Play Ransomware Group – Detection and Protection

Play ransomware, also known as Play or Playcrypt, is a cybercriminal group that has successfully infiltrated over 300 organizations around the world. Its attacks rely on distinctive tactics such as intermittent encryption and double extortion to exfiltrate company data and threaten businesses.


What is the Play Ransomware Group?

Since its first appearance in 2022, Play Ransomware Group has been responsible for several major breaches, including at:

  • Microsoft Cuba
  • The City of Oakland
  • The Swiss government
  • Dallas County

Typically, Play installs ransomware on a company’s systems, encrypting its data and demanding a ransom payment, or exfiltrates business data and sells it on dark web forums. Some of their attacks have had international repercussions, impacting hundreds of thousands of customers at once.

The Play ransomware group has an online Tor blog where they publish details of each of their attacks, including summaries of the data they have managed to capture during each attack.

Unique Methods Used by the Play Ransomware Group

Play utilizes FortiOS vulnerabilities CVE-2020-12812 and CVE-2018-13379, along with exposed RDP servers, to breach organizations. Once inside, they distribute ransomware payloads across the environment using Group Policy Objects. By running these payloads as scheduled tasks, they can begin encrypting files systematically across the network and quickly take it over.

One of the defining characteristics of this ransomware gang is the use of intermittent encryption. In traditional ransomware, the payload encrypts each file in its entirety, preventing network administrators from accessing it. However, rapid encryption of many files is a pattern that many security systems recognize and flag.

To evade this detection, Play’s intermittent encryption encrypts only selected portions of each file.

This approach allows the attackers to stay under the radar of most endpoint security solutions while still corrupting enough of each file to make it unusable, locking the company out of its own data.
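Why intermittent encryption slips past a whole-file entropy check, and how a per-block scan still catches it, as an added Python example (not Check Point’s code and not Play’s; the block size, the entropy thresholds and the sample file with pseudo-random “encrypted” stripes are constructed assumptions):

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096     # scan granularity (assumption; tune per environment)
HIGH_ENTROPY = 7.5    # bits/byte typical of ciphertext or compressed data
LOW_ENTROPY = 6.0     # bits/byte typical of text, documents, source code

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data: bytes, block_size: int = BLOCK_SIZE):
    """Entropy of each fixed-size block, in file order."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]

def classify(data: bytes) -> str:
    """'plaintext', 'fully_encrypted', or 'intermittent' when high- and low-entropy blocks sit side by side."""
    ents = block_entropies(data)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high and low:
        return "intermittent"
    return "fully_encrypted" if high == len(ents) else "plaintext"

def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted block (constructed)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]

def build_sample(encrypt_every: int = 4, blocks: int = 16) -> bytes:
    """Constructed victim file: text records with every Nth block overwritten."""
    text = "\n".join(f"record {i:05d}: customer ACME, amount {i % 1000:03d}.00 USD"
                     for i in range(4000)).encode()
    data = bytearray(text[:blocks * BLOCK_SIZE])
    for b in range(0, blocks, encrypt_every):
        data[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = pseudo_ciphertext(bytes([b]), BLOCK_SIZE)
    return bytes(data)

if __name__ == "__main__":
    sample = build_sample()
    print(f"whole-file entropy: {shannon_entropy(sample):.2f} bits/byte")  # stays below HIGH_ENTROPY
    print("per-block verdict:", classify(sample))                          # intermittent
```

Only a quarter of the sample is overwritten, so the file’s overall entropy stays in the range of ordinary data while the per-block view shows ciphertext stripes next to untouched text.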

Play also leverages a company’s reputation to pressure it into compliance. According to the CSA, Play promises complete secrecy to any company that pays the ransom; those that do not pay immediately have all of their data published online and details of the intrusion posted to Play’s Tor blog.

Notable Attacks by the Play Ransomware Group

Play has launched international ransomware campaigns, many of which have disrupted high-ranking institutions, including large enterprises, governments, and even major city councils.

Here are some of the most notable attacks of the last few years:

  • Dallas County: Play ransomware group launched an attack on Dallas County’s private records. Over 200,000 individuals had their records stolen in the breach, including SSNs, state identification numbers, taxpayer information, medical information, and even health insurance details.
  • Swiss Government: Play launched an attack on the Swiss government in May 2023, breaching over 1.3 million confidential records from their private servers. Of these, 65,000 were directly related to the federal administration, creating a major security risk for the country.
  • Arnold Clark: Arnold Clark is the largest independent car retailer in Europe and another one of Play’s high-profile targets. Play stole ID information, banking details, and full vehicle registration records from customers, with the company entering into negotiations with Play.
  • Judiciary of Cordoba: In late 2022, the city of Cordoba’s Judiciary systems experienced a cyberattack orchestrated by Play. Files across their entire systems were encrypted with the typical .play extension, and the ransomware group left a simple ReadMe.txt that listed “Play” and an email address to contact to discuss the ransom.

The vast majority of stories related to Play gain heavy media attention and then rapidly disappear from the public eye. It seems that without clear defense systems in place and options to recover their data, compromised organizations may have to enter into conversation with the Play ransomware group.

While Play has been less active in 2024 than in previous years, it still represents a major threat to unsecured organizations.

Prevention and Mitigation for Ransomware Attacks

Here are some of the leading strategies a company can use to protect itself from ransomware attacks:

  • Use Access Controls: By segmenting your network and creating a permissions system, you limit the total access that any compromised account has to your systems. In an unsegmented network, one compromised account could mean the complete compromise of your environment. Access control segmentation prevents this from happening and reduces the likelihood of a complete lock-out.
  • Deploy Endpoint Protection: Detecting a ransomware threat and neutralizing it as quickly as possible is vital in effectively defending your company from this attack vector. Endpoint protection solutions will help to rapidly locate and mitigate a ransomware attack.
  • Update Your Systems: Regularly updating your systems and patching to the latest version of the software will help to reduce the likelihood of your company having a known vulnerability in its system. Patches are regularly released for software to remove vulnerabilities.
  • Implement Contingency Plans: Crafting effective contingency plans for what your company will do in a ransomware scenario is a useful way of developing a comprehensive threat response plan. For example, your business could pinpoint which backups it should maintain and outline a procedure for isolating affected systems at the first sign of an attack.

Ransomware Protection with Check Point

Attacks by Play and other major ransomware groups are becoming far more common, with the sheer scope of modern enterprise attack surfaces making companies more vulnerable than ever. In the face of the rising cyber threat, enterprises need to turn to effective cybersecurity solutions to keep their businesses as secure as possible.

Check Point Anti-Ransomware software forms a core segment of the full endpoint security solution. With a comprehensive level of protection across every company endpoint, Check Point allows your business to automate cybersecurity and enhance defenses across the board.

With this solution, your business will be able to reduce the risk of a successful ransomware attack while protecting itself from numerous other leading cybersecurity threats. Reach out to Check Point to book a demo today.
