The Play ransomware, a threat actor that emerged about a year and a half ago, has claimed around 300 victims so far, including some organizations with critical infrastructure, according to a new joint advisory published by the FBI, CISA and Australia's Signals Directorate. That's what Cyber Security Center claimed.
“Since June 2022, the Play (also known as Playcrypt) ransomware group has affected a wide range of businesses and critical infrastructure in North America, South America and Europe,” the consultancy said. is reading. “As of October 2023, the FBI was aware of approximately 300 affected entities that were allegedly being exploited by the ransomware actors.”
Although Play ransomware does the same things as other operators (steal and encrypt sensitive data), it has a few unique features: BleepingComputer reports. For example, it will not communicate with its victims via Tor, but via email. Moreover, it uses a custom VSS Copying Tool, which helps retrieve files found in shadow volumes even if they are used by applications at the time of encryption.
Keep safe
Existing known victims include the city of Oakland in California, the city of Antwerp in Belgium and cloud computing giant Rackspace.
The joint advisory also urges organizations to keep their endpoints secure by following security best practices. These include keeping all software and hardware up to date and ensuring that all urgent security patches, which typically address known and exploited vulnerabilities, are applied as quickly as possible.
In addition, companies are urged to keep their passwords fresh and strong and use multi-factor authentication (MFA) where possible.
Finally, companies are advised to educate their employees about the dangers of phishing and social engineering. After all, most cyber attacks start with a seemingly benign email or instant message on one of today's most popular networks (LinkedIn, X and others), delivering malware that gives attackers access to the system.