Play Ransomware Group Launches Global Campaign Against MSPs

August 17, 2023

The Play ransomware group, also tracked as PlayCrypt, is running a widespread attack campaign against managed service providers (MSPs) worldwide, according to researchers at Adlumin. Its primary targets are midsize businesses in sectors such as finance, legal, software, shipping, law enforcement, and logistics, concentrated in the US, Australia, the UK, and Italy, with victims in other countries as well.

The campaign is marked by the group's use of intermittent encryption, a technique in which only portions of each file are encrypted, which both shortens the time needed to encrypt a system and makes the activity harder for detection tools to spot. The tactic has been used in attacks on state, local, and tribal entities in the targeted countries.

The Play group infiltrates MSP systems and abuses their remote monitoring and management (RMM) tools to gain unrestricted access to the networks and systems of the MSPs' customers. Other threat actors have used the same strategy before, most notably the REvil ransomware group, whose attack on multiple MSPs exploited vulnerabilities in Kaseya's Virtual System Administrator (VSA) RMM tool.

According to Kevin O'Connor, director of threat research at Adlumin, the threat actors gain access to privileged management systems and RMM tools through a phishing campaign aimed at MSP employees, then compromise those systems either by exploiting them directly or by harvesting and reusing credentials. Once the Play actors reach a customer environment through the victim's MSP, they quickly deploy additional exploits to expand their foothold. In some instances they have exploited vulnerabilities in Microsoft Exchange Server, such as CVE-2022-41040, a server-side request forgery bug that Microsoft classified as elevation of privilege and that attackers were exploiting before a fix was available, chained with CVE-2022-41082, a remote code execution bug that was likewise a zero-day at the time of disclosure (the pair is known as ProxyNotShell).
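A defender reading the paragraph above will want to know what the Exchange part of that chain looks like in their own telemetry. The following script is an added example, not code from the article or from Adlumin: it parses a constructed W3C-format IIS log excerpt (the log lines, IPs and timestamps are made up) and flags requests matching the shape Microsoft's published URL Rewrite mitigation for ProxyNotShell targets, an Autodiscover request whose URI also routes to the PowerShell backend. The field layout, the `%50` encoding trick and the per-client summary are assumptions chosen for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Detection pattern modelled on the URL Rewrite mitigation Microsoft published
# for the ProxyNotShell chain (CVE-2022-41040 -> CVE-2022-41082): an Autodiscover
# request whose URI also routes to the PowerShell backend. Lookaheads make the
# order irrelevant; the URI is decoded first so percent-encoding does not hide it.
PROXYNOTSHELL_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed W3C-format IIS log excerpt (not real telemetry).
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-08-10 09:12:01 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 10.0.1.20 Outlook/16.0 200
2023-08-10 09:12:07 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell?X-Rps-CAT=abc 443 - 203.0.113.9 python-requests/2.31 200
2023-08-10 09:12:09 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.1.21 Mozilla/5.0 200
2023-08-10 09:12:15 10.0.0.5 POST /Autodiscover/Autodiscover.json @EXAMPLE.COM/%50owershell 443 - 203.0.113.9 curl/8.1 500
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would count these
        rows.append(dict(zip(fields, values)))
    return rows


def request_uri(row: Dict[str, str]) -> str:
    """Rebuild and percent-decode the full request URI from stem + query."""
    uri = row["cs-uri-stem"]
    if row.get("cs-uri-query", "-") != "-":
        uri += "?" + row["cs-uri-query"]
    return unquote(uri)


def find_proxynotshell_attempts(text: str) -> List[Dict[str, str]]:
    """Return the log rows whose decoded URI matches the ProxyNotShell shape."""
    return [row for row in parse_iis_log(text)
            if PROXYNOTSHELL_RE.search(request_uri(row))]


def attempts_by_client(text: str) -> Dict[str, int]:
    """Count matching requests per client IP to surface the probing host."""
    counts: Dict[str, int] = {}
    for row in find_proxynotshell_attempts(text):
        counts[row["c-ip"]] = counts.get(row["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in find_proxynotshell_attempts(SAMPLE_IIS_LOG):
        print(row["date"], row["time"], row["c-ip"], row["sc-status"], request_uri(row))
    print(attempts_by_client(SAMPLE_IIS_LOG))
```

The match is deliberately loose: the first version of Microsoft's rewrite rule was too specific and could be bypassed, so the check above requires only both substrings after decoding. A hit with a 2xx status on the PowerShell path deserves a closer look at the Exchange PowerShell and IIS backend logs; a 5xx may be a failed attempt, but it still identifies a host that is probing the server.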

Adlumin researchers have also observed Play actors exploiting older vulnerabilities in Fortinet appliances, such as CVE-2018-13379, a five-year-old path traversal flaw in the FortiOS SSL VPN web portal, and CVE-2020-12812, an improper-authentication flaw in the FortiOS SSL VPN that can let a user log in without the second authentication factor. After the initial compromise, the threat actors use these exploits for lateral movement and internal spread.

The Play ransomware tool is notably sophisticated, and its standout feature is its use of intermittent encryption to render data inaccessible on victim systems. Encrypting only part of each file finishes much faster than encrypting the whole file, which lets the attackers complete the job before defenders can react, while still leaving the data unusable for the victim. Intermittent encryption is not infallible, however. Research from CyberArk shows that data can sometimes be recovered from files encrypted this way, because the portions the encryptor skipped remain readable.
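The two properties described above, fast encryption that still leaves files unusable, and partial recoverability without the key, are easy to see on a small simulation. The script below is an added example, not Play's code or CyberArk's tooling: it encrypts every second 4 KiB chunk of a constructed sample document with a toy SHA-256 counter keystream (an assumption made so the example runs offline; the real cipher, chunk size and skip pattern are not specified on the page), then classifies each chunk by Shannon entropy to detect the alternating pattern and to pull out the chunks the encryptor never touched.

```python
import hashlib
import math
from typing import List, Tuple

CHUNK = 4096  # chunk size for the simulation (an assumption, not Play's real parameter)

# Constructed sample document (not a real victim file): repetitive text, low entropy.
SAMPLE_DOC = (b"Invoice 2023-08-17 Customer ACME Corp. Amount due: 1,250.00 USD. "
              b"Payable within 30 days.\n") * 400
KEY = b"example-key-not-real"  # toy key for the stand-in cipher below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, well below
    that for text, XML, or most uncompressed document content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keystream(key: bytes, chunk_index: int, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. It only exists so the example
    runs offline; it is not the cipher Play uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + chunk_index.to_bytes(8, "big")
                              + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def intermittent_encrypt(plaintext: bytes, key: bytes, every_nth: int = 2) -> bytes:
    """Encrypt one chunk out of every `every_nth` and leave the rest untouched,
    the pattern the article calls intermittent encryption. every_nth=1 gives
    full-file encryption for comparison."""
    out = bytearray()
    for idx, start in enumerate(range(0, len(plaintext), CHUNK)):
        chunk = plaintext[start:start + CHUNK]
        if idx % every_nth == 0:
            ks = keystream(key, idx, len(chunk))
            chunk = bytes(a ^ b for a, b in zip(chunk, ks))
        out += chunk
    return bytes(out)


def classify_chunks(data: bytes, threshold: float = 7.5) -> List[Tuple[int, float, bool]]:
    """Per chunk: (index, entropy, looks_encrypted). The threshold sits between
    typical text (roughly 4-6 bits/byte) and ciphertext (about 7.9+ for 4 KiB chunks)."""
    result = []
    for idx, start in enumerate(range(0, len(data), CHUNK)):
        h = shannon_entropy(data[start:start + CHUNK])
        result.append((idx, h, h >= threshold))
    return result


def looks_intermittently_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """A clean text file has no high-entropy chunks and a fully encrypted file
    has nothing else; a mix of both is the signature of intermittent encryption."""
    flags = {flag for _, _, flag in classify_chunks(data, threshold)}
    return flags == {True, False}


def recover_plaintext_chunks(data: bytes, threshold: float = 7.5) -> List[Tuple[int, bytes]]:
    """Return the chunks the encryptor skipped, which is what makes partial
    recovery possible without the key."""
    return [(idx, data[idx * CHUNK:(idx + 1) * CHUNK])
            for idx, _, enc in classify_chunks(data, threshold) if not enc]


if __name__ == "__main__":
    encrypted = intermittent_encrypt(SAMPLE_DOC, KEY)
    for idx, h, enc in classify_chunks(encrypted):
        print(f"chunk {idx:2d}: entropy {h:.2f} {'ENCRYPTED' if enc else 'plaintext'}")
    recovered = recover_plaintext_chunks(encrypted)
    print(f"recovered {sum(len(c) for _, c in recovered)} of {len(SAMPLE_DOC)} bytes without the key")
```

The entropy heuristic is the same reason intermittent encryption slips past detection that watches for whole-file entropy jumps: only half the bytes change. It also shows the limit of the recovery trick: formats that are already compressed (zip-based Office files, PDF streams, JPEG) read as high-entropy even when untouched, so telling skipped chunks from encrypted ones there requires format-aware parsing rather than entropy alone.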

The Play group is one of a handful of attackers that have adopted intermittent encryption, and Adlumin assesses that it was actually the first to do so. Other groups using the approach include the operators of BlackCat, DarkBit, and BianLian. Adlumin's telemetry indicates that Play likely started operations around June 2022 and has claimed at least 150 victims so far in more than a dozen countries. While some vendors have identified Latin America as Play's primary focus area, Adlumin's observations suggest that the majority of victims are now based in the US, or at least in the US and Europe.
