Play ransomware infection routine

A ransomware gang named “Play” was discovered on the Dark Web. Along with them, a list of 22 victims has been revealed. There is a piece of evidence that points to a possible connection between Play ransomware and Quantum ransomware, which is an offshoot of the notorious Conti ransomware group. The Cobalt Strike beacons that were used in Play’s attacks bear the same watermark, 206546002, as those previously dropped by Emotet and SVCReady botnets that have also been observed in Quantum ransomware attacks. This suggests that the two ransomware groups share some of the same infrastructure. Play Ransomware specifically targets backup solutions in order to ensure that the victim has no other option to recover the data. Play group is particularly methodical in developing and implementing backup removal techniques. Here’s a blog post on the infection routine and backup environment attack method.


Play ransomware infection routine:

Malware (ransomware included) is mainly proliferated using phishing and social engineering techniques. Malicious programs are typically disguised as or bundled with ordinary software/media.

Here are the TTPs and tools used by the Play ransomware crew (from Monaco Cyber Sécurité’s Security Operation Center – CTI, thanks to my mate Anasse):

  • Initial Access: gains initial access through valid accounts (VPN, exposed RDP, etc.) and by exploiting FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812. They have been known to use compromised valid accounts or exploit unpatched Fortinet SSL VPN vulnerabilities to gain access to an organization’s network.
  • Execution: uses the Empire, SystemBC and Cobalt Strike post-exploitation frameworks, PsExec, creation of GPOs to deploy scheduled task from the AD and batch files.
  • Privilege escalation: uses Nekto/PriviCMD, Mimikatz and WinPEAS.
  • Persistence: uses scheduled tasks and valid accounts.
  • Defense Evasion: uses tools such as Process Hacker, GMER, IOBit, and PowerTool to disable antimalware and monitoring solutions. The group uses .bat script and wevtutil to remove indicators of its presence, such as logs in Windows Event Logs or malicious files. It disables Windows Defender protection capabilities through PowerShell or command prompt.
  • Credential Access: uses Mimikatz to dump credentials, executed as module of Cobalt Strike and Empirer.
  • Discovery: uses common ADFind, Nltest and Bloodhound tool for enumerating system and domain information.
  • Lateral Movement:
    o uses Cobalt Strike SMB beacon as a C&C beacon, a method of lateral movement, and a tool for downloading and executing files;
    o uses SystemBC, a SOCKS5 proxy, for backdooring mechanisms;
    o uses Empire for post-exploitation activity;
    o uses Mimikatz to dump credentials and gain domain administrator access on victim networks to conduct lateral movement.
    Collection: archives collected data using WinRAR
  • Exfiltration: uses WinSCP, an SFTP client and FTP client for Microsoft Windows. They use the remote tool WinSCP for data exfiltration, and Task Manager for Local Security Authority Server Service (LSASS) process dumping and credential cracking.


Play ransomware’s infection chain:

The ransomware executable is distributed via Group Policy Objects (GPO), then run using scheduled tasks, PsExec or wmic.

Source Trend Micro @ 2022
Here’s the Playbook of Play Ransomware by Trend.

My Vanguard mate (Julien Mousqueton) added yesterday the scrapped of Play in the ransomware leak site (based on Ransomwatch).


Backup environment:

Play ransomware specifically targets backup solutions in order to ensure that the victim has no other option to recover the data. Play group is particularly methodical in developing and implementing backup removal techniques. Play’s tactics are based on utilizing the skills of their network intruders or “pentesters” in order to ensure to target on-premise and cloud backup solutions.

Full analysis:

The full analysis is available below and it is based on actual proactive victim breach intelligence and subsequent incident response, especially on the forensic of the backup environment (not a simulated or sandbox environment). Play ransomware’s approach is similar to the Conti ransomware cartel. Backups are now target number 1, and attack skills on the backup environment are more and more advanced.

Play ransomware hunts for Backup privileged users and services and leverages to access, exfiltrate, remove and encrypt backups to ensure ransomware breaches are un-”backupable”. This way, Play simultaneously exfiltrated the data for further victim blackmailing, while leaving the victim with no chance to quickly recover their files as the backups are removed.

Play initiates their attacks in the backup environment with stuff in or NOT in the Active Directory Domain. Basically, Play does focus on Password Management tools such as KeyPass. So, segment your passwords into different Passwords Management tools (especially local accounts and CISO/Security Officer accounts). Never leave your Password Management tool open on your workstation, and never store it on the Filer Servers.

Play’s “backup removal solutions” begin on the team development level. While selecting network intruders for their divisions also known as “teams”, Play is particularly clear that experience related to backup identification, localization, and deactivation is among their top priorities for a successful pentester. This backup focus implemented within the partnership-building process (the same approach as Conti) enables Play to assemble teams, equipped with knowledge and skills aimed at backup removal.

The most novel tactics developed by such teams are centered around all Backup solutions and appliances. Pay special attention to the speeches of publishers and manufacturers, keep in mind everyone is equal in front of cyberattacks and each situation is different.

Key Takeaways (Play ransomware):

  • Backup data encryption “.PLAY” (AD domain or NOT),
  • Focusing on Password Management tools such as KeyPass for example to find Local Accounts,
  • Removing Backup data since Management/Administration interface via an AD domain account or Local account (targeted attack on Management/Administration interfaces),
  • Change to the handling of NTP time sources (clock) then exploiting immutability,
  • Skills to empty the headers of backup hardware and appliances (knowledge for each vendor),
  • Enabling others protocols on Backup hardware and appliances (CIFS/NFS) in order to bypass proprietary and secure protocols and for all storage manufacturers. Then mapping a network drive to the share, mtree, etc.,
  • Lateral Movement,
  • Erasing data on tapes (in the library) and installing another Backup software to do it directly on the Backup server if the first backup software is protected (a Tape library is connected with FC or SAS on a physical server).


Secure Backup is your last line of defense:

Defense-in-depth – target to hit:

First, respect this rule: 3-2-1-1-0 (with Trusted Immutability, one Offline Backup, and Backup Verification).

Second, protecting your Backup Server and integrating Trusted Repository Storage, Offline Backup (Tape, example: Quantum Active Vault) or Dell EMC Cyber Recovery (air-gapped backup through a sanctuary), or Immutable (Immutable Backup feature, Retention Time Lock with ExaGrid, Retention Lock with Dell EMC DataDomain, Snapshot feature in Quantum’s DXi appliance, HPE StoreOnce with Data Immutability, Object Lock with Object Storage solution such as Dell EMC ECS or DataCore SWARM, or Wasabi, etc.), Hardening (server, storage, OS..). Enabling snapshot protection such as Pure Storage Safe Mode or Dell EMC Secure Snap. Maintaining developed protocols of access rights hierarchy, Zero Trust, network security (segmentation, VLAN dedicated for Backup components), Backup environment not integrated into the domain (100% of attacks exploits a weakness of the Active Directory), and password hygiene, take care of your Local Accounts & segment your passwords into different Passwords Management tools (especially local accounts and CISO/Security Officer accounts). Enabling double-authentication on the management interface (storage hardware, appliances, etc.). Never leave your Password Management tool open on your workstation, and never store it on the Filer Servers. Protect your NTP. Anonymizing the name of backup servers and repositories – and the name of service accounts, creating a HoneyPot backup environment, creating fake backup services accounts without permissions (svc_backup and with all backup vendors) then monitoring them with AD alerting in real-time solution (such as Netwrix, Varonis, Tenable.AD), as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Pay successfully removing backups. Secure backup solutions and mitigations listed will enable any possible victims to leave Pay without their demanded ransom money. Keep in mind backup is a building block of the cybersecurity ecosystem.

Important: In some scenarios, we saw when the ransomware did not encrypt ‘enough’ parts in bigger files.

It is not possible to predict if the Play ransomware code (active since at least mid-July 2022 only) actually encrypts all the files, or encrypts bigger portions of some random files and almost nothing of some other files based on its own logic (like ‘not more than X seconds spent on one file’).

It is still worth trying to check more backup files, but it’s only about the time needed for getting the headers and checking them with a chance something can be restored from there, and time that can be used to rebuild that infrastructure.

You can get headers of multiple files, Backup solution vendor can check all of them.


How to recover? First 48 hours crucial:

    -CERT or INSURER: Get experts on the phone fast to assess what should be considered,
    -Forensics Expert: Assessing the damage caused by a third party and if the attacker is still in the infrastructure,
    -Law Enforcement: Make sure the correct law enforcement bodies have been notified,
    -Backup Vendor: The current state of the backups is crucial for recovery and for forensics experts to find potential entry points. A company like Monaco Digital can manage the Backup Team (stream) during a cyber crisis (forensic on the backup environment, analyzing the logs, identifying safe assets, understanding the lateral movement of the attackers, rebuilding a circumstance backup environment that respects the best practices, etc.), then collaborate with the Crisis Team and the Global Forensic Team,
    -Partners with knowledge: Recovering from a ransomware attack is a marathon not a sprint! Make sure you help your IT departments with strong partners (such as Monaco Digital and Monaco Cyber Securité for example).



Cobalt Strike download
Cobalt Strike C&C
Cobalt Strike C&C
Cobalt Strike C&C
Cobalt Strike C&C
Exfiltration C&C Server



Identify a piece of malware with Yara: Blog Post
Building a SOC: Blog Post
List of vendors and software affected by the OpenSSL vulnerability: Blog Post
Critical OpenSSL Vulnerability version 3.0: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post

Please follow and like us:

Enjoy this blog? Please spread the word :)