‘Play’ Ransomware Group Targeting MSPs Worldwide in New Campaign
The fast-rising Play ransomware group that targeted the City of Oakland earlier this year is now hitting managed service providers (MSPs) around the globe in a cyberattack campaign to distribute ransomware to their downstream customers.
One troublesome aspect of the campaign is the threat actor’s use of intermittent encryption — where only parts of a file are encrypted — to try to evade detection.
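Intermittent encryption defeats detectors that expect a ransomed file to be uniformly high-entropy from start to finish. The following added example (not from the article or from Adlumin’s report) shows a defender-side heuristic: split a file into fixed-size chunks, compute the Shannon entropy of each, and flag files that alternate between near-random and plainly structured chunks. The sample data is constructed inline; the “encrypted” segments are simply random bytes standing in for ciphertext (no encryption is performed), and the chunk size and entropy thresholds are assumptions you would tune against your own file population.

```python
import math
import random
from collections import Counter

# Assumed tuning values (not from the article): 4 KiB chunks, and
# thresholds in bits per byte. Random/encrypted data sits near 8.0;
# text, source code and most office formats sit well below 6.0.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5
LOW_ENTROPY = 6.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each consecutive chunk_size slice of the file."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def analyze(data: bytes) -> dict:
    """Classify a file by the distribution of per-chunk entropy.

    A whole-file entropy check misses intermittent encryption: eight random
    chunks mixed with eight text chunks average out to an unremarkable value.
    Looking at chunks individually, and at how often the file flips between
    high- and low-entropy regions, recovers the signal.
    """
    ents = chunk_entropies(data)
    states = ["H" if e >= HIGH_ENTROPY else "L" if e <= LOW_ENTROPY else "M"
              for e in ents]
    high = states.count("H")
    low = states.count("L")
    # Count boundaries where the chunk class changes. Requiring at least two
    # boundaries avoids flagging a text file with a single appended compressed
    # blob, while still catching an alternating pattern.
    transitions = sum(1 for a, b in zip(states, states[1:]) if a != b)

    if not ents:
        verdict = "empty"
    elif high == len(ents):
        verdict = "fully-high-entropy"   # classic full-file encryption or compression
    elif high and low and transitions >= 2:
        verdict = "intermittent"         # suspicious: plaintext interleaved with random data
    else:
        verdict = "normal"
    return {"chunks": len(ents), "high_chunks": high, "low_chunks": low,
            "transitions": transitions, "verdict": verdict}


# --- Constructed sample data (not real victim files) ---------------------------
_LINE = (b"Invoice 2023-07: quarterly MSP service fees, remote monitoring, "
         b"patch management and backup review. Net 30 days.\n")
_TOTAL = CHUNK_SIZE * 16
PLAINTEXT = (_LINE * (_TOTAL // len(_LINE) + 1))[:_TOTAL]
_RNG = random.Random(1234)          # fixed seed so the sample is reproducible
FULLY_RANDOM = _RNG.randbytes(_TOTAL)


def make_partial(plaintext: bytes, rng: random.Random, every: int = 2) -> bytes:
    """Overwrite every n-th chunk with random bytes to mimic the *shape* of an
    intermittently encrypted file. This is a constructed stand-in for
    ciphertext; nothing is encrypted here."""
    out = bytearray(plaintext)
    for i in range(0, len(out), CHUNK_SIZE):
        if (i // CHUNK_SIZE) % every == 0:
            out[i:i + CHUNK_SIZE] = rng.randbytes(CHUNK_SIZE)
    return bytes(out)


PARTIAL = make_partial(PLAINTEXT, _RNG)

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT),
                       ("fully random", FULLY_RANDOM),
                       ("intermittent", PARTIAL)):
        print(f"{name:13s} {analyze(blob)}")
```

The heuristic is a triage signal, not a verdict: formats such as PDFs that interleave text streams with compressed images will also show mixed entropy, so in practice it should be combined with file-type awareness, a baseline of what the file looked like before, and the process lineage of whatever wrote it.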
Wide Range of Victims
Play’s targets appear to be midsized businesses in the finance, legal, software, shipping, law enforcement, and logistics sectors in the US, Australia, UK, Italy, and other countries, Adlumin said in a report this week. Researchers at Adlumin, who are tracking the campaign as PlayCrypt, say the attacker is also targeting state, local, and tribal entities in these countries.
As with other attacks involving MSPs, the Play or PlayCrypt group breaks into MSP systems and uses their remote monitoring and management (RMM) tools to get unfettered access to the networks and systems of the MSPs’ customers. It is a tactic that other threat actors have used with substantial impact. The most notable example remains the REvil ransomware group’s attack on multiple MSPs via vulnerabilities in Kaseya’s Virtual System Administrator (VSA) network monitoring tool. That attack resulted in the encryption of data on the systems of more than 1,000 customers of those MSPs.
Kevin O’Connor, director of threat research at Adlumin, says his company’s research shows the threat actors gain access to privileged management systems and RMM tools via a phishing campaign that targets employees at MSPs. “[This] leads to compromise of their systems and access either through direct exploitation or credential harvesting and reuse,” he says.
Many Exploits, Including via Microsoft Exchange
Once the Play actors gain access to a customer environment — via the victim’s MSP — they move quickly to deploy additional exploits and broaden their foothold, Adlumin said in a report this week. In some cases, they have exploited vulnerabilities in Microsoft Exchange Server. Examples include CVE-2022-41040, a privilege escalation bug that attackers were exploiting before Microsoft had a fix for it and