I came across what appears to be a new ransomware variant last month during an IR engagement (June 2022). While I’m unable to determine attribution or affiliation at this time, my hope that sharing TTP and IOC related to .PLAY ransomware will help map information around this new variant by other responders and threat researchers.
At the time of this post, the only public information I was able to come across related to .PLAY ransomware was a post on bleepingcomputer.com: Play Ransomware (.play) Support Topic – Ransomware Help & Tech Support (bleepingcomputer.com). The incident I responded to was a few days after this post was made. In my incident, no communication was made with the threat actors and ransom amounts are unknown.
.PLAY Ransomware Summary
Threat actors exploited the well documented Fortigate firewall vulnerabilities to gain initial access over the Fortigate SSL-VPN. After gaining initial access threat actors achieved privilege escalation and ransomware deployment in less than 24 hours.
TTPs and IOCs
- C:\PerfLog directory was used as their staging directory for malicious tools
- Rubeus activity was observed, likely for priv esc. GhostPack/Rubeus (github.com)
- No C2 traffic or tooling was detected. All actions were carried out over the VPN and through RDP.
- Ransomware execution was carried out through scheduled tasks as well as direct command line execution.
- Ransomware Hashes
- Filenames ppp.exe and zxc.exe
- SHA256: dd101db5d9503f33a0c23d79da3642e999375748f7c1532e98c813b114bdfa1a
- Initial Access IPs
- 139.177.192[.]90
- 84.32.190[.]6
- Ransom Note ReadMe.txt
- gmx.de email address and the word “PLAY”. Note, the email in this incident was not the same as the bleeping computer post, but both used the gmx.de domain.
Feel free to reach out to me on twitter (@nate2x4) if you come across any more information about this ransomware.