The Tactics of Play Ransomware Group: A Threat to IT Security
Ransomware Attack on Advanced Business Networks by Play Group
Company Profile
Advanced Business Networks (ABN), based in Illinois, USA, is a prominent IT consulting firm that provides comprehensive IT services to small and mid-sized organizations across the Chicago area. With a team of 10 consultants, engineers, and technicians, ABN boasts over 100 combined years of IT experience. The company is known for its strategic partnerships with major IT corporations such as Microsoft, Intel, and Hewlett Packard, which give it early access to new products and advanced technical support.
ABN's services range from concept development through implementation to ongoing management and support, with a strong emphasis on security and managed services designed to protect and manage IT infrastructures.
Details of the Ransomware Attack
The ransomware group known as Play, which is linked to the Babuk code and primarily targets Linux systems, has claimed responsibility for the attack on ABN. The attack resulted in the compromise of sensitive data, including client documents, payroll records, accounting data, and personal employee information.
Operational Tactics of Play Ransomware Group
Play ransomware, operated by Ransom House, has evolved from merely stealing data to deploying encryption lockers specifically designed for Linux systems. The group encrypts victim data and demands a ransom, and typically leaves a ransom note titled "How To Restore Your Files.txt" with detailed instructions for victims on how to proceed.
The group's method of operation includes the use of tools such as AnyDesk, NetCat, and encoded PowerShell Empire scripts; samples of these are often submitted to VirusTotal, which gives insight into the group's initial access and persistence mechanisms.
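The indicators named above (the ransom note title, AnyDesk and NetCat executions, and encoded PowerShell) are the kind of thing a defender would hunt for in endpoint telemetry. The script below is an added example written for this page, not Halcyon's code or tooling. It assumes a simple constructed telemetry format of "timestamp|host|event|detail" lines, and it assumes that "encoded PowerShell" means the -EncodedCommand (or -enc/-e) switch followed by a base64 blob; the sample log lines and the IP address are constructed for the demonstration.

```python
"""Hunt constructed endpoint telemetry for the Play indicators named in the write-up.

Added example, not part of the original page. Telemetry format is an assumption:
"timestamp|host|event|detail", where event is "process" or "file_create".
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the write-up: the ransom note title and the tools named.
RANSOM_NOTE = "how to restore your files.txt"
REMOTE_TOOLS = {"anydesk.exe", "anydesk", "nc.exe", "nc", "ncat.exe", "ncat", "netcat.exe", "netcat"}
# Assumption: "encoded PowerShell" means -EncodedCommand/-enc/-ec/-e with a base64 payload.
ENCODED_PS = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
)

# Constructed sample telemetry (hosts, paths, IP and base64 blob are all made up).
SAMPLE_TELEMETRY = [
    "2024-05-01T02:13:44Z|ws-07|process|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-05-01T02:14:02Z|ws-07|process|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe --silent",
    "2024-05-01T02:15:10Z|fs-01|process|powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA",
    "2024-05-01T02:16:30Z|fs-01|process|nc.exe 203.0.113.5 443",
    "2024-05-01T02:40:00Z|fs-01|file_create|\\\\fs-01\\share\\finance\\How To Restore Your Files.txt",
    "2024-05-01T09:00:00Z|ws-03|process|powershell.exe -File C:\\scripts\\backup.ps1",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    indicator: str  # which page-named indicator fired
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased; handles both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(line: str):
    """Return a Finding if the telemetry line matches an indicator, otherwise None."""
    try:
        timestamp, host, event, detail = line.split("|", 3)
    except ValueError:
        return None  # malformed line: skip it rather than abort the whole hunt
    if event == "process":
        tokens = detail.split()
        exe = _basename(tokens[0]) if tokens else ""
        if exe in REMOTE_TOOLS:
            return Finding(timestamp, host, "remote-access-or-tunnel-tool", detail)
        if ENCODED_PS.search(detail):
            return Finding(timestamp, host, "encoded-powershell", detail)
    elif event == "file_create" and _basename(detail) == RANSOM_NOTE:
        return Finding(timestamp, host, "play-ransom-note", detail)
    return None


def hunt(lines):
    """Classify every line and group the findings per host, in input order."""
    per_host = defaultdict(list)
    for line in lines:
        finding = classify(line.strip())
        if finding:
            per_host[finding.host].append(finding)
    return dict(per_host)


def hosts_with_note(per_host):
    """Hosts where the ransom note was written: encryption has already happened there."""
    return sorted(
        host for host, findings in per_host.items()
        if any(f.indicator == "play-ransom-note" for f in findings)
    )


if __name__ == "__main__":
    results = hunt(SAMPLE_TELEMETRY)
    for host, findings in results.items():
        for f in findings:
            print(f"{f.timestamp} {host:6} {f.indicator:30} {f.detail}")
    print("hosts with ransom note:", hosts_with_note(results))
```

Hosts that show tool execution or encoded PowerShell but no ransom note are the ones where containment still has a chance to prevent encryption; hosts listed by hosts_with_note are already at the impact stage and belong to the recovery workflow.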
Potential Vulnerabilities and Entry Points
Given ABN's extensive use of various IT platforms and its significant online presence, it is plausible that Play exploited vulnerabilities in those systems or used phishing to gain initial access. The specific vector used in this attack, however, has not been disclosed.
Disclaimer
The Halcyon Attacks Lookout Database is compiled using publicly available information based on the hosting choices of real-world threat actors and data from a variety of trackers. This information is provided in accordance with principles of fair use. Halcyon has made reasonable efforts to sanitize and verify the data; however, we do not guarantee the accuracy, completeness, or reliability of the information provided. Updates to the database are made as new source data becomes available from reputable sources. By accessing, viewing, or using the information within the Halcyon Attacks Lookout Database, you acknowledge and agree to do so entirely at your own risk. No reliance should be placed upon the information for decision-making, and Halcyon disclaims all liability for any inaccuracies or omissions in the data.