
G1040 Play

Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group. [1][2]

Item Value
ID G1040
Associated Names
Version 1.0
Created 24 September 2024
Last Modified 02 October 2024

Techniques Used

Domain | ID | Name | Use
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | Play has used WinRAR to compress files prior to exfiltration. [1][2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender. [2]
enterprise | T1059.003 | Windows Command Shell | Play has used a batch script to remove indicators of its presence on compromised hosts. [2]
enterprise | T1030 | Data Transfer Size Limits | Play has split victims' files into chunks for exfiltration. [1][2]
enterprise | T1587 | Develop Capabilities | -
enterprise | T1587.001 | Malware | Play developed and employs Playcrypt ransomware. [2][1]
enterprise | T1048 | Exfiltration Over Alternative Protocol | Play has used WinSCP to exfiltrate data to actor-controlled accounts. [1][2]
enterprise | T1190 | Exploit Public-Facing Application | Play has exploited known vulnerabilities for initial access, including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange. [1][2]
enterprise | T1133 | External Remote Services | Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access. [1][2]
enterprise | T1083 | File and Directory Discovery | Play has used the Grixba information stealer to list security files and processes. [2]
enterprise | T1657 | Financial Theft | Play demands ransom payments from victims to decrypt filesystems and to not publish sensitive data exfiltrated from victim networks. [1]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software. [1][2]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.001 | Clear Windows Event Logs | Play has used tools to remove log files on targeted systems. [1][2]
enterprise | T1070.004 | File Deletion | Play has used tools including Wevtutil to remove malicious files from compromised hosts. [2]
enterprise | T1105 | Ingress Tool Transfer | Play has used Cobalt Strike to download files to compromised machines. [2]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.010 | Command Obfuscation | Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts. [2]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | Play has used multiple tools for discovery and defense evasion purposes on compromised hosts. [1]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | Play has used Mimikatz and the Windows Task Manager to dump LSASS process memory. [2]
enterprise | T1057 | Process Discovery | Play has used the information stealer Grixba to check for a list of security processes. [2]
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | Play has used Cobalt Strike to move laterally via SMB. [2]
enterprise | T1018 | Remote System Discovery | Play has used tools such as AdFind, Nltest, and BloodHound to enumerate shares and hostnames on compromised networks. [2]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | Play has used the information-stealing tool Grixba to scan for anti-virus software. [1]
enterprise | T1082 | System Information Discovery | Play has leveraged tools to enumerate system information. [2]
enterprise | T1016 | System Network Configuration Discovery | Play has used the information-stealing tool Grixba to enumerate network information. [1]
enterprise | T1078 | Valid Accounts | Play has used valid VPN accounts to achieve initial access. [1]
enterprise | T1078.002 | Domain Accounts | Play has used valid domain accounts for access. [2]
enterprise | T1078.003 | Local Accounts | Play has used valid local accounts to gain initial access. [2]

