Play Ransomware Group Targets Six Prominent Companies

The notorious Play Ransomware Group has shifted its sights from its primary Latin American targets to firms in the U.S. and Germany.

Recently, the group listed six businesses on their data leakage site on the Tor network, hinting at potential data breach incidents.

Companies Under Threat

The following companies have been listed:

USA:

Majestic Spice: majesticspice.com
Bordelon Marine: bordelonmarine.com
Master Interiors: masterinteriors.com
Kikkerland Design: kikkerland.com
Precisely Winshuttle: precisely.com, winshuttle.com

Germany:

Markentrainer Werbeagunter: micro-automation.de

The Rise of Play Ransomware Group

Tracing back to June 22, 2022, the Play Ransomware’s presence first emerged on a BleepingComputer forum. An individual claimed their files were encrypted with a unique “.play” extension. Shortly after, Trend Micro shed light on this ransomware variant, revealing a focus on the Latin American region, especially Brazil.

Despite appearing as a new entrant in the ransomware arena, their tactics, techniques, and procedures (TTPs) resonate with established ransomware families like Hive and Nokayawa. A notable similarity is their reliance on AdFind, a command-line tool adept at gleaning Active Directory information.

Modus Operandi

The group typically employs a multi-pronged attack strategy:

They exploit a known valid account, vulnerable RDP servers, and specifically target the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812 for initial access.
Following a successful breach, they employ “lolbins” binaries, mirroring the approach of other ransomware groups.
They distribute malicious executables within the network using Group Policy Objects, subsequently running scheduled tasks, PsExec, or wmic.
Their final move involves encrypting files, marking them with their signature “.play” extension.