- Ransomware Spotlight: Play
In this section, we examine Play ransomware’s attempts to compromise organizations from June 2022 to May 2023 based on Trend's Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend customers and does not contain all victims of Play ransomware. In that time period, Play ransomware activity climbed steadily, peaking in December 2022 with 170 attack attempts.
Data from customers who specified their industries showed that Play ransomware appeared most active in the telecommunications sector. The healthcare sector and the communication and media sector were also highly targeted.
Our telemetry also shows that the heaviest concentration of Play ransomware attack attempts was made against organizations located in Germany, which composed 15.4% of the total detections. This is followed closely by the United States and Portugal, at 15.3% and 15%, respectively.
This section looks at data based on attacks recorded on the leak site of the operators behind Play ransomware from June 2022 to May 2023. Based on both Trend's open-source intelligence (OSINT) research and investigations into the leak site, Play ransomware actors had managed to compromise a total of 110 victims who refused to pay the ransom demand as of this writing.
Organizations based in Europe were the hardest hit among the victims identified in Play’s leak site at 49 attacks; those in North America came in second at 39. More specifically, the United States was at the receiving end of most of the attacks, with 33 affected organizations. Many confirmed ransomware attacks also took place in Germany and France, with 9 and 8 victims respectively.
Figure 4. The distribution by region of Play ransomware’s victim organizations (June 2022 - May 2023)
Sources: Play ransomware’s leak site and Trend’s OSINT research
The leak site data indicates that the IT industry was most targeted by Play’s attacks, followed by transportation. Other affected organizations include those in the construction and materials industry, as well as government entities.
Figure 5. The top 10 countries most targeted by Play ransomware threat actors (June 2022 - May 2023)
Sources: Play ransomware’s leak site and Trend’s OSINT research
Most of Play ransomware’s victim organizations were small businesses; however, a number of affected organizations did not have their sizes specified.
Figure 6. The top 10 industries most targeted by Play ransomware threat actors (June 2022 - May 2023)
Sources: Play ransomware’s leak site and Trend’s OSINT research
Play ransomware may use different tools to move laterally across a victim’s system:
Figure 10. Play ransomware’s dropped ransom note
| Initial Access | Execution | Defense Evasion | Credential Access | Discovery | Lateral Movement | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|
| T1190 - Exploit Public-Facing Application | T1059 - Command and Scripting Interpreter | T1562 - Impair Defenses | T1003 - OS Credential Dumping | T1033 - System Owner/User Discovery | T1021 - Remote Services: SMB/Windows Admin Shares | T1071 - Application Layer Protocol | T1002 - Data Compressed | T1486 - Data Encrypted for Impact |
| | T1203 - Exploitation for Client Execution | T1140 - Deobfuscate/Decode Files or Information | | | | | T1048 - Exfiltration Over Alternative Protocol | T1489 - Service Stop |
| | | T1070 - Indicator Removal | | | | | | T1490 - Inhibit System Recovery |
Security teams should keep an eye out for the presence of these malware tools and exploits that are typically used in Play’s ransomware attacks:
Initial Access | Execution | Discovery | Credential Access | Lateral Movement | Defense Evasion | Exfiltration | Impact |
---|---|---|---|---|---|---|---|
Our analysis of Play ransomware underscores the great strides modern threat actors have taken in designing attacks that are better equipped to go under the radar and avoid detection. In light of this, organizations should stay vigilant of ransomware actors that have turned to red-team or penetration-testing tools as a means of camouflaging their presence when infiltrating their targeted systems.
In defending systems against threats like Play ransomware, organizations can benefit from establishing security frameworks that can allocate resources systematically for establishing solid defenses against ransomware. Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.
Trend Vision One customers can use the following hunting query to check for the presence of Play Ransomware in endpoints:
• fullPath:("*.play" OR "*\\ReadMe.txt")
• malName:(*PLAYDE* OR *PLAYCRYPT*)
Customers can also hunt for ransomware or component binaries in specific locations using this query:
• FileFullPath:(Music OR Perflogs OR LocalTemp) AND eventSubId:101 AND FileFullPath:.exe
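The hunting queries above express two separate checks: known Play artifacts (the `.play` extension, the `ReadMe.txt` ransom note, detection names containing `PLAYDE` or `PLAYCRYPT`) and executables written into unusual user-writable directories. For teams that do not use Trend Vision One, or that want to replay the same logic over exported endpoint events, the following Python script reimplements both checks. It is an added example, not Trend's code; the event field names (`fullPath`, `malName`, `eventSubId`) are borrowed from the queries, the sample events are constructed, and the interpretation of `LocalTemp` as the per-user `AppData\Local\Temp` directory and of `FileFullPath:.exe` as the `.exe` extension are assumptions.

```python
import fnmatch
from typing import Dict, List

# Constructed sample endpoint file events for the demonstration. Field names
# mirror the hunting queries; the values are not real telemetry.
SAMPLE_EVENTS = [
    {"fullPath": r"C:\Users\alice\Documents\budget.xlsx.play", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Users\alice\Desktop\ReadMe.txt", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Users\alice\Desktop\readme_old.txt", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Users\bob\Downloads\report.docx", "malName": "Ransom.Win32.PLAYCRYPT.A", "eventSubId": 101},
    {"fullPath": r"C:\Users\alice\Music\svchost.exe", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\PerfLogs\update.exe", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Users\alice\Music\track.mp3", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Program Files\Vendor\app.exe", "malName": "", "eventSubId": 101},
    {"fullPath": r"C:\Users\bob\Music\x.exe", "malName": "", "eventSubId": 102},
]

# First query: path globs and detection-name fragments taken from the article.
PATH_PATTERNS = ("*.play", "*\\ReadMe.txt")
MALNAME_FRAGMENTS = ("PLAYDE", "PLAYCRYPT")

# Second query: directories and the event sub-type used by the article's query.
# Assumption: "LocalTemp" means the per-user AppData\Local\Temp directory.
SUSPICIOUS_SEGMENTS = {"music", "perflogs"}
FILE_EVENT_SUB_ID = 101


def _segments(path: str) -> List[str]:
    """Split a Windows path into lower-cased directory/file components."""
    return [s.lower() for s in path.replace("/", "\\").split("\\") if s]


def _in_local_temp(path: str) -> bool:
    """True when the path lies under ...\\AppData\\Local\\Temp (assumed meaning of LocalTemp)."""
    segs = _segments(path)
    return any(segs[i:i + 3] == ["appdata", "local", "temp"] for i in range(len(segs) - 2))


def is_play_artifact(event: Dict) -> bool:
    """Equivalent of: fullPath:("*.play" OR "*\\ReadMe.txt") OR malName:(*PLAYDE* OR *PLAYCRYPT*)."""
    path = event.get("fullPath", "").lower()
    mal_name = event.get("malName", "").upper()
    # fnmatch treats backslash literally, so "*\\ReadMe.txt" matches a ReadMe.txt basename.
    if any(fnmatch.fnmatchcase(path, p.lower()) for p in PATH_PATTERNS):
        return True
    return any(fragment in mal_name for fragment in MALNAME_FRAGMENTS)


def is_suspicious_binary(event: Dict) -> bool:
    """Equivalent of: FileFullPath:(Music OR Perflogs OR LocalTemp) AND eventSubId:101 AND FileFullPath:.exe."""
    if event.get("eventSubId") != FILE_EVENT_SUB_ID:
        return False
    path = event.get("fullPath", "")
    if not path.lower().endswith(".exe"):  # assumption: ".exe" is the file extension
        return False
    segs = _segments(path)
    return bool(SUSPICIOUS_SEGMENTS.intersection(segs)) or _in_local_temp(path)


def hunt(events: List[Dict]) -> Dict[str, List[str]]:
    """Run both checks over a list of events and return the matching paths per check."""
    return {
        "play_artifacts": [e["fullPath"] for e in events if is_play_artifact(e)],
        "suspicious_binaries": [e["fullPath"] for e in events if is_suspicious_binary(e)],
    }


if __name__ == "__main__":
    for check, paths in hunt(SAMPLE_EVENTS).items():
        print(check)
        for p in paths:
            print("  ", p)
```

Running the script lists three Play artifacts (the `.play` file, the `ReadMe.txt` note, and the event carrying a `PLAYCRYPT` detection name) and three executables in `Music`, `PerfLogs` and the local temp directory; the `.mp3` in `Music`, the executable under `Program Files` and the `Music` executable with a different `eventSubId` are not reported, which mirrors how the original queries filter. As the article notes, actual indicators vary per attack, so the globs and fragments are a starting point rather than a complete signature set.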