Software

ID | Name | References | Techniques
S0552 | AdFind | [1][2] | Domain Account: Account Discovery, Domain Trust Discovery, Domain Groups: Permission Groups Discovery, Remote System Discovery, System Network Configuration Discovery
S0521 | BloodHound | [2] | Domain Account: Account Discovery, Local Account: Account Discovery, Archive Collected Data, PowerShell: Command and Scripting Interpreter, Domain Trust Discovery, Group Policy Discovery, Native API, Domain Groups: Permission Groups Discovery, Local Groups: Permission Groups Discovery, Remote System Discovery, System Owner/User Discovery
S0154 | Cobalt Strike | [2] | Sudo and Sudo Caching: Abuse Elevation Control Mechanism, Bypass User Account Control: Abuse Elevation Control Mechanism, Parent PID Spoofing: Access Token Manipulation, Token Impersonation/Theft: Access Token Manipulation, Make and Impersonate Token: Access Token Manipulation, Domain Account: Account Discovery, DNS: Application Layer Protocol, Web Protocols: Application Layer Protocol, File Transfer Protocols: Application Layer Protocol, BITS Jobs, Browser Session Hijacking, JavaScript: Command and Scripting Interpreter, Visual Basic: Command and Scripting Interpreter, PowerShell: Command and Scripting Interpreter, Python: Command and Scripting Interpreter, Windows Command Shell: Command and Scripting Interpreter, Windows Service: Create or Modify System Process, Standard Encoding: Data Encoding, Data from Local System, Protocol or Service Impersonation: Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Asymmetric Cryptography: Encrypted Channel, Symmetric Cryptography: Encrypted Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Process Argument Spoofing: Hide Artifacts, Disable or Modify Tools: Impair Defenses, Timestomp: Indicator Removal, Ingress Tool Transfer, Keylogging: Input Capture, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Indicator Removal from Tools: Obfuscated Files or Information, Obfuscated Files or Information, Office Template Macros: Office Application Startup, LSASS Memory: OS Credential Dumping, Security Account Manager: OS Credential Dumping, Domain Groups: Permission Groups Discovery, Local Groups: Permission Groups Discovery, Process Discovery, Dynamic-link Library Injection: Process Injection, Process Hollowing: Process Injection, Process Injection, Protocol Tunneling, Domain Fronting: Proxy, Internal Proxy: Proxy, Query Registry, Reflective Code Loading, Remote Desktop Protocol: Remote Services, SSH: Remote Services, Windows Remote Management: Remote Services, SMB/Windows Admin Shares: Remote Services, Distributed Component Object Model: Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Code Signing: Subvert Trust Controls, Rundll32: System Binary Proxy Execution, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Service Execution: System Services, Pass the Hash: Use Alternate Authentication Material, Domain Accounts: Valid Accounts, Local Accounts: Valid Accounts, Windows Management Instrumentation
S0363 | Empire | [2] | Bypass User Account Control: Abuse Elevation Control Mechanism, SID-History Injection: Access Token Manipulation, Access Token Manipulation, Create Process with Token: Access Token Manipulation, Domain Account: Account Discovery, Local Account: Account Discovery, LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle, Web Protocols: Application Layer Protocol, Archive Collected Data, Automated Collection, Automated Exfiltration, Security Support Provider: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Shortcut Modification: Boot or Logon Autostart Execution, Browser Information Discovery, Clipboard Data, PowerShell: Command and Scripting Interpreter, Windows Command Shell: Command and Scripting Interpreter, Command and Scripting Interpreter, Local Account: Create Account, Domain Account: Create Account, Windows Service: Create or Modify System Process, Keychain: Credentials from Password Stores, Credentials from Web Browsers: Credentials from Password Stores, Group Policy Modification: Domain or Tenant Policy Modification, Domain Trust Discovery, Local Email Collection: Email Collection, Asymmetric Cryptography: Encrypted Channel, Accessibility Features: Event Triggered Execution, Exfiltration Over C2 Channel, Exfiltration to Code Repository: Exfiltration Over Web Service, Exfiltration to Cloud Storage: Exfiltration Over Web Service, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Path Interception by Unquoted Path: Hijack Execution Flow, Path Interception by Search Order Hijacking: Hijack Execution Flow, Path Interception by PATH Environment Variable: Hijack Execution Flow, Dylib Hijacking: Hijack Execution Flow, DLL: Hijack Execution Flow, Timestomp: Indicator Removal, Ingress Tool Transfer, Keylogging: Input Capture, Credential API Hooking: Input Capture, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Command Obfuscation: Obfuscated Files or Information, LSASS Memory: OS Credential Dumping, Process Discovery, Process Injection, Distributed Component Object Model: Remote Services, SSH: Remote Services, Scheduled Task: Scheduled Task/Job, Screen Capture, Security Software Discovery: Software Discovery, Kerberoasting: Steal or Forge Kerberos Tickets, Golden Ticket: Steal or Forge Kerberos Tickets, Silver Ticket: Steal or Forge Kerberos Tickets, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Service Execution: System Services, MSBuild: Trusted Developer Utilities Proxy Execution, Credentials In Files: Unsecured Credentials, Private Keys: Unsecured Credentials, Pass the Hash: Use Alternate Authentication Material, Video Capture, Bidirectional Communication: Web Service, Windows Management Instrumentation
S0002 | Mimikatz | [2] | SID-History Injection: Access Token Manipulation, Account Manipulation, Security Support Provider: Boot or Logon Autostart Execution, Credentials from Password Stores, Credentials from Web Browsers: Credentials from Password Stores, Windows Credential Manager: Credentials from Password Stores, DCSync: OS Credential Dumping, Security Account Manager: OS Credential Dumping, LSASS Memory: OS Credential Dumping, LSA Secrets: OS Credential Dumping, Rogue Domain Controller, Steal or Forge Authentication Certificates, Golden Ticket: Steal or Forge Kerberos Tickets, Silver Ticket: Steal or Forge Kerberos Tickets, Private Keys: Unsecured Credentials, Pass the Hash: Use Alternate Authentication Material, Pass the Ticket: Use Alternate Authentication Material
S0359 | Nltest | [2] | Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S1162 | Playcrypt | [1][2] | Data Encrypted for Impact, File and Directory Discovery, Inhibit System Recovery
S0029 | PsExec | [1] | Domain Account: Create Account, Windows Service: Create or Modify System Process, Lateral Tool Transfer, SMB/Windows Admin Shares: Remote Services, Service Execution: System Services
S0645 | Wevtutil | [2] | Data from Local System, Disable Windows Event Logging: Impair Defenses, Clear Windows Event Logs: Indicator Removal

References