The Play ransomware group has been actively targeting businesses and critical infrastructure across North America, South America, and Europe since June 2022. The actors gain initial access by exploiting vulnerabilities, using stolen credentials, and abusing remote access services. The group employs a double extortion model: data is exfiltrated first, and systems are encrypted afterwards. Play ransomware uses hybrid AES-RSA encryption together with intermittent encryption techniques. The actors use a variety of tools for network discovery, credential theft, and lateral movement. Organizations are advised to implement robust security measures, including multifactor authentication, regular patching, network segmentation, and maintaining offline backups, to mitigate the risk of ransomware attacks.

Author: AlienVault
Related Tags:
cve-2022-41040
cve-2020-12812
cve-2018-13379
cve-2022-41082
Grixba
T1560.001
Play
Australia
Critical Infrastructure
Associated Indicators:
453257C3494ADDAFB39CB6815862403E827947A1E7737EB8168CD10522465DEB
75404543DE25513B376F097CEB383E8EFB9C9B95DA8945FD4AA37C7B2F226212
7A42F96599DF8090CF89D6E3CE4316D24C6C00E499C8557A2E09D61C00C11986
7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA
75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A
47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E
3D86555ACAA19AEDDB5896071D1E3711B062EDBE