New evidence uncovered by Adlumin indicates that the ransomware strain known as Play has transitioned into an “as a service” model, allowing other threat actors to access and utilize it. Adlumin’s report notes the distinctive lack of variations between attacks, suggesting that affiliates who have purchased the ransomware-as-a-service (RaaS) are executing attacks following step-by-step instructions provided with it.

The findings are based on Adlumin’s tracking of various Play ransomware attacks across different sectors, revealing almost identical tactics and sequences. This includes the use of the public music folder (C:…\public\music) to conceal the malicious file, the employment of the same password for creating high-privilege accounts, and the execution of identical commands in both attacks.
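
The two signals described above (files staged in a `\public\music` folder and identical commands recurring across victims) can be hunted for in process-creation telemetry. The Python below is an added example, not taken from Adlumin's report; the event format, host names, file names and full paths are constructed, and the matcher keys only on the `\public\music\` path segment.

```python
import json
import re
from collections import defaultdict

# Constructed process-creation events, one JSON object per line.
# Hosts, file names and full paths are invented for illustration.
SAMPLE_EVENTS = r'''
{"host": "fin-ws01", "image": "C:\\Users\\Public\\Music\\upd.exe", "cmdline": "C:\\Users\\Public\\Music\\upd.exe  -q"}
{"host": "fin-ws01", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"host": "hr-srv02", "image": "c:\\users\\public\\music\\upd.exe", "cmdline": "c:\\users\\public\\music\\upd.exe -q"}
{"host": "hr-srv02", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"host": "dev-ws07", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c copy tool.bin C:\\Users\\Public\\Music\\tool.bin"}
'''

# Matches the \public\music\ segment anywhere in a path, any case, either slash.
PUBLIC_MUSIC = re.compile(r"[\\/]public[\\/]music[\\/]", re.IGNORECASE)

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def staged_in_public_music(events):
    # Flag a process that runs from the folder or references a file inside it.
    return [e for e in events
            if PUBLIC_MUSIC.search(e["image"]) or PUBLIC_MUSIC.search(e["cmdline"])]

def normalize(cmdline):
    # Case and whitespace differences should not hide an otherwise identical command.
    return " ".join(cmdline.lower().split())

def repeated_across_hosts(events, min_hosts=2):
    # Map each normalized command line to the hosts it ran on; keep those seen on several.
    hosts = defaultdict(set)
    for e in events:
        hosts[normalize(e["cmdline"])].add(e["host"])
    return {cmd: sorted(h) for cmd, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    staged = staged_in_public_music(load_events(SAMPLE_EVENTS))
    for e in staged:
        print("staged:", e["host"], e["cmdline"])
    # Repetition alone also matches benign system commands, so combine both signals.
    for cmd, seen_on in repeated_across_hosts(staged).items():
        print("identical on", seen_on, "->", cmd)
```
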

Originally identified in June 2022, Play, also known as Balloonfly and PlayCrypt, initially exploited security flaws in Microsoft Exchange Server, specifically ProxyNotShell and OWASSRF, to infiltrate networks. The ransomware campaign involved dropping remote administration tools such as AnyDesk before deploying the ransomware. Notably, Play stood out by using custom data gathering tools like Grixba for double extortion, and its operators were directly involved in developing and executing the attacks.

The recent shift marks a significant transformation for Play, turning it into a RaaS operation, which makes it an attractive option for cybercriminals. This model offers a complete package, including documentation, forums, technical support, and ransom negotiation support, making it appealing even to less experienced individuals, often referred to as “script kiddies.”

Adlumin warns that with the accessibility of ransomware kits through RaaS operations, businesses and authorities should be prepared for a potential surge in incidents, as script kiddies may be tempted to exploit these tools, leading to an increase in cyber threats.
