The Cybersecurity and Infrastructure Security Agency (CISA) has released a security alert for the ransomware group known as Play.
What happened
The CISA recently released new alerts as part of their #StopRansomware Initiative. The alerts detail ransomware variants and organizations that showcase a growing threat to security in healthcare and other industries.
Their newest alert, co-released with the Australian Cyber Security Centre, is focused on Play, also known as Playcrypt, an emerging cyber threat.
The group has impacted a range of businesses in North America, South America, and Europe since June 2022. As of October 2023, the FBI has been made aware of 300 affected organizations. Australia is also being impacted, first observing Play incidents in April and continuing to monitor them.
Going deeper
The nefarious organization is allegedly a closed group. According to a website statement, they “guarantee the secrecy of deals.”
Their ransomware model is considered double-extortion, meaning that they both encrypt data, making it difficult for the victim organization to use, and steal the victim’s data.
According to the CISA, they do not ask for an initial ransom demand or provide payment instructions. Instead, they demand victims reach out to Play via email. Play demands victims pay in cryptocurrency and threatens to publish data if victims are non-compliant.
Play has exploited valid accounts and public-facing applications to gain access to victim networks. They have also used remote desktop controls and virtual private networks (VPNs).
What’s next
As Play ransomware, and others, continue to grow and evolve, CISA recommends organizations take mitigation steps to prevent nefarious organizations from disrupting critical infrastructure or stealing data.
Here are some of CISA’s top strategies:
- Implement a recovery plan to maintain and retain copies of sensitive or critical data
- Require accounts with passwords to comply with NIST’s standards
- Require multi-factor authentication
- Keep operating systems, software, and firmware up to date
- Segment networks to prevent ransomware from spreading
- Identify and investigate abnormal activity
- Filter network traffic
- Install and update real-time antivirus software
These strategies, and more, can be used to ensure organizations have done everything they can to prevent a cyberattack and the consequences that emerge from it.
Related:
The big picture
The FBI is encouraging organizations that may be victims of Play to immediately report the incident. The FBI is seeking any information, including Bitcoin wallet information, sample ransom notes, and any other communication information.
Lastly, the FBI discourages organizations from paying any ransom, stating it “does not guarantee victim files will be recovered.” It can even worsen a situation because it can “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”
Abby Grifno
