Play ransomware is unfortunately nothing to be lax about. It has not only made headlines for the wrong reasons but has also attacked numerous systems across much of the developed world. Three law enforcement agencies in the USA and Australia issued a joint advisory on Play ransomware:
- Federal Bureau of Investigation (FBI).
- Cybersecurity and Infrastructure Security Agency (CISA).
- Australian Cyber Security Centre (ACSC) of the Australian Signals Directorate.
The FBI revealed that Play ransomware had claimed around 300 victims between June 2022 and October 2023. Among them are a wide range of businesses and critical infrastructure across Europe and North and South America. Some victims were also reported in Oceania, particularly in Fiji, New Zealand, and Australia.
What is the purpose of the joint advisory? And what is the modus operandi of such ransomware?
The joint advisory provides a list of the tools used by the Play ransomware group. It also lists the attack vectors the group frequently uses to gain initial access. They include
- Abuse of valid accounts.
- Exploitation of public-facing applications.
- Use of ProxyNotShell.
Once inside a network, the attackers use specialised tools to disable anti-virus, anti-malware, and other security mechanisms, and to remove log files. They then start hunting for valuable data while at the same time preparing the encryption. In most cases, responding to such behaviour requires a dedicated security team or an external agency that can help.
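As an added illustration of the sequence just described (this is example code, not from the advisory or this page), the following Python flags hosts on which security tooling was disabled and event logs were cleared shortly afterwards. The sample records are constructed; the channel/event-ID pairs and the record shape are assumptions about what a log collector exposes.

```python
"""Flag hosts whose event stream shows defences being disabled followed
by event logs being cleared, the defence-evasion pattern described above.
Assumption: a collector forwards Windows events as dicts with host, time,
channel and id. Sample records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event id) pairs this example treats as signals
LOG_CLEARED = {("Security", 1102), ("System", 104)}   # audit / system log cleared
DEFENSE_DISABLED = {                                   # real-time protection turned off
    ("Microsoft-Windows-Windows Defender/Operational", 5001)}

SAMPLE_EVENTS = [  # constructed sample input
    {"host": "fs01", "time": "2023-10-02T01:12:04",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
    {"host": "fs01", "time": "2023-10-02T01:14:30", "channel": "Security", "id": 1102},
    {"host": "fs01", "time": "2023-10-02T01:14:31", "channel": "System", "id": 104},
    {"host": "ws22", "time": "2023-10-02T08:00:00", "channel": "Security", "id": 1102},
    {"host": "db07", "time": "2023-10-02T03:00:00",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
]


def find_defense_evasion(events, window=timedelta(hours=1)):
    """Return {host: [clear times]} for hosts where a log-clear event follows
    a defence-disabled event within `window`. A lone log clear (routine
    rotation) or a lone disable event on its own does not trigger."""
    by_host = defaultdict(lambda: {"disabled": [], "cleared": []})
    for e in events:
        key = (e["channel"], e["id"])
        t = datetime.fromisoformat(e["time"])
        if key in DEFENSE_DISABLED:
            by_host[e["host"]]["disabled"].append(t)
        elif key in LOG_CLEARED:
            by_host[e["host"]]["cleared"].append(t)
    hits = {}
    for host, seen in by_host.items():
        clears = {c for d in seen["disabled"] for c in seen["cleared"]
                  if timedelta(0) <= c - d <= window}
        if clears:
            hits[host] = sorted(clears)
    return hits


if __name__ == "__main__":
    for host, times in find_defense_evasion(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: defences disabled, then logs cleared at "
              f"{[t.isoformat() for t in times]}")
```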
What do recent reports state?
Recent reports say that Play ransomware climbed from sixth to third in the list of groups with the highest number of known attacks. Unfortunately, this ransomware group has made a name for itself and generated a lot of bad headlines since August last year.
Play ransomware also operates as a double extortion group. It not only steals data but also encrypts systems. The stolen data then gives the group leverage to threaten victims with publishing it on the Dark Web, where the group operates a series of leak websites.
Why was the joint CSA even issued?
The joint CSA was issued to emphasize the importance of having an actionable recovery plan. It also stressed using multi-factor authentication (MFA) for logins and keeping all firmware, operating systems, and software up to date.
The Federal Bureau of Investigation (FBI) is seeking any information that can be shared, including:
- Boundary logs
- Communication logs going to and coming from foreign IP addresses.
- Any ransom note.
- Communications made by Play ransomware actors.
- Information about Bitcoin Wallets.
- Decryptor files.
- Benign samples of encrypted files.
This is the information that Play ransomware operators collect and use to pave the way for the ransomware to wreak havoc.
In what ways can ransomware be avoided?
Here are some worthwhile tips that can help both individuals and companies avoid ransomware:
- Blocking all common forms of entry: Cybersecurity teams must have a plan for patching vulnerabilities in their systems. Disabling or hardening remote access is a must, especially RDP and VPNs.
- Preventing intrusions: Stop threats early, before they can infiltrate or infect endpoints, by using endpoint security software that can block exploits and stop malware from delivering ransomware.
- Detecting intrusions: Make it harder for intruders to operate inside the company by segmenting the network and assigning access rights prudently to the right people. Using EDR, MDR, or both to detect unusual activity before an attack happens is highly effective.
- Stopping malicious encryption in its tracks: Deploying Endpoint Detection and Response software can help. These tools use multiple detection techniques of different kinds to identify ransomware and also provide ransomware rollback, which restores system files damaged by a ransomware attack.
- Making backups that are offline and off-site: This keeps a safe copy of files beyond the reach of attackers. Backups should be tested regularly to ensure that essential business functions can be restored with ease.
- Not getting lax and being attacked again: Lightning may not strike the same place twice, but it is still wise to isolate the outbreak and stop the first attack. The traces left by the attackers should be removed along with their tools, malware, and entry methods. This helps individuals and companies avoid facing such attacks again.