September 22, 2023

Researchers have spotted a threat actor using PlayCrypt ransomware abusing the Remote Monitoring and Management (RMM) software used by service providers to gain direct access to a customer’s environment, bypassing most of its defenses.

The PlayCrypt ransomware group, first spotted in June last year and believed to be affiliated with the Balloonfly malware group, can use this remote access capability to wreak havoc on mid-market firms. It employs double-extortion tactics, stealing victim data before encrypting the network.

PlayCrypt has expanded its toolkit with new tools and exploits such as ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution exploit. The group usually uses RDP as its network infiltration vector, but it can also exploit FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812) and other compromised software in the supply chain.


In the recent incident involving PlayCrypt ransomware, researchers believe there were at least two potential methods of intrusion. The first possibility is that the attackers gained access through compromised remote desktop software credentials. The second is that they exploited a vulnerability in the software itself.

Once inside the network, the attackers move quickly to deploy further tooling to gain a solid foothold on the system, including PowerShell scripts, a Microsoft Server remote code execution exploit, and batch files.

Defense Evasion

After gaining root access, threat actors begin creating admin-privileged accounts that can be used to disable security tools. Adversaries can also mimic the traffic patterns of legitimate users, making it harder for network security tools to distinguish malicious activity from normal activity. During the defense evasion stage, threat actors can also delete signs of their presence in the system to throw off cybersecurity teams.


Credential Access

To evade detection, threat actors rely on tools such as Mimikatz to extract credentials. These compromised usernames and passwords are then used to escalate privileges, move laterally across the network, and exfiltrate data.

Overcoming the Attack

The researchers successfully detected and stopped the malicious activity in the PlayCrypt incident. The detections and the automated SOAR actions immediately notified the MDR team, which began further investigation and took additional mitigation actions. Command-and-control (C2) activity was also detected.

This allowed an analyst to gather information on the attacker’s location through IP address geolocation. Finally, analysts found that the attacker(s) had also deleted volume shadow copies to prevent the customer from restoring from backups.

The ransomware group is the first to employ intermittent encryption, a technique that encrypts only parts of each file, in chunks of 0x100000 bytes, to evade detection. Once in a network, the threat actors use living-off-the-land binaries (“lolbins”) in their attacks. They distribute executables through Group Policy Objects and run them using scheduled tasks, PsExec, or WMIC. Upon achieving full network access, they encrypt files, appending the “.play” extension.
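As an added defender-side illustration (this is not code from the article or from Adlumin), the following Python computes Shannon entropy per 0x100000-byte block, the chunk size reported above, to show why a whole-file entropy check misses an intermittently encrypted file while a per-chunk check flags it. The sample file and the entropy thresholds are constructed assumptions.

```python
import math
import os
from collections import Counter

# Chunk size the article reports for PlayCrypt's intermittent encryption (1 MiB).
CHUNK = 0x100000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk-sized slice of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, high: float = 7.5, low: float = 6.0) -> str:
    """'encrypted' if every chunk is high-entropy, 'intermittent' if high- and
    low-entropy chunks are mixed (the pattern a whole-file average hides),
    otherwise 'plain'. The thresholds are assumed values, not from the article."""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return "plain"
    high_flags = [e >= high for e in ents]
    if all(high_flags):
        return "encrypted"
    if any(high_flags) and any(e <= low for e in ents):
        return "intermittent"
    return "plain"


def build_sample(chunks: int = 4, chunk: int = CHUNK) -> bytes:
    """Constructed sample: low-entropy text with every even-numbered chunk replaced
    by random bytes, standing in for a file whose alternate chunks were encrypted."""
    text = (b"The quick brown fox jumps over the lazy dog\n" * (chunk // 44 + 1))[:chunk]
    return b"".join(os.urandom(chunk) if i % 2 == 0 else text for i in range(chunks))


if __name__ == "__main__":
    sample = build_sample()
    # Whole-file entropy lands near 7.0, under the 7.5 "encrypted" threshold used here.
    print("whole-file entropy: %.2f" % shannon_entropy(sample))
    print("per-chunk entropy:", ["%.2f" % e for e in chunk_entropies(sample)])
    print("verdict:", classify(sample))
```

Compressed archives that contain uncompressed sections will also trip the per-chunk rule, so treat the result as a triage signal to combine with file-type and extension checks rather than a verdict on its own.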

This research was documented by researchers from Adlumin.

Indicators of Compromise
