Response to CISA Advisory (AA23-352A): #StopRansomware: Play Ransomware

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA23-352A) which disseminates Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the Play Ransomware group, identified through FBI investigations as recently as October 2023.

On December 18, 2023, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA) to disseminate Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the Play Ransomware group, identified through FBI investigations as recently as October 2023.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

Play, also known as Playcrypt, is a ransomware that has targeted a wide range of businesses and critical infrastructure in North America, South America, and Europe since its discovery in June 2022.

Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.

AttackIQ has released a new attack graph that emulates the behaviors exhibited by the Play ransomware group with the aim of helping customers validate their security controls and their ability to defend against this recent threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors observed during multiple activities carried out by the Play ransomware group.
  • Assess their security posture against an opportunistic adversary, which does not discriminate when it comes to selecting its targets.
  • Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.

[CISA AA23-352A] #StopRansomware: Play Ransomware

AA23-352A Attack Graph - Full

This attack graph emulates the different Tactics, Techniques, and Procedures (TTPs) observed in multiple activities associated with Play ransomware.

This emulation is based on the Cybersecurity Advisory (CSA) released by CISA and supported by a report published by Trend Micro on July 21, 2023.

AA23-352A Attack Graph - Stage 1

This emulation begins by downloading and saving the reconnaissance tool employed by the attacker, which is executed by injecting code into an active process or by executing a service. Once execution is achieved, the tool acquires persistence through the creation of a scheduled task.

Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and saves it to disk in independent scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.

System Services: Service Execution (T1569.002): This scenario creates and runs a new service using the Windows sc utility in order to execute a binary.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task named WindowsDefenderService using the schtasks utility.

AA23-352A Attack Graph - Stage 2

This stage focuses on the discovery of information related to the local environment and the network that the compromised system is part of. During these activities, the adversary obtains information about the compromised system, its users, active processes and services, available controllers, available network connections and information related to the associated domain controller.

System Information Discovery (T1082): This scenario queries the HKCU\Software\Microsoft\Windows\CurrentVersion registry key which contains information about the Windows system properties.

System Owner / User Discovery (T1033): This scenario lives off the land by running whoami and users to gain details about the currently available accounts and permission groups.

Process Discovery (T1057): The Windows built-in tasklist command is executed as a command process and the results are saved to a file in a temporary location.

System Service Discovery (T1007): Microsoft’s native sc utility is executed to query a list of all running services.

Query Registry (T1012): This scenario queries the MachineGuid value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key which contains the unique identifier of the system.

System Network Configuration Discovery (T1016): Native Windows commands such as route, ipconfig, and net use are executed to collect details about the infected host and network shares.

Remote System Discovery (T1018): This scenario executes the nltest command to gather a list of domain controllers associated with a domain.

Domain Trust Discovery (T1482): This scenario calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains associated with this host.

Remote System Discovery (T1018): This scenario searches for other domain computers using the net group command. If the activity is prevented, downloading and leveraging the Adfind utility is attempted.

AA23-352A Attack Graph - Stage 3

This stage begins with the evasion of Windows Defender through the use of the registry to disable security features, such as the associated service and real-time monitoring.

After this, the emulation will deploy a sample of Mimikatz, which is followed by retrieving system credentials using an obfuscated version of the same.

Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses PowerShell to set the DisableRealtimeMonitoring and DisableBehaviorMonitoring registry values, which prevents Microsoft Defender from running after the next reboot.

Service Stop (T1489): The Windows Defender service is stopped by modifying the Start value within the HKLM\System\ControlSet001\Services\WinDefend registry key.

OS Credential Dumping (T1003): This scenario uses an obfuscated version of Mimikatz to dump credentials on Windows hosts.

AA23-352A Attack Graph - Stage 4

At this stage, the attacker will seek to deploy a variant of Cobalt Strike Beacon in order to establish communications between the compromised system and its infrastructure. In case of failure, the attacker will resort to deploying SystemBC, also known as Coroxy.

Finally, using the credentials acquired in the previous stage, the attacker will attempt to move laterally to additional systems available on the network.

Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.

In the last stage, the attacker will aim to delete the Windows Event log using wevtutil.exe.

Once this is accomplished, Play Ransomware will be deployed. It then tampers with the Volume Shadow Copies (VSC) using vssadmin.exe before collecting and encrypting the compromised system’s files.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

Inhibit System Recovery (T1490): Runs vssadmin.exe to delete a recent Volume Shadow Copy created by the attack graph.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed in Play ransomware.

AA23-352A Attack Graph - Stage 5

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations and adapting them to your environment first, in order to determine whether you are already affected, before reviewing the assessment results.

2. Process Injection (T1055):

Malware will commonly inject malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

2a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.

2b. Mitigation

MITRE ATT&CK provides the following mitigation recommendations for Process Injection:

3. Scheduled Task/Job: Scheduled Task (T1053.005)

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

3a. Detection

With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:

Process Name = (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task:

4. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

4a. Detection

Deletion of Volume Shadow Copies is usually the first impact step to occur, and it can be detected by looking at command line activity:

Process Name = (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“vssadmin” AND “Delete Shadows”)
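
As an added illustration, not part of the AttackIQ scenarios or the CISA advisory, the following Python transcribes both the 3a scheduled-task query and the 4a shadow-copy query above into one small matcher and runs it over constructed process-creation records; the event fields, rule names and sample command lines are assumptions made for this example, and tokens are matched case-insensitively with whitespace collapsed so that spacing variations do not slip past the rule.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (e.g. Sysmon Event ID 1 or EDR telemetry)."""
    process_name: str
    command_line: str

# The two command-line rules from sections 3a and 4a, written as data so both
# are matched the same way. Tokens are compared case-insensitively.
RULES = {
    "T1053.005 schtasks /CREATE": {
        "process": {"cmd.exe", "powershell.exe"},
        "all_of": ("schtasks", "/create"),
        "any_of": ("cmd", "powershell"),
    },
    "T1490 vssadmin Delete Shadows": {
        "process": {"cmd.exe", "powershell.exe"},
        "all_of": ("vssadmin", "delete shadows"),
        "any_of": (),
    },
}

def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so 'Delete   Shadows' still matches."""
    return re.sub(r"\s+", " ", text).strip().lower()

def matches(rule: dict, event: ProcessEvent) -> bool:
    if normalize(event.process_name) not in rule["process"]:
        return False
    cmd = normalize(event.command_line)
    if not all(tok in cmd for tok in rule["all_of"]):
        return False
    return not rule["any_of"] or any(tok in cmd for tok in rule["any_of"])

def evaluate(events: list[ProcessEvent]) -> list[tuple[str, int]]:
    """Return (rule name, event index) for every rule each event triggers."""
    return [(name, i) for i, e in enumerate(events)
            for name, rule in RULES.items() if matches(rule, e)]

# Constructed sample telemetry for the example, not real logs.
SAMPLE_EVENTS = [
    ProcessEvent("cmd.exe", 'schtasks /CREATE /SC ONLOGON /TN WindowsDefenderService '
                            '/TR "cmd.exe /c C:\\Users\\Public\\placeholder.exe"'),
    ProcessEvent("Powershell.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent("cmd.exe", "schtasks /QUERY /TN Backup"),         # benign query: no hit
    ProcessEvent("cmd.exe", "vssadmin  Delete   Shadows /For=C:"), # odd spacing: still a hit
    ProcessEvent("svchost.exe", "vssadmin Delete Shadows /All"),   # missed: rule covers cmd/powershell only
]
```

The last sample shows the limit of the query as written: a parent other than cmd.exe or powershell.exe is not covered, so pairing it with a rule on the vssadmin.exe image itself closes that gap.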

4b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery:

Wrap-up

In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by the Play ransomware group. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.