Play’s ransomware actors commonly gain initial access through valid accounts that have been reused across multiple platforms, have previously been exposed, or were obtained through illegal means. This includes Virtual Private Network (VPN) accounts, not just domain and local accounts. Exposed RDP servers are also abused to establish a foothold. Another technique Play ransomware uses is the exploitation of the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812.
CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download OS system files through specially crafted HTTP resource requests. On the other hand, CVE-2020-12812 is an improper-authentication vulnerability in SSL VPN in FortiOS, which allows a user to log in without being prompted for FortiToken, the second factor of authentication, if they changed the case of their username.
We observed Play ransomware’s usage of scheduled tasks and PsExec during its execution phase. Another one of Play’s techniques involves the creation of a GPO, as GPOs are able to control many user and machine settings in the AD. The GPO deploys a scheduled task across the AD environment, and the task executes the ransomware at a specific date and time.
The ransomware also uses batch files to execute PsExec, a legitimate Windows tool in the SysInternals suite. This tool’s ability to execute processes on other systems allows the rapid spread of the ransomware and assists Play in its reconnaissance activities.
After the Play ransomware actors gain initial access through valid accounts, they will continue to use these accounts as a persistence mechanism. If Remote Desktop Protocol (RDP) access is disabled in a victim’s system, the malicious actors will enable it by executing “netsh” commands so that they can establish inbound connections within a victim’s system. The ransomware executable is dropped in the Domain Controller shared folders (NETLOGON or SYSVOL) and is run by a scheduled task/PsExec, after which encryption of the victim’s files takes place.
Play ransomware uses Mimikatz to extract high privileges credentials from memory. Afterward, the ransomware will add accounts to privileged groups, one of which is the Domain Administrators group. It performs vulnerability enumeration through Windows Privilege Escalation Awesome Scripts (WinPEAS), a script that searches for possible local privilege escalation paths.
The ransomware uses tools such as Process Hacker, GMER, IOBit, and PowerTool to disable antimalware and monitoring solutions. It covers its tracks using the Windows built-in tool wevtutil or a batch script, which will remove indicators of its presence, such as logs in Windows Event Logs or malicious files. It disables Windows Defender protection capabilities through PowerShell or command prompt. The PowerShell scripts that Play ransomware uses, like Cobalt Strike beacons (Cobeacon) or Empire agents, are encrypted in Base64.
Play ransomware also uses Mimikatz to dump credentials. The tool can be dropped directly on the target host or executed as a module through a command-and-control (C&C) application like Empire or Cobalt Strike. We also observed the malware’s use of the Windows tool Task Manager to dump the LSASS process from memory.
During the discovery phase, the ransomware actors collect more details about the AD environment. We’ve observed that AD queries for remote systems have been performed by different tools, such as ADFind, Microsoft Nltest, and Bloodhound. Enumeration of system information such as hostnames, shares, and domain information were also performed by the threat actor.
Play ransomware may use different tools to move laterally across a victim’s system:
- Cobalt Strike SMB beacon is used as a C&C beacon, a method of lateral movement, and a tool for downloading and executing files
- SystemBC, a SOCKS5 proxy bot that acts as a backdoor with the ability to communicate over TOR, is used for backdooring mechanisms
- Empire is an open-source post-exploitation framework used to conduct Play ransomware’s post-exploitation activity
- Mimikatz is used to dump credentials and gain domain administrator access on victim networks to conduct lateral movement.
A victim’s data is often split into chunks instead of whole files prior to its exfiltration, an approach that Play ransomware may use to avoid triggering network data transfer. The ransomware actors use WinSCP, an SFTP client and FTP client for Microsoft Windows. They also use WinRAR to compress the files in .RAR format for later exfiltration. We were able to identify a web page developed in PHP that is used to receive the exfiltrated files.
As mentioned earlier, after the ransomware encrypts a file, it adds the extension “.play” to that file. A ransom note, ReadMe.txt, is created in the hard drive root (C:). In all the cases we investigated, the ransom notes contained an email address following this format: [seven random characters]@gmx[.]com.