Freely subscribe to our NEWSLETTER

“PLAY ransomware has reportedly spent a bit of effort recently in developing their data collection toolkit. Development and use of proprietary tooling is usually a marker of a more capable ransomware group.

WithSecure’s primary observations of PLAY ransomware do indicate the use of an initial access broker (See WithIntel’s report on SILKLOADER), which serves as an ever-present reminder that large and complex organisations need to be extra cognisant of their external footprint / attack surface.

PLAY has recently developed tooling that, in particular, looks to enumerate a network with an emphasis on allowing the attackers to identify enterprise security toolsets, backup systems, and also living off the land command and control opportunities, which unlike some other ransomware families demonstrates a willingness and capability to take on networks with well-funded and considered defensive operations.

The development of data stealing capability is another reminder that data theft is also becoming a more predominant extortion ‘lever’ (whereas perhaps traditionally it was secondary to encryption), and even with a network that is as segregated as a typical bank where aiming for severe service disruption across OT may represent an unnecessary use of attacker effort, a ransomware attack can now still be considered successful even with relatively minor service impact – if sufficient data exfiltration was achieved.”