2023-12-21

A recent joint cybersecurity advisory from Australia and the U.S. has shed light on the growing impact of the Play ransomware, estimating that it has affected around 300 entities as of October 2023. The threat actors behind Play employ a double-extortion model, where they encrypt systems after exfiltrating data, targeting various businesses and critical infrastructure organizations across North America, South America, Europe, and Australia.

Play, also known as Balloonfly and PlayCrypt, first emerged in 2022 and has since exploited security vulnerabilities in Microsoft Exchange servers and Fortinet appliances to breach enterprises and deploy file-encrypting malware. Interestingly, the advisory highlights a shift in ransomware tactics, with attackers increasingly exploiting vulnerabilities rather than relying on phishing emails as initial infection vectors. This shift has been observed in data from Corvus, which shows a significant increase in vulnerability exploitation from the second half of 2022 to the first half of 2023.

In a concerning development, cybersecurity firm Adlumin reported that Play ransomware has transformed into a ransomware-as-a-service (RaaS) operation, offering its services to other threat actors. The group utilizes a range of public and bespoke tools, including AdFind, Grixba, GMER, IOBit, PowerTool, Cobalt Strike, SystemBC, and Mimikatz, for various stages of their attacks, such as running Active Directory queries, enumerating network information, disabling antivirus software, and post-exploitation activities.

Victims of Play ransomware are not initially provided with a ransom demand or payment instructions, but are instead instructed to contact the threat actors via email. Despite trailing behind other ransomware groups like LockBit and BlackCat in terms of victim count, Play is still a significant threat, having claimed almost 40 victims in November 2023 alone, according to statistics compiled by Malwarebytes.

The evolving landscape of ransomware attacks is not limited to the Play group. Recent developments include the Karakurt group, which prioritizes pure extortion after obtaining initial network access through various means, and speculation regarding a possible law enforcement operation targeting the BlackCat ransomware group. Additionally, the emergence of a new ransomware group called NoEscape has raised concerns, as they allegedly pulled an exit scam, stealing ransom payments and shutting down their web panels and data leak sites.

Collaboration between ransomware gangs is also on the rise, as seen in the joint extortion campaign by the BianLian, White Rabbit, and Mario groups targeting publicly traded financial services firms. This collaboration may be facilitated by initial access brokers operating on the dark web and by the displacement of cybercriminals due to law enforcement interventions.

The ever-evolving and shifting nature of the ransomware landscape highlights the need for heightened cybersecurity measures and international cooperation to combat this global threat.