Ransomware Group Targets Managed Service Providers in Global Cyberattack Campaign
Introduction
The Play ransomware group, previously known for its attack on the City of Oakland, has now turned its focus to managed service providers (MSPs) worldwide in a new cyberattack campaign. This campaign aims to distribute ransomware to the downstream customers of these providers. What makes this attack particularly troublesome is the threat actor’s use of intermittent encryption, where only parts of a file are encrypted, in an attempt to evade detection.
Wide Range of Victims
According to a report by cybersecurity firm Adlumin, the Play ransomware group is targeting midsized businesses in various sectors, including finance, legal, software, shipping, law enforcement, and logistics in the US, Australia, UK, Italy, and other countries. State, local, and tribal entities in these countries are also being targeted. The attackers gain access to the networks and systems of these organizations by infiltrating the systems of MSPs, using their remote monitoring and management (RMM) tools.
This tactic of exploiting MSPs has been used by other threat actors with significant impact, most notably by the REvil ransomware group, which attacked multiple MSPs through vulnerabilities in Kaseya’s Virtual System Administrator (VSA) network monitoring tool. This attack resulted in the encryption of data on the systems of over 1,000 customers of these MSPs.
Attack Techniques and Exploits
Adlumin’s researchers have found that the Play ransomware group gains access to privileged management systems and RMM tools through a phishing campaign targeting employees at MSPs. Once inside a customer environment, the threat actors deploy additional exploits and broaden their foothold. They have been observed exploiting vulnerabilities in Microsoft Exchange Server, including zero-day vulnerabilities, as well as older vulnerabilities in Fortinet appliances.
The Play group also employs other post-compromise tools, including exploits for the ProxyNotShell vulnerabilities, server-side request forgery (SSRF), and legitimate PowerShell scripts used to conceal malicious activity. Executables are distributed via Group Policy Objects, scheduled tasks, and the PsExec utility for remote process execution.
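The distribution methods named above (scheduled tasks and PsExec) leave artifacts in standard Windows event logs that a defender can alert on. The following is an added example written for this article, not tooling from Adlumin or any vendor mentioned here. It runs a small classifier over constructed event records shaped like Windows System event 7045 (a service was installed; PsExec installs a service named PSEXESVC on the target by default) and Security event 4698 (a scheduled task was created). The sample events, the host names and the list of writable directories are constructed for the demo; Group Policy-based deployment is not covered by this snippet.

```python
"""Flag PsExec service installs and scheduled tasks launched from
user-writable directories in Windows event records.

Added example for this article; the records below are constructed,
not real telemetry. A real deployment would feed events from a SIEM.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    log: str          # "System" or "Security"
    event_id: int     # 7045 = service installed, 4698 = scheduled task created
    host: str
    fields: dict = field(default_factory=dict)


# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    Event("System", 7045, "ws-012",
          {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event("System", 7045, "ws-014",
          {"ServiceName": "Sense",
           "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"}),
    Event("Security", 4698, "srv-db1",
          {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
           "Command": "%windir%\\system32\\defrag.exe"}),
    Event("Security", 4698, "srv-db1",
          {"TaskName": "\\Update", "Command": "C:\\Users\\Public\\svchost.exe"}),
]

# Directories a normal administrator rarely schedules binaries from (assumed list).
SUSPICIOUS_TASK_DIRS = (
    "c:\\users\\public\\",
    "c:\\programdata\\",
    "\\appdata\\local\\temp\\",
    "c:\\windows\\temp\\",
)


def classify(event: Event):
    """Return an alert label for the event, or None when nothing matches."""
    if event.log == "System" and event.event_id == 7045:
        name = event.fields.get("ServiceName", "").upper()
        path = event.fields.get("ImagePath", "").upper()
        # PsExec's default service name; renamed copies need other rules.
        if name == "PSEXESVC" or "PSEXESVC" in path:
            return "psexec_service_install"
    if event.log == "Security" and event.event_id == 4698:
        cmd = event.fields.get("Command", "").lower()
        if any(d in cmd for d in SUSPICIOUS_TASK_DIRS):
            return "scheduled_task_from_writable_dir"
    return None


def find_alerts(events):
    """Collect (host, event_id, label) tuples for every event that matches."""
    alerts = []
    for e in events:
        label = classify(e)
        if label:
            alerts.append((e.host, e.event_id, label))
    return alerts


if __name__ == "__main__":
    for host, eid, label in find_alerts(SAMPLE_EVENTS):
        print(f"{host}: event {eid} -> {label}")
```

Service installs of PSEXESVC are routine on hosts where administrators use PsExec legitimately, so in practice the rule is scoped to hosts or accounts where that is not expected; the scheduled-task rule is the more general signal, since tasks pointing at binaries in Public or Temp directories are rare in managed environments.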
Intermittent Encryption
The Play ransomware tool itself is considered sophisticated. One notable feature is its use of intermittent encryption, where only certain fixed segments of data within a target file are encrypted. This approach allows for faster encryption, which threat actors prefer because it lets them accomplish their objective more quickly, while still rendering the data unusable for victims.
Because intermittent encryption leaves most of each file untouched, research from CyberArk has shown that it is possible to recover data in some cases for files with a suitable structure. CyberArk released a free tool in May 2023 to help victims of ransomware groups like Play reconstruct locked-up data without having to pay for a decryption key.
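Intermittent encryption also defeats a common detection heuristic: a file that is only partly encrypted may not look random when measured as a whole. The following is an added example for this article, not code from Adlumin, CyberArk or the Play operators, and it implements no encryption. To model the effect described above, it overwrites a few fixed-size segments of a constructed low-entropy sample file with random bytes, then shows that a whole-file entropy threshold does not fire while a per-chunk check does. The chunk size, threshold and segment layout are assumptions for the demo.

```python
"""Per-chunk entropy check that catches intermittently encrypted files.

Added example for this article. It models the entropy profile of partial
encryption by overwriting fixed segments with random bytes; it does not
encrypt anything.
"""
import math
import os
from collections import Counter

CHUNK = 4096          # analysis window in bytes (assumed)
HIGH_ENTROPY = 7.5    # bits per byte; random data sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK):
    """Entropy of each fixed-size window of the buffer."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_partially_encrypted(data: bytes, chunk: int = CHUNK,
                              threshold: float = HIGH_ENTROPY) -> bool:
    """True when some, but not all, windows look random."""
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= threshold)
    return 0 < high < len(ents)


def make_sample(size: int = 64 * 1024) -> bytes:
    """Constructed low-entropy 'document': repeating ASCII text."""
    line = b"Quarterly report - section %d: all figures in thousands.\n"
    buf = bytearray()
    i = 0
    while len(buf) < size:
        buf += line % i
        i += 1
    return bytes(buf[:size])


def simulate_segment_overwrite(data: bytes, segment: int = 4096,
                               stride: int = 16384) -> bytes:
    """Replace `segment` bytes at every `stride` offset with random bytes.

    This only reproduces the entropy pattern of intermittent encryption
    (one high-entropy segment per stride); it is not encryption.
    """
    buf = bytearray(data)
    for off in range(0, len(buf), stride):
        buf[off:off + segment] = os.urandom(min(segment, len(buf) - off))
    return bytes(buf)


def demo() -> dict:
    """Compare the whole-file heuristic with the per-chunk check."""
    clean = make_sample()
    hit = simulate_segment_overwrite(clean)
    return {
        "whole_file_entropy_flagged": shannon_entropy(hit) >= HIGH_ENTROPY,
        "per_chunk_flagged": looks_partially_encrypted(hit),
        "clean_flagged": looks_partially_encrypted(clean),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With one 4 KiB random segment per 16 KiB, only a quarter of the file is high-entropy and the whole-file measurement stays well below the threshold, so a scanner that keys on total entropy misses the file; the per-window check flags the same file because individual windows sit near 8 bits per byte. Already-compressed formats (archives, media) are naturally high-entropy throughout and need a format-aware baseline rather than this generic threshold.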
Evolving Threat Landscape
According to Kevin O’Connor, the director of threat research at Adlumin, the company’s telemetry suggests that the Play ransomware group likely began its operations around June 2022. Adlumin’s monitoring of Play’s leak site on the TOR network indicates that the group has claimed at least 150 victims across a dozen companies.
Other vendors tracking the group, such as Trend Micro and SOCRadar, have identified Latin America as Play’s primary focus area in recent reports. However, Adlumin’s research contradicts this, suggesting that the majority of victims of the Play group appear to be based in the US or at least the US and Europe.
Editorial: The Growing Threat of Ransomware and the Need for Stronger Security Measures
Ransomware attacks, such as the one orchestrated by the Play ransomware group, continue to pose a significant threat to businesses and organizations worldwide. These attacks not only result in financial losses due to ransom payments but also cause disruption, loss of data, and damage to an organization’s reputation.
The tactics employed by threat actors are becoming increasingly sophisticated, as seen in the Play group’s use of intermittent encryption to evade detection and render data inaccessible. This highlights the need for organizations to prioritize cybersecurity and implement robust security measures to protect their networks, systems, and sensitive data.
MSPs play a crucial role in managing and securing the IT infrastructure of their customers. However, as demonstrated by the recent attacks, MSPs can be an attractive target for threat actors seeking to gain access to multiple organizations through a single point of entry. It is imperative that MSPs strengthen their security protocols, conduct regular security assessments, and educate their employees about the risks of phishing and other social engineering tactics.
Furthermore, organizations must invest in advanced threat detection and response capabilities, keep their software and systems up to date with the latest patches and security updates, and implement multi-factor authentication to enhance user access security.
Governments and regulators also have a responsibility to address the growing threat of ransomware. They should prioritize cybersecurity in national security strategies, promote information sharing and collaboration between public and private sectors, and establish strong legal frameworks to prosecute cybercriminals.
Conclusion: Protecting Against Ransomware
Ransomware attacks continue to evolve and pose a significant threat to businesses and organizations of all sizes. To protect against these attacks, organizations should:
1. Prioritize cybersecurity:
Implement robust security measures, including firewalls, intrusion detection systems, and endpoint protection solutions. Regularly review and update security policies and procedures.
2. Educate employees:
Train employees on cybersecurity best practices, such as identifying phishing emails, avoiding suspicious links or attachments, and following proper password hygiene.
3. Implement multi-factor authentication:
Require additional verification steps, such as biometrics or one-time passwords, to enhance user access security and prevent unauthorized access.
4. Keep software and systems up to date:
Regularly apply software patches and security updates to protect against known vulnerabilities that threat actors often exploit.
5. Backup data:
Frequently back up critical data and store backups offline or in a secure, isolated environment to prevent ransomware from compromising backup systems.
6. Engage with MSPs carefully:
When partnering with MSPs, conduct due diligence to ensure they have robust security measures in place. Regularly review and assess their security practices and monitor for any suspicious activities.
By implementing these measures and staying vigilant, organizations can significantly reduce their risk of falling victim to ransomware attacks. However, it is essential to recognize that cybersecurity is an ongoing effort that requires continuous monitoring, adaptation, and collaboration between organizations, MSPs, and governments to stay one step ahead of the evolving threat landscape.