Play ransomware alert: 300 entities affected, including critical infrastructure

The modus operandi of the Play cybercriminal group and advice for countering its attacks

The FBI, CISA and ASD's ACSC warn against the activities of the Play ransomware cybercriminal group, responsible for cyber breaches globally. The group uses data stolen before the attack as a threat to demand ransom. Agencies recommend implementing multi-factor authentication, software updates, and recovery plans to mitigate risk.

The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), has issued a warning about the activity of the cybercriminal group known as Play ransomware. The group was responsible for cyber breaches against approximately 300 organizations worldwide between June 2022 and October 2023, including critical infrastructure entities. Since its debut in June 2022, the threat actors have used a post-intrusion communication method that departs from the norm: rather than setting up anonymized negotiation pages on Tor, they prefer to conduct ransom negotiations by email.

Play operating modes and objectives

The group's method is to steal sensitive documents from compromised computer systems before launching the ransomware, then use that data as leverage, threatening to publish it online unless the victim pays the ransom. Among the tools used, one stands out: a utility for copying files from volume shadow copies, which allows data to be exfiltrated even when the original files are locked at the operating system level. Recent notable victims include the city of Oakland in California, the car dealership chain Arnold Clark, the cloud computing firm Rackspace and the Belgian city of Antwerp.

How to defend yourself from Play

The agencies advise organizations to consider implementing specific defensive strategies, starting with remediating known and frequently exploited vulnerabilities to reduce the likelihood of falling victim to attacks orchestrated by Play ransomware. Adopting multi-factor authentication (MFA) is also essential, particularly for critical services such as webmail, VPNs and privileged accounts, along with regular software updates and a proactive vulnerability assessment strategy.

Mitigation measures and security updates

Additional measures to reduce both the likelihood of an attack and the impact of a successful one include maintaining offline backups of data, implementing recovery plans and systematically updating operating systems, software and firmware. The FBI, CISA and ASD's ACSC urge organizations to implement the recommendations in the mitigations section of their joint advisory, in order to strengthen the resilience of information infrastructures against ransomware-related incidents.

12/18/2023 19:47

Editorial AI
