CISA & FBI Issues Alert on Play Ransomware’s Growing Threat

Photo of author

By Muhammad Hussain

CISA, which is Cyber Security and Infrastructure Security Agency, FBI, known as the Federal Bureau of Investigation, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) gave a joint warning to scatter TTPs and IOCs found as of late as October 2023 by the Play ransomware bunch.

A new joint cyber security advisory from Australia and the United States estimates that the Play ransomware’s threat actors have affected approximately 300 organizations as of October 2023.

“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” authorities said

It’s noteworthy that ransomware assaults are progressively taking advantage of vulnerabilities instead of utilizing phishing emails as initial infection vectors, hopping from almost zero in the latter half of 2022 to close to a third in the initial half of 2023, per information from Corvus.

Network safety firm Adlumin, in a report distributed last month, uncovered that Play has evolved into a ransomware-as-a-service (RaaS) operation, as it is now being offered to other threat actors “as a service.”

Ransomware assaults coordinated by the group are portrayed by the utilization of public devices like AdFind (to run Dynamic Registry questions), Grixba (to specify network data and for gathering data about reinforcement programming), and IOBit, PowerTool, and GMER  (to impair antivirus programming). 

The danger actors have likewise been seen to complete sidelong development and information exfiltration and encryption steps, banking on SystemBC, Mimikatz, and Cobalt Strike for post-abuse.

“The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data,” the agencies said. “Ransom notes do not include an initial ransom demand or payment instructions; victims are instructed to contact the threat actors via email.”

According to Malwarebytes statistics, Play is said to have asserted almost 40 casualties in November 2023 alone, essentially dragging along its friends BlackCat and LockBit (otherwise known as Noberus and ALPHV ).

The alert was issued just days after U.S. government agencies released an updated bulletin regarding the Karakurt group. This group is recognized for avoiding encryption-based attacks. Instead, it focuses on pure extortion once it gains initial access to networks, typically through methods such as purchasing stolen login credentials, utilizing intrusion brokers (also known as initial access brokers), engaging in phishing, and exploiting known security flaws.

“Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the government said.

The improvements likewise come amid hypotheses that the BlackCat ransomware may have been an objective of policing after its dark web leak gateways went disconnected for five days. However, the outage was attributed to a hardware malfunction by the e-crime group.

“These cooperative ransom campaigns are rare but are possibly becoming more common due to the involvement of initial access brokers (IABs) collaborating with multiple groups on the dark web,” Resecurity said in a report published last week.

“Another factor that may be leading to greater collaboration is law enforcement interventions that create cybercriminal diaspora networks. Displaced participants of these threat actor networks may be more willing to collaborate with rivals.”


  • Consistently fix and update programming to their most recent versions and lead ordinary vulnerability evaluations.
  • Focus on known exploited vulnerabilities improvement.
  • Empower MFA (multi-factor authentication) for all administrations to the degree conceivable, especially for VPN, webmail, and accounts having access to basic frameworks.

To alleviate the chance and impact of ransomware flare-ups, organizations are energized by the CISA, FBI, or ASD’s ACSC to execute the proposals given in the Mitigations.

For more cyber security-related news, visit Daily Digital Grind!

Leave a Comment