The notorious Play Ransomware Group has shifted its sights from its primary Latin American targets to firms in the U.S. and Germany.
Recently, the group listed six businesses on their data leakage site on the Tor network, hinting at potential data breach incidents.
Companies Under Threat
The following companies have been listed:
- Majestic Spice: majesticspice.com
- Bordelon Marine: bordelonmarine.com
- Master Interiors: masterinteriors.com
- Kikkerland Design: kikkerland.com
- Precisely Winshuttle: precisely.com, winshuttle.com
- Markentrainer Werbeagunter: micro-automation.de
The Rise of Play Ransomware Group
Tracing back to June 22, 2022, the Play Ransomware’s presence first emerged on a BleepingComputer forum. An individual claimed their files were encrypted with a unique “.play” extension. Shortly after, Trend Micro shed light on this ransomware variant, revealing a focus on the Latin American region, especially Brazil.
Despite appearing as a new entrant in the ransomware arena, their tactics, techniques, and procedures (TTPs) resonate with established ransomware families like Hive and Nokayawa. A notable similarity is their reliance on AdFind, a command-line tool adept at gleaning Active Directory information.
The group typically employs a multi-pronged attack strategy:
- They exploit a known valid account, vulnerable RDP servers, and specifically target the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812 for initial access.
- Following a successful breach, they employ “lolbins” binaries, mirroring the approach of other ransomware groups.
- They distribute malicious executables within the network using Group Policy Objects, subsequently running scheduled tasks, PsExec, or wmic.
- Their final move involves encrypting files, marking them with their signature “.play” extension.
Play Ransomware DLS site
The Play Ransomware operates their DLS site on the TOR network. It currently uses the following address: