
Understanding the Latest Ransomware Attack: Key Insights

Understanding the ongoing danger posed by Play ransomware attacks is crucial. Here's a breakdown of the situation.


Fresh reports indicate that the ransomware threat isn't fading anytime soon: even LockBit, thought to have been dismantled by law enforcement action, is said to be planning a comeback within weeks. Meanwhile, a new analysis has shed light on the ongoing danger posed by Play ransomware attacks. Here's the lowdown.

The Play Ransomware Menace

AhnLab's research team has analyzed the Play ransomware threat, first detected in 2022 and responsible for over 300 successful attacks globally. Named for the ".PLAY" extension it appends to encrypted files, the malware remains in active use and has reportedly been deployed by Andariel, a North Korean state-sponsored group operating under the Democratic People's Republic of Korea's Reconnaissance General Bureau.

Play actors gain initial access primarily through valid accounts or by exploiting vulnerabilities in internet-exposed services. Known exploited flaws include Microsoft Exchange Server's ProxyNotShell pair (CVE-2022-41040, CVE-2022-41082) and two Fortinet FortiOS SSL VPN vulnerabilities (CVE-2020-12812, an authentication bypass, and CVE-2018-13379, a path traversal that leaks credentials). Prompt patching of these vulnerabilities, and of the edge devices that carry them, is therefore critical.

Once inside, Play actors port-scan the network to map systems and services, then enumerate Active Directory to identify paths to privilege escalation. With administrative access in hand, they steal credentials, move laterally, and ultimately take control of the domain environment.

FBI-Endorsed Ransomware Attack Defenses—Play Included

The threats posed not only by Play (including its reported use by a state-sponsored actor) but also by ransomware-as-a-service operations and double-extortion techniques demand attention and action from organizations everywhere. The FBI has issued a cautionary alert and recommended countermeasures, including:

  1. Install Updates: Regularly update operating systems, software, and firmware as soon as updates are released.
  2. Enable Secure Authentication: Leverage phishing-resistant, non-SMS-based multi-factor authentication.
  3. Educate Userbase: Empower users to recognize and report phishing attempts.

Play ransomware evades detection by abusing legitimate tools such as Process Hacker. Because such dual-use utilities have ordinary administrative purposes, their mere presence is hard to classify as malicious; what separates abuse from normal use is context, such as which host ran the tool, what preceded it, and what followed. Ultimately, Play attacks aim to encrypt systems while exfiltrating data to bolster extortion demands via leak sites.
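The two passages above describe a chain that is easier to detect as a sequence than as individual events: a port sweep from one host, a dual-use tool such as Process Hacker launched on that host, and then a burst of files renamed to ".PLAY". The following is an added example, not AhnLab's or the FBI's code, that runs that correlation logic over constructed telemetry lines. The line format (timestamp, event type, key=value fields), the host names, the thresholds (20 distinct targets or 50 renames within 60 seconds), and the tool name list (including "systeminformer.exe", the name Process Hacker was later distributed under) are all assumptions to tune for a real EDR or SIEM feed.

```python
"""Correlate port sweeps, dual-use tool launches and .PLAY renames over sample logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the environment's baseline.
PORT_SCAN_WINDOW = timedelta(seconds=60)
PORT_SCAN_THRESHOLD = 20      # distinct (dst, port) pairs from one source
ENCRYPT_WINDOW = timedelta(seconds=60)
ENCRYPT_THRESHOLD = 50        # distinct files renamed to .PLAY on one host
DUAL_USE_TOOLS = {"processhacker.exe", "systeminformer.exe"}  # assumed list


def constructed_log_lines():
    """Constructed sample telemetry (not real data): benign noise plus a Play-like chain."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Benign: ws02 talks to SMB on the file server a few times.
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} netconn src=ws02 dst=fs01 dport=445")
    # Port sweep: ws01 touches 25 ports on dc01 within 25 seconds.
    for i, port in enumerate(range(20, 45)):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} netconn src=ws01 dst=dc01 dport={port}")
    # Dual-use tool launched on the same workstation.
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} process host=ws01 image=C:\\Tools\\ProcessHacker.exe")
    # Benign rename that must not count.
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} filerename host=fs01 path=D:\\share\\report.docx")
    # Encryption burst: 60 files renamed to .PLAY on fs01 within 30 seconds.
    for i in range(60):
        ts = (base + timedelta(minutes=7, seconds=i // 2)).isoformat()
        lines.append(f"{ts} filerename host=fs01 path=D:\\share\\doc{i}.xlsx.PLAY")
    return lines


def parse_line(line):
    """Parse 'ISO-timestamp type k=v k=v ...' into a dict (paths with spaces unsupported here)."""
    ts, etype, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "type": etype}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def has_burst(timed_items, window, threshold):
    """True if any time window of `window` length holds >= threshold distinct keys.

    timed_items: list of (timestamp, key). Sliding window over the sorted list.
    """
    items = sorted(timed_items, key=lambda x: x[0])
    counts = defaultdict(int)
    start = 0
    for end, (ts, key) in enumerate(items):
        counts[key] += 1
        while ts - items[start][0] > window:      # expire items older than the window
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        if len(counts) >= threshold:
            return True
    return False


def detect(lines):
    """Return (alert_type, host, detail) tuples for the three behaviours described in the text."""
    alerts = []
    scans = defaultdict(list)     # src -> [(ts, (dst, port))]
    renames = defaultdict(list)   # host -> [(ts, path)]
    for event in map(parse_line, lines):
        if event["type"] == "netconn":
            scans[event["src"]].append((event["ts"], (event["dst"], int(event["dport"]))))
        elif event["type"] == "process":
            image = event["image"].rsplit("\\", 1)[-1].lower()
            if image in DUAL_USE_TOOLS:
                alerts.append(("dual_use_tool", event["host"], image))
        elif event["type"] == "filerename" and event["path"].lower().endswith(".play"):
            renames[event["host"]].append((event["ts"], event["path"]))
    for src, items in scans.items():
        if has_burst(items, PORT_SCAN_WINDOW, PORT_SCAN_THRESHOLD):
            alerts.append(("port_scan", src, len({k for _, k in items})))
    for host, items in renames.items():
        if has_burst(items, ENCRYPT_WINDOW, ENCRYPT_THRESHOLD):
            alerts.append(("mass_play_rename", host, len(items)))
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log_lines()):
        print(alert)
```

The port-sweep and rename detectors share one sliding-window routine so that a single knob per behaviour (window, threshold) controls sensitivity; the dual-use tool check is deliberately a plain match, because on its own it is only an enrichment signal and should be escalated when it lands on the same host as a sweep or precedes a rename burst.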


Key Takeaways

  1. AhnLab's research team has published a comprehensive analysis of the Play ransomware threat, first detected in 2022 and responsible for hundreds of successful attacks globally.
  2. To counter ongoing Play ransomware attacks, the FBI recommends defenses including prompt patching of operating systems, software and firmware, and phishing-resistant multi-factor authentication.
  3. Play ransomware uses legitimate dual-use tools such as Process Hacker to evade detection, making it difficult to separate legitimate use from malicious use without surrounding context.
  4. Play actors gain initial access through valid accounts or by exploiting vulnerabilities in exposed services, such as Microsoft Exchange Server's ProxyNotShell flaws and Fortinet FortiOS SSL VPN flaws.
  5. The same threat is tracked under other names, notably Playcrypt (an alias for the ransomware itself) and Balloonfly (a vendor name for the group behind it), so reports under those labels concern the same activity.
