Play Ransomware Targets Victims Via MSPs’ RMM Software

The Play ransomware operators who took credit for the attack on the city of Oakland, California, in February are now targeting midsize enterprises through their managed service providers (MSPs).

According to researchers with Adlumin, the global campaign featuring the ransomware – also known as PlayCrypt – is targeting government agencies and organizations in such sectors as legal, finance, logistics, and software, primarily by abusing the remote monitoring and management (RMM) tools that MSPs use to access potential victims’ networks and systems.

They also use other attack vectors, including unpatched Fortinet firewalls that are still exposed to three- to five-year-old vulnerabilities tracked as CVE-2018-13379 and CVE-2020-12812.

Adlumin’s report about the Play attacks comes the same week the US Cybersecurity and Infrastructure Security Agency (CISA) and companies in the private sector unveiled a plan to better secure RMM software, a legitimate tool MSPs use to manage the IT infrastructure of their customers.

However, the same broad access that the software gives MSPs can also be exploited by threat actors if they can compromise the RMM tools. It’s a growing threat in the software supply chain: an attacker can breach one MSP and rapidly extend its reach downstream to that service provider’s myriad customers, bypassing many security defenses.

RMM is the ‘Central Nervous System’

“RMM software serves as the central nervous system of modern-day service providers,” Kevin O’Connor, director of threat research at Adlumin, wrote in a report. “It gives users unfettered, privileged access to networks so operators can deliver seamless support and IT operation functions to a distributed cohort of customers. But the PlayCrypt ransomware group can utilize the same remote access capability to wreak havoc on mid-market firms.”

The group, which Adlumin says hit the scene in June 2022, uses double-extortion techniques – stealing victims’ files as well as encrypting them, and threatening to publish the data if the ransom isn’t paid – and, according to O’Connor, has new tools and exploits that include ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution (RCE) exploit.

The ransomware is “strongly associated” with a malware group called Balloonfly, he wrote.

A company was attacked last month by a threat actor that got into the IT environment by using the Play ransomware and the RMM software of the victim’s MSP. O’Connor wrote that the attacker got in either through compromised remote desktop software credentials or by exploiting a vulnerability in the software itself.

The Attack Unfolds

Once in the network, the bad actors move quickly to establish a presence in the system, using a range of tools and exploits, including PowerShell scripts, Microsoft Server RCE, and batch files.

The attackers also go to great lengths to avoid detection and get around security tools. After getting root access through the exploits, they create administrator-privileged accounts that are used to disable protections, for example by using the Windows registry to shut down Windows Defender.

They also camouflage their presence by replicating the traffic patterns of legitimate users – making it difficult for security tools to differentiate the malicious activities from normal ones – and by deleting signs that they are in the system. In addition, they use tools like Mimikatz to grab usernames and passwords that are then used to escalate privileges, move laterally through the network, and exfiltrate data.

Intermittent Encryption

The researchers also found that the Play ransomware uses intermittent encryption, a technique that has emerged over the past couple of years and that some groups – including BlackCat, Black Basta, and LockFile – use to encrypt only parts of each file, either in fixed blocks or only at the beginning of the file.

The advantage is that the attacker can encrypt files more quickly and evade detection by security tools that use the amount of data being written to disk to identify ransomware, CyberArk researchers wrote in a report in May. Ransomware-as-a-service groups also use the ability to encrypt data more quickly as a selling point to convince affiliates to use their code instead of that of other RaaS providers.

However, intermittent encryption also leaves a portion of each file unencrypted, which at times makes it easier to recover data from the encrypted file. CyberArk researchers wrote a Python script they call White Phoenix to automate the data recovery process.

The Play group encrypts files in chunks of 0x100000 bytes, according to Adlumin.
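The following added example is not from the article, Adlumin, or CyberArk; it shows how a defender or recovery tool can scan a file chunk by chunk for the high-entropy/low-entropy pattern that partial encryption leaves behind, with Play’s 0x100000-byte chunk size as the default. The alternating encrypted/plaintext layout of the constructed sample, the 7.5-bit entropy threshold, and the small chunk size used in the demo (so it runs instantly) are assumptions.

```python
import math
import random
from collections import Counter

# Chunk size reported by Adlumin for Play; a real scan would use this value.
PLAY_CHUNK = 0x100000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_chunks(data: bytes, chunk_size: int = PLAY_CHUNK,
                    threshold: float = 7.5):
    """Return (offset, length, entropy, looks_encrypted) for each chunk.

    The threshold is an assumption: ciphertext is close to 8 bits/byte,
    while documents, logs and most plaintext fall well below it.
    """
    result = []
    for off in range(0, len(data), chunk_size):
        block = data[off:off + chunk_size]
        h = shannon_entropy(block)
        result.append((off, len(block), h, h >= threshold))
    return result


def looks_intermittently_encrypted(chunks) -> bool:
    """True when a file mixes encrypted and plaintext chunks (partial encryption)."""
    flags = [c[3] for c in chunks]
    return len(flags) >= 2 and any(flags) and not all(flags)


def plaintext_ranges(chunks):
    """Byte ranges that survived unencrypted and are candidates for recovery."""
    return [(off, off + ln) for off, ln, _, enc in chunks if not enc]


def build_sample(chunk_size: int = 4096) -> bytes:
    """Constructed sample: pseudo-random bytes stand in for encrypted chunks,
    repeated text stands in for untouched plaintext; layout is assumed."""
    rng = random.Random(1)
    cipher = rng.randbytes(chunk_size)
    text = (b"Quarterly invoice summary for customer 0042.\n" * 200)[:chunk_size]
    return cipher + text + rng.randbytes(chunk_size) + text


if __name__ == "__main__":
    chunks = classify_chunks(build_sample(), chunk_size=4096)
    for off, ln, h, enc in chunks:
        print(f"offset {off:#08x} len {ln} entropy {h:.2f} encrypted={enc}")
    print("intermittent:", looks_intermittently_encrypted(chunks))
    print("recoverable:", plaintext_ranges(chunks))
```

For a real scan, call `classify_chunks(data)` with the default 0x100000-byte chunk size; the plaintext ranges returned are where a recovery tool such as White Phoenix would look for intact content.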

The campaign has a long reach, targeting a broad array of organizations – including private companies and state, local, and tribal entities – in the United States, the UK, Australia, and Italy, O’Connor wrote.


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
