Recent investigations by Adlumin have uncovered that the Play ransomware strain is now available as a ransomware-as-a-service (RaaS) model, significantly altering the landscape of cyber threats. This shift allows various cybercriminals to utilize the ransomware by following detailed, step-by-step instructions provided with their purchase.

According to Adlumin’s report, the marked similarity in attack methodologies indicates that affiliates who acquired Play are executing the attacks with minimal variations. Through various incidents, the research noted that criminals consistently employed a distinct set of tactics, transforming each engagement into a near-replica of the last.

This includes the strategic placement of malicious files within the public music folder (C:\…\public\music), utilizing identical passwords to establish elevated access accounts, and executing the same command sequences across multiple incidents. Such uniformity raises significant concerns regarding the security of businesses that may become targets.
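As an added detection example (not code from Adlumin's report), the following Python checks constructed sample events for the two repeated behaviours described above: executable files written under the public music folder (assumed here to be the standard Windows path C:\Users\Public\Music) and a newly created account being added to the local Administrators group shortly afterwards. Windows Security event IDs 4720/4732 and Sysmon event 11 are assumed as the telemetry source; the sample events and the ten-minute pairing window are constructed for illustration.

```python
# Assumed staging path: the standard Windows public music folder (lower-cased for matching).
STAGING_DIR = r"c:\users\public\music"
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1")
# Assumed window (seconds) for pairing account creation with a privileged-group addition.
WINDOW = 600

# Constructed sample events mimicking Sysmon FileCreate (11) and Security 4720/4732 fields.
SAMPLE_EVENTS = [
    {"t": 100, "id": "sysmon:11", "path": r"C:\Users\Public\Music\svc.exe", "user": "CORP\\jdoe"},
    {"t": 105, "id": "sysmon:11", "path": r"C:\Users\Public\Music\notes.txt", "user": "CORP\\jdoe"},
    {"t": 200, "id": "sec:4720", "target": "adm1n", "user": "CORP\\jdoe"},
    {"t": 230, "id": "sec:4732", "target": "adm1n", "group": "Administrators", "user": "CORP\\jdoe"},
    {"t": 900, "id": "sec:4720", "target": "svc_backup", "user": "CORP\\it"},
    {"t": 5000, "id": "sec:4732", "target": "svc_backup", "group": "Administrators", "user": "CORP\\it"},
]


def detect_staged_executables(events):
    """Return paths of executable files created under the public music folder."""
    hits = []
    for e in events:
        if e["id"] != "sysmon:11":
            continue
        path = e["path"].lower()
        if path.startswith(STAGING_DIR + "\\") and path.endswith(EXEC_EXT):
            hits.append(e["path"])
    return hits


def detect_new_privileged_accounts(events, window=WINDOW):
    """Return (account, seconds) pairs where an account was created (4720) and then
    added to Administrators (4732) within `window` seconds; slower, ticketed
    provisioning outside the window is not flagged."""
    created = {}
    hits = []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["id"] == "sec:4720":
            created[e["target"]] = e["t"]
        elif e["id"] == "sec:4732" and e.get("group") == "Administrators":
            t0 = created.get(e["target"])
            if t0 is not None and e["t"] - t0 <= window:
                hits.append((e["target"], e["t"] - t0))
    return hits


if __name__ == "__main__":
    print("staged executables:", detect_staged_executables(SAMPLE_EVENTS))
    print("fast-tracked admin accounts:", detect_new_privileged_accounts(SAMPLE_EVENTS))
```

In production the same logic would run over a SIEM export rather than the inline list, and the window and group name would be tuned to the environment's provisioning practice.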

Originally identified in June 2022, Play ransomware, also known as Balloonfly and PlayCrypt, exploits vulnerabilities in Microsoft Exchange Server, notably through techniques like ProxyNotShell and OWASSRF. These vulnerabilities facilitate network infiltration, allowing attackers to deploy remote administration tools such as AnyDesk before launching their ransomware payloads.

Unlike many ransomware groups that outsource their operations, Play’s initial developers not only created the malware but also directly executed the threats. These latest developments represent a notable transformation, evolving into a full-fledged RaaS model that appeals to a broader spectrum of cybercriminals, especially less experienced actors.

As Adlumin highlights, the comprehensive kits provided by RaaS operators include everything necessary for novice hackers, including documentation, support forums, technical assistance, and assistance with ransom negotiations. This growing accessibility could potentially result in a surge of cyber incidents perpetrated by less experienced individuals.

Business owners and cybersecurity professionals must be vigilant in light of this evolving threat landscape. The proliferation of script kiddies—individuals with limited technical skills—combined with the sophisticated operational framework offered by RaaS providers indicates a looming increase in cyberattacks targeting various sectors.

The MITRE ATT&CK framework categorizes potential adversary tactics that might have been employed in Play ransomware attacks, including initial access techniques via exploitation of vulnerabilities, persistence through the creation of high-privilege accounts, and privilege escalation following initial compromise. As the threat landscape continues to evolve, organizations must enhance their defenses to mitigate the risks associated with the rising prevalence of RaaS offerings.

Given the current trajectory of cyber threats, businesses and industry stakeholders should take proactive measures to shore up their defenses. As the landscape of ransomware continues to shift towards RaaS models, understanding the methods and tactics of adversaries will be vital in safeguarding organizational assets against these evolving threats.
