Play

Play is a ransomware group, active since at least 2022, that deploys Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, exfiltrating data before encrypting systems, and are presumed by security researchers to operate as a closed group.[1][2]

ID: G1040
Contributors: Marco Pedrinazzi, @pedrinazziM
Version: 1.0
Created: 24 September 2024
Last Modified: 02 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Play has used WinRAR to compress files prior to exfiltration.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.[2]

.003 Command and Scripting Interpreter: Windows Command Shell

Play has used a batch script to remove indicators of its presence on compromised hosts.[2]

Enterprise T1030 Data Transfer Size Limits

Play has split victims' files into chunks for exfiltration.[1][2]

Enterprise T1587 .001 Develop Capabilities: Malware

Play developed and employs Playcrypt ransomware.[2][1]

Enterprise T1048 Exfiltration Over Alternative Protocol

Play has used WinSCP to exfiltrate data to actor-controlled accounts.[1][2]

Enterprise T1190 Exploit Public-Facing Application

Play has exploited known vulnerabilities for initial access including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.[1][2]

Enterprise T1133 External Remote Services

Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.[1][2]

Enterprise T1083 File and Directory Discovery

Play has used the Grixba information stealer to list security files and processes.[2]

Enterprise T1657 Financial Theft

Play demands ransom payments from victims to decrypt filesystems and to not publish sensitive data exfiltrated from victim networks.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.[1][2]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Play has used tools to remove log files on targeted systems.[1][2]

.004 Indicator Removal: File Deletion

Play has used tools including Wevtutil to remove malicious files from compromised hosts.[2]
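Wevtutil's `cl` / `clear-log` command clears an event log channel, and the EventLog service records the wipe itself: Event ID 1102 in the Security log and Event ID 104 in the System log. Those two records are written by the service, so they survive even when process-creation auditing was never enabled on the host. The Python below is an added example for this page (not ATT&CK or Play code) that checks both evidence sources over constructed events and pairs them up; the event dictionaries use an assumed normalised schema (`kind`, `host`, `user`, `cmdline`, `channel`, `event_id`, `cleared_log`), not a vendor format:

```python
import re

# Constructed events in an assumed normalised shape; not telemetry from a
# Play intrusion. "process" records carry a command line, "eventlog" records
# are the EventLog service's own entries.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": 'wevtutil clear-log "Microsoft-Windows-PowerShell/Operational"'},
    {"kind": "process", "host": "WS07", "user": "CORP\\jdoe",
     "cmdline": "wevtutil qe Security /c:5 /rd:true /f:text"},
    # The well-known "clear every channel" one-liner: enumerate logs, then cl each.
    {"kind": "process", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": 'cmd.exe /c "for /F "tokens=*" %1 in (\'wevtutil.exe el\') DO wevtutil.exe cl "%1""'},
    {"kind": "eventlog", "host": "FS01", "user": "CORP\\svc_backup",
     "channel": "Security", "event_id": 1102},
    {"kind": "eventlog", "host": "FS01", "user": "CORP\\svc_backup",
     "channel": "System", "event_id": 104, "cleared_log": "System"},
    {"kind": "eventlog", "host": "WS07", "user": "CORP\\jdoe",
     "channel": "Security", "event_id": 4624},
]

# wevtutil accepts either the short or the long command name; the log name may
# be quoted. 'qe' (query), 'el' (enumerate) and the rest are benign and ignored.
CLEAR_RE = re.compile(r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?([^"\s]+)"?',
                      re.IGNORECASE)


def find_log_clearing(events):
    """Return one finding per piece of evidence that a log was cleared."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            for m in CLEAR_RE.finditer(ev["cmdline"]):
                target = m.group(1)
                findings.append({
                    "host": ev["host"], "user": ev["user"], "source": "process",
                    # A batch variable as the log name means a loop over all logs.
                    "log": "ALL" if target.startswith("%") else target,
                    "evidence": ev["cmdline"],
                })
        elif ev["kind"] == "eventlog":
            if ev["event_id"] == 1102 and ev["channel"] == "Security":
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "source": "eventlog", "log": "Security",
                                 "evidence": "Security EID 1102"})
            elif ev["event_id"] == 104 and ev["channel"] == "System":
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "source": "eventlog",
                                 "log": ev.get("cleared_log", "unknown"),
                                 "evidence": "System EID 104"})
    return findings


def corroborate(findings):
    """(host, log) pairs where a command line and the service's own record agree.

    The service record proves the wipe happened; the command line says who ran
    it and from where. A 1102/104 with no matching process record means the
    command-line audit trail is missing and the host needs a closer look.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], {"process": [], "eventlog": []})[f["source"]].append(f["log"])
    confirmed = []
    for host, srcs in by_host.items():
        for log in srcs["eventlog"]:
            if log in srcs["process"] or "ALL" in srcs["process"]:
                confirmed.append((host, log))
    return sorted(confirmed)


if __name__ == "__main__":
    hits = find_log_clearing(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["user"], h["source"], h["log"])
    print("corroborated:", corroborate(hits))
```

Forwarding 1102 and 104 off-host is the cheap, high-value control here: clearing a log on the endpoint does nothing to the copy already shipped to the collector.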

Enterprise T1105 Ingress Tool Transfer

Play has used Cobalt Strike to download files to compromised machines.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts.[2]
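The encoded scripts referenced here and under T1059.001 above share one mechanism: `-EncodedCommand` takes Base64 over the UTF-16LE bytes of the script, so a detector that only pattern-matches the visible command line never sees `Set-MpPreference`. The Python below is an added example for this page, not code from ATT&CK or the Play actors: it decodes the argument and then checks the recovered script for Defender-tampering cmdlets. The command lines are constructed (the Defender-disabling one is built in place with the same encoding an attacker would use), and the indicator list is an assumed starting set to extend with your own:

```python
import base64
import re


def encode_command(script):
    """The -EncodedCommand form: Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines; the first mirrors the Defender-disabling behaviour
# described on this page but is not a sample from a Play intrusion.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(
        "Set-MpPreference -DisableRealtimeMonitoring $true; "
        "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"),
    "powershell.exe -NoProfile -EncodedCommand " + encode_command("Get-Date"),
    "powershell.exe -Command Get-Service WinDefend",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often. The argument is a run of Base64 characters.
ENC_ARG = re.compile(r'(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)')

# Assumed indicator set for Defender tampering (T1562.001); patterns run over
# the decoded script, or over the raw command line when nothing is encoded.
DEFENDER_TAMPER = [
    (r"(?i)Set-MpPreference\b.*-Disable\w+", "Set-MpPreference -Disable*"),
    (r"(?i)Add-MpPreference\b.*-Exclusion\w+", "Add-MpPreference -Exclusion*"),
    (r"(?i)(Stop-Service|Set-Service|sc(\.exe)?\s+(stop|config))\b.*\bWinDefend\b",
     "WinDefend service tampering"),
    (r"(?i)Uninstall-WindowsFeature\b.*Windows-Defender",
     "Uninstall-WindowsFeature Windows-Defender"),
    (r"(?i)DisableAntiSpyware", "DisableAntiSpyware registry value"),
]


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if no (valid) encoded argument exists."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error is a ValueError; odd-length or non-UTF-16 payloads
        # fail the decode. Either way it is not a real -EncodedCommand.
        return None


def analyze(cmdline):
    """Decode one layer of encoding and look for Defender tampering."""
    decoded = decode_encoded_command(cmdline)
    body = decoded if decoded is not None else cmdline
    hits = [label for pattern, label in DEFENDER_TAMPER if re.search(pattern, body)]
    return {"encoded": decoded is not None, "script": body, "defender_tamper": hits}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = analyze(line)
        print(r["encoded"], r["defender_tamper"], r["script"][:60])
```

This unwraps one layer only. Scripts that decompress or `IEX` a second payload need the same treatment on the inner string, and Script Block Logging (Event ID 4104) records the script as PowerShell actually executed it, which is the more robust source when it is available.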

Enterprise T1588 .002 Obtain Capabilities: Tool

Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory.[2]
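Both tools named here leave the same kind of trace: a handle to lsass.exe that includes memory-read rights, and in Task Manager's case a file named lsass.DMP under the user's Temp folder. The Python below is an added example for this page (not Play or ATT&CK code) that applies that logic to constructed Sysmon-style records: Event ID 10 (ProcessAccess) for the handle, Event ID 11 (FileCreate) for the dump file. The allowlist of source images is an assumption to tune per estate, and the sample paths and access masks are made up for the example:

```python
# Constructed Sysmon Event ID 10 (ProcessAccess) and Event ID 11 (FileCreate)
# style records; field names follow Sysmon, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": r"C:\Windows\System32\taskmgr.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\m.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

# Process access rights (winnt.h). Reading LSASS memory, which is what
# Mimikatz sekurlsa and MiniDumpWriteDump both need, always includes
# PROCESS_VM_READ; query-only handles (0x1000, 0x1400) are routine noise.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
DUMP_BITS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Images that legitimately read LSASS memory on a typical host. Assumed
# starting list; verify against your own baseline before deploying.
ALLOWLISTED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsm.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lsass_access(events):
    """Flag handles to lsass.exe with memory-read rights and lsass.DMP writes."""
    findings = []
    for ev in events:
        if ev["EventID"] == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            mask = int(ev["GrantedAccess"], 16)
            src = basename(ev["SourceImage"])
            if mask & DUMP_BITS and src not in ALLOWLISTED_SOURCES:
                findings.append({
                    "technique": "T1003.001",
                    "source": ev["SourceImage"],
                    "granted_access": hex(mask),
                    "reason": ("Task Manager dump" if src == "taskmgr.exe"
                               else "memory-read handle to LSASS"),
                })
        elif ev["EventID"] == 11 and basename(ev["TargetFilename"]) == "lsass.dmp":
            findings.append({
                "technique": "T1003.001",
                "source": ev["Image"],
                "granted_access": None,
                "reason": "LSASS minidump written to " + ev["TargetFilename"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_lsass_access(SAMPLE_EVENTS):
        print(f["source"], f["granted_access"], f["reason"])
```

Matching on the access bits rather than on exact masks (0x1010, 0x1FFFFF, 0x1438 and so on) is deliberate: the well-known values change with tool versions, but a dump cannot be taken without VM_READ. Preventively, LSASS as a Protected Process Light (RunAsPPL) refuses these handles from unsigned code and makes the Task Manager route fail outright.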

Enterprise T1057 Process Discovery

Play has used the information stealer Grixba to check for a list of security processes.[2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Play has used Cobalt Strike to move laterally via SMB.[2]

Enterprise T1018 Remote System Discovery

Play has used tools such as AdFind, Nltest, and BloodHound to enumerate shares and hostnames on compromised networks.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Play has used the information-stealing tool Grixba to scan for anti-virus software.[1]

Enterprise T1082 System Information Discovery

Play has leveraged tools to enumerate system information.[2]

Enterprise T1016 System Network Configuration Discovery

Play has used the information-stealing tool Grixba to enumerate network information.[1]

Enterprise T1078 Valid Accounts

Play has used valid VPN accounts to achieve initial access.[1]

.002 Domain Accounts

Play has used valid domain accounts for access.[2]

.003 Local Accounts

Play has used valid local accounts to gain initial access.[2]

Software

ID Name References Techniques
S0552 AdFind [1][2] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0521 BloodHound [2] Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Group Policy Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0154 Cobalt Strike [2] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0363 Empire [2] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0359 Nltest [2] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S1162 Playcrypt [1][2] Data Encrypted for Impact, File and Directory Discovery, Inhibit System Recovery
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0645 Wevtutil [2] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs

References