The Play ransomware group, known for its attack on the City of Oakland earlier this year, has expanded its cyberattack campaign to target managed service providers (MSPs) globally. The group aims to distribute ransomware to the downstream customers of these providers. One concerning aspect of the campaign is the threat actor’s use of intermittent encryption, where only portions of a file are encrypted, in order to evade detection.
According to a report by the cybersecurity firm Adlumin, the Play ransomware group is targeting midsized businesses in sectors including finance, legal, software, shipping, law enforcement and logistics, in the US, Australia, the UK, Italy and other countries, along with state, local and tribal government entities. Compromising an MSP and then riding its remote monitoring and management (RMM) tooling into customer networks is not new: the REvil group used the same approach in 2021 by exploiting vulnerabilities in Kaseya's Virtual System Administrator (VSA) tool, an attack that reached over 1,000 downstream customers.
The Play group obtains access to the MSP's privileged management systems and RMM tools through phishing campaigns aimed at MSP employees. Once inside a customer environment, the operators move quickly to deploy further exploits and broaden their control. Adlumin researchers have seen the group exploit the Microsoft Exchange Server vulnerabilities CVE-2022-41040 and CVE-2022-41082, the pair known as ProxyNotShell, as well as the older Fortinet appliance vulnerabilities CVE-2018-13379 and CVE-2020-12812.
ProxyNotShell chains a server-side request forgery (SSRF, CVE-2022-41040) with a remote code execution bug (CVE-2022-41082); the SSRF is what gives an authenticated attacker a path to the second flaw. After exploitation the group favours living-off-the-land techniques, using legitimate PowerShell scripts to disguise its activity and distributing its executables through Group Policy Objects, scheduled tasks and the PsExec utility for remote process execution.
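The distribution methods just listed leave Windows event log traces that a defender can triage. The following is an added example, not code from Adlumin or from the Play report, that scans constructed Windows event records (System log event 7045 for service installation, Security log event 4698 for scheduled-task creation) for PsExec-style service installs and for tasks that launch binaries from staging directories. The host names, account names, service names and the flattened "Command" field are assumptions made for the sample.

```python
"""Triage of Windows event records for the lateral-movement methods named
above: PsExec-style remote service installs (System log event 7045) and
scheduled-task creation (Security log event 4698). Added illustration,
not Adlumin's detection content; the records below are constructed, with
the task action flattened into a single "Command" field for brevity
(the real 4698 event carries it inside TaskContent XML)."""
import json
import re

# Constructed sample events, one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "CORP\\msp-admin"}
{"EventID": 7045, "Computer": "FS01", "ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "DC01", "ServiceName": "hxkq", "ImagePath": "%SystemRoot%\\hxkq.exe", "AccountName": "CORP\\msp-admin"}
{"EventID": 4698, "Computer": "WS22", "SubjectUserName": "msp-admin", "TaskName": "\\Updater", "Command": "C:\\Windows\\Temp\\svc.exe"}
{"EventID": 4698, "Computer": "WS22", "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "Command": "%windir%\\system32\\defrag.exe"}
{"EventID": 4688, "Computer": "WS22", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}
"""

# PsExec copies its service binary into the root of ADMIN$ (%SystemRoot%),
# not System32, and names the service PSEXESVC unless -r renames it. Match
# the default name and, independently, the path shape.
PSEXEC_NAME = re.compile(r"psexesvc", re.IGNORECASE)
ROOT_OF_SYSTEMROOT = re.compile(
    r"^(%SystemRoot%|%windir%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)

# Task actions living in user-writable staging directories.
STAGING_DIRS = re.compile(r"\\(Temp|ProgramData|Users\\Public|AppData)\\", re.IGNORECASE)


def triage(event_lines: str) -> list:
    """Return (computer, event_id, reason) for each record worth a look."""
    hits = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 7045:
            name = ev.get("ServiceName", "")
            path = ev.get("ImagePath", "")
            if PSEXEC_NAME.search(name) or PSEXEC_NAME.search(path):
                hits.append((ev["Computer"], eid,
                             f"PsExec service installed by {ev.get('AccountName')}"))
            elif ROOT_OF_SYSTEMROOT.match(path):
                hits.append((ev["Computer"], eid,
                             f"service binary at root of %SystemRoot%: {path}"))
        elif eid == 4698:
            cmd = ev.get("Command", "")
            if STAGING_DIRS.search(cmd):
                hits.append((ev["Computer"], eid,
                             f"task {ev.get('TaskName')} runs {cmd}"))
    return hits


if __name__ == "__main__":
    for computer, eid, reason in triage(SAMPLE_EVENTS):
        print(f"{computer}\t{eid}\t{reason}")
```

The path-shape rule matters because renaming the service (PsExec's -r switch) defeats a name match but not the fact that the binary is dropped at the root of ADMIN$; in production the same logic would also join the 7045 record to the network logon (event 4624, logon type 3) that preceded it on the same host.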
One notable characteristic of the Play ransomware tool is its use of intermittent encryption, in which only certain segments of each file are encrypted. This makes the encryption run faster, so the operators finish before defenders can react, while still leaving the files unusable for the victim; a side effect is that the output looks less uniformly random than a fully encrypted file, which can defeat entropy-based detection. Intermittent encryption is not foolproof, however: CyberArk research has shown that, for files whose format is structured in a suitable way, data can sometimes be recovered from the unencrypted regions.
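To make the trade-off concrete, here is an added example (my own illustration, not Play's code and not CyberArk's tool) that applies intermittent encryption to a constructed 1 KiB invoice-style file, encrypting the first 256 bytes of every 1024, and then shows the two consequences: a whole-file entropy check tuned for fully encrypted output misses it, while a per-chunk check does not, and the lines in the untouched regions are still readable. The chunk size, the period and the SHA-256 counter-mode keystream are assumptions chosen for the demonstration, not Play's actual layout or cipher.

```python
"""Intermittent (partial) file encryption on a constructed sample document,
with the two consequences the article mentions: whole-file entropy checks
tuned for fully encrypted output can miss it, and plaintext in the
untouched regions survives. Added illustration; the chunk pattern and the
SHA-256 keystream are assumptions, not Play's actual cipher or layout."""
import hashlib
import math
from collections import Counter

CHUNK = 256    # bytes encrypted at the start of each PERIOD (assumed values)
PERIOD = 1024  # so 25% of the file is touched

# Constructed sample file: 1024 bytes of invoice-style text, not real data.
SAMPLE_DOC = b"".join(
    b"Invoice %04d: consulting services rendered to Example Logistics Ltd, net 30 days.\n" % i
    for i in range(1, 14)
)[:1024]


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (illustration only)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def intermittent_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt (or, applied again, decrypt) the first CHUNK bytes of every PERIOD."""
    out = bytearray(data)
    for start in range(0, len(data), PERIOD):
        end = min(start + CHUNK, len(data))
        ks = keystream(key, start, end - start)
        for i in range(start, end):
            out[i] ^= ks[i - start]
    return bytes(out)


def full_xor(data: bytes, key: bytes) -> bytes:
    """Conventional full-file encryption with the same keystream, for comparison."""
    ks = keystream(key, 0, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling, ordinary text sits around 4 to 5."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def looks_fully_encrypted(buf: bytes, threshold: float = 7.0) -> bool:
    """Naive whole-file check: high entropy means encrypted."""
    return shannon_entropy(buf) > threshold


def looks_intermittently_encrypted(buf: bytes, hi: float = 6.5, lo: float = 5.0) -> bool:
    """Per-chunk check: some CHUNK-sized windows random, others plaintext-like."""
    ents = [shannon_entropy(buf[i:i + CHUNK]) for i in range(0, len(buf), CHUNK)]
    return any(e > hi for e in ents) and any(e < lo for e in ents)


def recoverable_lines(buf: bytes, min_len: int = 8) -> list:
    """Lines that survived intact: fully printable ASCII between newlines."""
    keep = []
    for seg in buf.split(b"\n"):
        if len(seg) >= min_len and all(0x20 <= b < 0x7F for b in seg):
            keep.append(seg)
    return keep


if __name__ == "__main__":
    key = b"demo-key"
    inter = intermittent_xor(SAMPLE_DOC, key)
    full = full_xor(SAMPLE_DOC, key)
    print("plain  ", round(shannon_entropy(SAMPLE_DOC), 2))
    print("partial", round(shannon_entropy(inter), 2),
          looks_fully_encrypted(inter), looks_intermittently_encrypted(inter))
    print("full   ", round(shannon_entropy(full), 2), looks_fully_encrypted(full))
    print("intact lines after partial encryption:", len(recoverable_lines(inter)))
```

The per-chunk check here aligns its windows with the encrypted chunks, which a real scanner cannot assume; a sliding window with a step smaller than the suspected chunk size handles unknown alignment. Recovery likewise depends on the format: line-oriented text survives in the gaps, whereas a compressed or container format may need headers that sit at the start of the file and are often inside the encrypted region.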
Adlumin's telemetry suggests that the Play group likely began operating in June 2022. The company has been monitoring Play's leak site on Tor and has identified at least 150 victims across multiple countries. Earlier reports from Trend Micro and SOCRadar characterized the group as a rapidly emerging threat with a focus on Latin America; Adlumin's data, however, suggests that the majority of victims are now based in the US or Europe.
Overall, the Play ransomware group's expansion into MSP targeting and its use of intermittent encryption represent growing threats. Midsized organizations in the affected sectors need to treat their MSP's remote access as part of their own attack surface, patch the Exchange and Fortinet vulnerabilities named above, and watch for the lateral-movement tooling (PowerShell scripts, GPO-pushed binaries, scheduled tasks, PsExec) described in this report.