FBI Investigations Reveal Tactics of Play Ransomware
Today, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA) to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.
As a reminder, IOCs (indicators of compromise) are artifacts, such as file hashes, IP addresses, domains, or tool names, that indicate someone may have breached an organization’s network. TTPs (tactics, techniques, and procedures) describe how an adversary plans and carries out an attack: the tactic is the goal of a given step, the technique is the method used to reach that goal, and the procedure is the specific way the group implements that method.
Play Ransomware Affects Businesses Worldwide
“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” the three government agencies stated in the Dec. 18 announcement. “In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.”
The Play ransomware group is presumed to be a closed group designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. The bad actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.
“I think it is imperative that people understand that today’s ransomware bad actors are not just encrypting data, but they are also exfiltrating data so they can hold even more things ransom,” said PrivaPlan CIO Ron Bebus. “It’s important to take steps [listed below] to stop them in their tracks.”
Take These Steps to Mitigate the Impact of Play Ransomware
The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of the guide, #StopRansomware: Play Ransomware, to reduce the likelihood and impact of ransomware incidents. These include:
- Prioritize remediating known exploited vulnerabilities.
- Enable and require multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
- Keep all operating systems, software, and firmware up to date. Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
Additionally, maintaining offline backups of data and implementing a recovery plan are high priorities for mitigating ransomware events.
In 2021, the U.S. Government launched a website to help public and private organizations defend against the rise in ransomware cases. Learn more about it on our blog.
For more information about mitigating ransomware and other cybersecurity threats, contact the privacy and security experts at email@example.com or call 877-218-7707.