Play Ransomware Goes Commercial

12304219682?profile=RESIZE_400xThe ransomware strain known as Play is now being offered to other threat actors "as a service."  The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the Ransomware-as-a-Service (RaaS) and are following step-by-step instructions from playbooks delivered with it.

Cybercriminals are increasingly finding it just as lucrative to hire their toolkits out to other crooks so they can launch attacks of their own.  Investigators have found that Play’s fees ranged from $200 for simple “set-up assistance” to fully outfitted toolkits “ready for deployment” in excess of $1,000.

The findings are based on Play ransomware attacks tracked by researchers spanning different sectors that incorporated almost identical tactics and in the same sequence.  This includes the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts, and both attacks, and the same commands.[1]

Play, also called Balloonfly and PlayCrypt, was first reported in June 2022, leveraging security flaws in Microsoft Exchange Server i.e., ProxyNotShell and OWASSRF to infiltrate networks and drop remote administration tools like AnyDesk and ultimately deploy the ransomware.  Besides using custom data gathering tools like Grixba for double extortion, a notable aspect that set Play apart from other ransomware groups was the fact that the operators in charge of developing the malware also carried out the attacks.

Based on recent attacks small and mid-sized organizations are being targeted and are especially at risk.  However, some ransomware delivered as a service can often be easier to detect because of the common methods used to deploy it and cyber threat professional share their knowledge of it to group members.

The new development, therefore, marks a shift and completes its transformation into a RaaS operation, making it a lucrative option for cybercriminals.  When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use.  Businesses and authorities should take note and prepare for a growing wave of incidents thanks to the ease of unsophisticated hackers buying new attack software.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or   

Weekly Cyber Intelligence Briefings:




Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!