Play ransomware groups use SimpleHelp flaw: FBI • The Register


Groups linked with the Play ransomware have exploited more than 900 organizations, the FBI said Wednesday, and have developed a number of new techniques in their double-extortion campaigns – including exploiting a security flaw in remote-access tool SimpleHelp if orgs haven’t patched it.

This particular ransomware variant was among the top five targeting critical infrastructure last year. And according to a Wednesday cybersecurity advisory, the criminals don’t seem to be slowing down in their double-extortion attacks, in which they first steal and encrypt sensitive data, then threaten to release it online unless the victims pay up.

“Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email,” the FBI, Cybersecurity and Infrastructure Security Agency, and Australian Signals Directorate’s Cyber Security Centre said in a June 4 update to an earlier Play ransomware alert.

The update includes new tactics, techniques, and procedures Play uses, along with current indicators of compromise to help network defenders protect their organizations from the ransomware crew.

Among these: the ransomware notes contain a unique @gmx.de or @web[.]de email for communications. Plus, in a move that screams psychological manipulation, Play operators regularly call their victims and threaten to release their stolen data if they don’t pay up. “These calls can be routed to a variety of phone numbers within the organization, including those discovered in open source, such as help desks or customer service representatives,” according to the FBI and allied agencies.

The miscreants typically gain initial access to victims’ networks using a variety of nefarious means — stolen credentials, Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), and exploiting old bugs that should have been patched years ago, including vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082).

But among the newer break-in methods is a high-priority security flaw in the remote monitoring and management tool SimpleHelp. It’s tracked as CVE-2024-57727, and the software vendor disclosed and fixed the issue in January.

Still, “multiple ransomware groups, including initial access brokers with ties to Play ransomware operators,” exploited this bug to remotely execute their malware on compromised computers belonging to US organizations, the FBI warned. Get that flaw patched if you haven’t already.

Complicating things further, the Play ransomware binary is recompiled for each campaign, both for Windows and ESXi targets, resulting in a unique file hash for every deployment. This tactic complicates detection by anti-malware tools and hinders hash-based defenses.
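The per-deployment rebuild described above is why a fixed-hash indicator from one victim rarely fires on the next. As an added illustration (not from the advisory or The Register), the snippet below triages two constructed sample blobs that carry the same payload with different padding: the exact-hash match catches only the build the indicator was taken from, while a content rule keyed on the @gmx.de/@web.de contact-address pattern the agencies describe fires on both. The samples, the hash list and the regex are all constructed for the example.

```python
import hashlib
import re

# Constructed sample "binaries": the same payload rebuilt with a different
# padding byte, which is enough to change the file hash entirely.
SAMPLE_A = (b"PLAY-DEMO\x00payload-v1\x00ReadMe.txt: contact us at abcd1234@gmx.de\x00"
            + b"\x90" * 16)
SAMPLE_B = (b"PLAY-DEMO\x00payload-v1\x00ReadMe.txt: contact us at wxyz9876@web.de\x00"
            + b"\xcc" * 16)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hash-based IoC set, the kind of value an advisory publishes for one observed
# deployment. Derived here from SAMPLE_A only; it is not a real indicator.
HASH_IOCS = {sha256_hex(SAMPLE_A)}

# Content-based rule: each Play ransom note carries a unique @gmx.de or @web.de
# contact address, so match the pattern rather than one fixed file hash.
CONTACT_RE = re.compile(rb"[A-Za-z0-9._-]+@(?:gmx|web)\.de")

def matches_hash_ioc(data: bytes, iocs=HASH_IOCS) -> bool:
    """Exact-hash match: only detects the specific build the IoC came from."""
    return sha256_hex(data) in iocs

def matches_contact_pattern(data: bytes) -> bool:
    """Pattern match on the ransom-note contact address embedded in the sample."""
    return CONTACT_RE.search(data) is not None

def triage(samples: dict) -> dict:
    """Report, per sample, which detection layer fired."""
    return {
        name: {"hash_ioc": matches_hash_ioc(d),
               "contact_pattern": matches_contact_pattern(d)}
        for name, d in samples.items()
    }

if __name__ == "__main__":
    for name, hits in triage({"sample_a": SAMPLE_A, "sample_b": SAMPLE_B}).items():
        print(name, hits)
```

In practice the contact-address rule would run over dropped ransom-note files and memory, not only on the binary; the point is that the hash layer alone goes stale with every recompile.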

One of Cisco Talos’ incident responders recently told The Register that Play was one of the crews that used so-called “EDR killers” to disable endpoint security products in nearly every ransomware infection it handled last year. ®