adlumin Incident Response (IR) team joined the investigation to take a deeper dive into the threat actor’s TTPs and examined the malware used through reverse engineering.

The IR team found that PlayCrypt ransomware’s code is highly obfuscated and shows strong resistance to typical analysis techniques. Notably, this ransomware group is the first to employ intermittent encryption – a technique that partially encrypts files in chunks of 0x100000 bytes to evade detection.
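A defender can look for the footprint this leaves on disk: some 0x100000-byte chunks of a file read as random data while their neighbours are untouched. The following Python example is added here and is not Adlumin's code or part of the original post; the 7.9 bits-per-byte threshold, the minimum chunk size, and the constructed sample files (arbitrary chunk positions overwritten with random bytes) are assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 0x100000      # chunk size reported in the article (1 MiB)
HIGH_ENTROPY = 7.9    # assumed threshold in bits/byte; ciphertext sits near 8.0
MIN_CHUNK = 4096      # assumed: shorter tail chunks are too small to judge


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chunk_profile(data: bytes) -> list:
    """One bool per CHUNK-sized block: True if it looks like ciphertext."""
    blocks = (data[i:i + CHUNK] for i in range(0, len(data), CHUNK))
    return [shannon_entropy(b) >= HIGH_ENTROPY for b in blocks if len(b) >= MIN_CHUNK]


def classify(data: bytes) -> str:
    """Label a file by how many of its chunks look encrypted."""
    profile = chunk_profile(data)
    if not any(profile):
        return "clean"
    if all(profile):
        return "uniformly-high"   # full encryption, but also zip/jpeg/video
    return "mixed"                # some chunks random, some not: intermittent pattern


def build_samples() -> dict:
    """Constructed 4 MiB test files; the overwritten chunk positions are arbitrary."""
    plain = (b"2023-08-17 INFO invoice=1042 status=paid\n" * 110000)[:4 * CHUNK]
    partial = bytearray(plain)
    for idx in (0, 2):            # stand-in for encrypted chunks: random bytes
        partial[idx * CHUNK:(idx + 1) * CHUNK] = os.urandom(CHUNK)
    return {"plain": plain, "partial": bytes(partial), "full": os.urandom(4 * CHUNK)}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, round(shannon_entropy(data), 2), classify(data))
```

The whole-file entropy of the partially overwritten sample stays below the threshold, which is why the check is made per chunk rather than per file.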

Once in a network, threat actors use living-off-the-land binaries (“lolbins”) in the ransomware attacks. They distribute executables through Group Policy Objects, employing scheduled tasks, PsExec, or WMIC. Upon achieving full network access, they encrypt files with the “.play” extension.

Recommendations

  • Adlumin recommends that customers choose MSPs with strong security records and know-how for identifying and handling data breaches.
  • As for MSPs, we recommend the use of stronger credentials and the implementation of multi-factor authentication to prevent threat actors from taking advantage of RMM software.

The Adlumin Advantage

The combination of automated SOAR actions implemented by Adlumin’s Security Operations Platform and the rapid response of the MDR and Incident Response teams successfully thwarted the attacker’s advances. Had the hacker been successful, they would have held all the customer’s sensitive data hostage through encryption, demanding a ransom.

With the threat neutralized, Adlumin strengthened its defenses, armed with valuable insights from the reverse-engineered PlayCrypt ransomware samples. The IOCs uncovered during the investigation now serve as a robust shield against future attacks, ensuring the protection of customer data and upholding their commitment to cybersecurity excellence.