Ransomware Transformation: Shifting to a Commercial Model, Offered as a Service to Cybercriminals

The cyber threat known as Play ransomware has shifted gears and is now offered as a service to other threat actors, according to a recent report by Adlumin.

Adlumin’s report shared with The Hacker News highlights a distinct pattern across Play ransomware attacks, indicating they’re executed by affiliates following detailed instructions bundled with the ransomware-as-a-service (RaaS) package. These attacks, observed in different sectors, showcased nearly identical tactics, sequences, and maneuvers.

From concealing malicious files in the public music folder (C:…\public\music) to using identical passwords when creating high-privilege accounts and running identical commands, the consistency of the methods pointed to a structured playbook guiding these attacks.
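The shared playbook described above is what makes this wave detectable: the same staging directory and the same account-creation step show up on every victim. The following hunt script is an added example, not code from the article or from Adlumin's report. It assumes Windows Security events exported as JSON lines, using the documented event IDs 4688 (process creation, field NewProcessName) and 4720 (user account created, field TargetUserName); the sample records are constructed, and the account name and executable name in them are placeholders, not indicators from the report.

```python
"""Hunt for Play-style playbook indicators in exported Windows Security events.

Added example, not from the article. Field names follow the Windows Security
log (EventID 4688: NewProcessName; EventID 4720: TargetUserName); the sample
events below are constructed for illustration.
"""
import json
from pathlib import PureWindowsPath

# Staging directory the article reports the affiliates used for malicious files.
STAGING_DIR = PureWindowsPath(r"C:\Users\Public\Music")

# Constructed sample export (one JSON object per line, as a SIEM might emit).
# "svc.exe" and "backupadm" are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
{"EventID": 4688, "Computer": "WS01", "NewProcessName": "C:\\Users\\Public\\Music\\svc.exe", "SubjectUserName": "jdoe"}
{"EventID": 4688, "Computer": "DC01", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "SubjectUserName": "jdoe"}
{"EventID": 4720, "Computer": "WS01", "TargetUserName": "backupadm", "SubjectUserName": "jdoe"}
{"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def under_staging_dir(path_str):
    """True if path_str lies inside STAGING_DIR (case-insensitive, whole
    path components only, so C:\\Users\\Public\\Musical does not match)."""
    parts = [p.lower() for p in PureWindowsPath(path_str).parts]
    wanted = [p.lower() for p in STAGING_DIR.parts]
    return parts[: len(wanted)] == wanted


def analyse(events):
    """Return one finding per event that matches a playbook indicator."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4688 and under_staging_dir(ev.get("NewProcessName", "")):
            findings.append({"host": ev["Computer"],
                             "indicator": "exec_from_public_music",
                             "detail": ev["NewProcessName"]})
        elif eid == 4720:
            findings.append({"host": ev["Computer"],
                             "indicator": "local_account_created",
                             "detail": ev["TargetUserName"]})
    return findings


def hosts_matching_playbook(findings, threshold=2):
    """Hosts on which at least `threshold` distinct indicators fired.
    A single new account or a single odd process is noisy on its own; the
    combination is what the reported playbook looks like."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["indicator"])
    return sorted(h for h, inds in by_host.items() if len(inds) >= threshold)


if __name__ == "__main__":
    found = analyse(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['host']}: {f['indicator']} ({f['detail']})")
    print("playbook match on:", hosts_matching_playbook(found))
```

The path check compares whole path components rather than a string prefix, so a sibling directory whose name merely starts with "Music" is not flagged; the per-host threshold turns two individually noisy signals into one alert that mirrors the repeated sequence Adlumin describes.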

Originally emerging in June 2022, Play, also known as Balloonfly and PlayCrypt, exploited vulnerabilities in Microsoft Exchange Server, breaching networks through ProxyNotShell and OWASSRF and deploying remote administration tools such as AnyDesk before dropping the ransomware itself. What set Play apart was that its developers doubled as the attackers and used tailored data-gathering tools such as Grixba for double extortion.

However, this recent evolution marks a shift, transforming Play into a full-fledged RaaS operation, amplifying its appeal among cybercriminals seeking lucrative options.

Adlumin warned of the lure these RaaS kits hold for novice hackers, since they come with comprehensive support, forums, technical assistance, and ransom negotiation guidance. That accessibility may draw in script kiddies and drive a surge in incidents, so businesses and authorities should brace for a further wave of attacks.

Source – https://thehackernews.com/