'Play' Ransomware Group Targeting MSPs Worldwide in New Campaign

The fast-rising Play ransomware group that targeted the City of Oakland earlier this year is now hitting managed service providers (MSPs) around the globe in a cyberattack campaign to distribute ransomware to their downstream customers.

One troublesome aspect of the campaign is the threat actor's use of intermittent encryption — where only parts of a file are encrypted — to try and evade detection.

Wide Range of Victims

Play's targets appear to be midsized businesses in the finance, legal, software, shipping, law enforcement, and logistics sectors in the US, Australia, UK, Italy, and other countries, Adlumin said in a report this week. Researchers at Adlumin who are tracking the campaign as PlayCrypt say the attacker is also targeting state, local, and tribal entities in these countries as well.

As with other attacks involving MSPs, the Play or PlayCrypt group breaks into MSP systems and uses their remote monitoring and management (RMM) tools to get unfettered access to the networks and systems of customers of the MSPs. It is a tactic that other threat actors have used with substantial impact. The most notable example remains the REvil ransomware group's attack on multiple MSP via vulnerabilities in Kaseya's Virtual System Administrator (VSA) network monitoring tool. The attack resulted in the encryption of data on the systems of more than 1,000 customers of these MSPs.

Kevin O'Connor, director of threat research at Adlumin, says his company's research shows the threat actors gain access to privileged management systems and RMM tools via a phishing campaign that targets employees at MSPs.  "[This] leads to compromise of their systems and access either through direct exploitation or credential harvesting and reuse" he says.

Many Exploits, Including via Microsoft Exchange

Once the Play actors gain access to a customer environment — via the victim's MSP — they move quickly to deploy additional exploits and broaden their foothold, Adlumin said in a report this week. In some cases, they have exploited vulnerabilities in Microsoft Exchange Server. Examples include CVE-2022-41040, a privilege escalation bug that attackers were exploiting before Microsoft had a fix for it and CVE-2022-41082, a remote code execution bug that was also a zero-day at the time of disclosure. Adlumin researchers have also observed Play actors exploit other relatively older vulnerabilities in Fortinet appliances — such as CVE-2018-13379, a five-year-old path traversal flaw in FortiOS and CVE-2020-12812, a security bypass flaw in FortiOS.

Play's other post-compromise tools include exploits for the ProxyNotShell vulnerabilities of 2022, service side request forgery (SSRF), and legitimate PowerShell scripts that allow the threat actor to camouflage malicious activity. Adlumin spotted the threat actor distributing executables via Group Policy Objects, scheduled tasks, and the PsExec utility for remote process execution.

"Attackers leveraged the exploits post-initial compromise for lateral movement and internal spread," O'Connor says. "Initial compromise was through illegitimate access / usage of Remote Monitoring and Management (RMM) tools."

Intermittent Encryption

The Play ransomware tool itself is a pretty sophisticated piece of work, according to Adlumin. One feature that merits special attention is its use of intermittent encryption to make data inaccessible on victim systems. With intermittent encryption, only certain fixed segments of data in a target file gets encrypted. The approach allows for faster encryption — a fact that threat actors like because it means they can accomplish their task faster —while also rendering data inaccessible for victims.

However, intermittent encryption is also not foolproof. Research from CyberArk on files encrypted in this manner reveals that sometimes it is possible to recover data with files that are constructed a certain way. The company released a free tool in May 2023 that gives victims of ransomware groups such as Play a chance at reconstructing locked up data without having to pay to get a decryption key.

Play is among a small set of attackers that has begun using the intermittent encryption approach. Adlumin has assessed it was actually the first one to adopt the ploy. Others include the operators of BlackCat, DarkBit, and BianLian.

O'Connor says Adlumin's telemetry shows that Play likely began operations around June 2022. The company's monitoring of Play's leak site on TOR shows that the threat group has claimed at least 150 victims so far in over one dozen companies.

Other vendors tracking the group have described it as a rapidly emerging threat but one with a tighter focus area. In recent reports, both Trend Micro and SOCRadar, for instance, identified Latin America as Play's primary focus area. "Adlumin definitely does not observe that to be the current case with the group's targeting and the majority of victims now appear to be US or at least US/Europe based," O'Connor noted.