Play ransomware on the rise, warns FBI, but research points to yet more hidden dangers

As the FBI and Cybersecurity & Infrastructure Security Agency issue a joint warning to businesses about the Play ransomware group, ESET research reminds us that ransomware isn’t the only fruit.

The FBI, CISA and the Australian Cyber Security Centre (ACSC) have published a joint advisory that warns organisations of the threat from ransomware group Play and exposes the indicators of compromise that security teams should look out for.

According to the advisory, the Play ransomware group gains initial access through compromised credentials, vulnerabilities in public-facing applications such as FortiOS and Microsoft Exchange, and Remote Desktop Protocol (RDP).

Play then uses double-extortion techniques to pressurise organisations into paying their demands. Any organisation that does not pay a demand will have its data published on Play’s Tor leak site.
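One defender-side check that follows from these TTPs, written here as an added example rather than anything from the advisory or this article: a successful RDP logon that arrives right after a burst of failed RDP logons from the same source is the trace left when stolen or guessed credentials are tried against an exposed RDP service. The log format, the sample lines, the source addresses and the thresholds below are all constructed assumptions; a real deployment would read Windows Security events 4625 and 4624 with logon type 10 from the domain controllers or endpoints.

```python
"""Added example (not from the joint advisory or this article): flag a successful RDP logon
that follows a burst of failed RDP logons from the same source. The log format is a
simplified, constructed one; real deployments would read Windows Security events 4625
(failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <event_id> <logon_type> <user> <source_ip>".
# 203.0.113.0/24 is documentation address space, used here as a stand-in for an external IP.
SAMPLE_LOG = """\
2024-01-15T08:00:01 4625 10 jsmith 203.0.113.7
2024-01-15T08:00:03 4625 10 jsmith 203.0.113.7
2024-01-15T08:00:05 4625 10 jsmith 203.0.113.7
2024-01-15T08:00:07 4625 10 jsmith 203.0.113.7
2024-01-15T08:00:09 4625 10 jsmith 203.0.113.7
2024-01-15T08:00:12 4624 10 jsmith 203.0.113.7
2024-01-15T09:15:00 4624 10 alee 10.0.0.25
2024-01-15T09:20:00 4625 10 alee 10.0.0.25
2024-01-15T09:20:30 4624 10 alee 10.0.0.25
2024-01-15T09:30:00 4625 3 svc-backup 10.0.0.40
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive, i.e. RDP


def parse_events(text):
    """Parse the constructed log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_rdp_logons(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one tuple (user, source_ip, failure_count, success_time) for every successful
    RDP logon that was preceded, within `window`, by at least `min_failures` failed RDP
    logons for the same user from the same source. Both thresholds are assumptions to tune."""
    recent_failures = defaultdict(list)   # (user, src) -> timestamps of failed logons
    hits = []
    for ev in events:
        if ev["type"] != RDP_LOGON_TYPE:
            continue                       # only RDP logons matter for this check
        key = (ev["user"], ev["src"])
        if ev["id"] == FAILED_LOGON:
            recent_failures[key].append(ev["ts"])
        elif ev["id"] == SUCCESS_LOGON:
            in_window = [t for t in recent_failures[key] if ev["ts"] - t <= window]
            if len(in_window) >= min_failures:
                hits.append((ev["user"], ev["src"], len(in_window), ev["ts"]))
            recent_failures[key].clear()   # a success ends the burst either way
    return hits


if __name__ == "__main__":
    for user, src, failures, when in find_suspicious_rdp_logons(parse_events(SAMPLE_LOG)):
        print(f"{when.isoformat()} RDP logon for {user} from {src} after {failures} failures")
```

On the constructed sample only the `jsmith` logon from 203.0.113.7 is flagged; the single failure before `alee`'s second logon stays below the threshold, and the non-RDP failure for `svc-backup` is ignored. Feeding this from real 4624/4625 events, and enforcing MFA on RDP so that a correct password alone is not enough, is the point of the advisory's guidance.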

Simon Lawrence, Director and Co-Founder of i-confidential, says that while these tactics, techniques and procedures (TTPs) “mirror the TTPs of other ransomware gangs, it once again highlights the importance of securing employee login credentials”.

Both the government agencies and Lawrence recommend multi-factor authentication (MFA) as the primary defence, since it makes it harder for threat actors to gain access even when they already hold stolen credentials.

“Criminals frequently spoof the login pages of MFA tools,” Lawrence adds, “so employees must also be taught to look out for these, such as verifying the URL of a page or looking out for suspicious imagery, before entering their details.”

ESET: ransomware not the only threat

But, as a threat report published by ESET today warns, ransomware is not the only threat. Although the Cl0p ransomware group features prominently, having exploited a vulnerability in the MOVEit file transfer app, this wasn't ransomware as we know it: the group relied solely on threats to expose exfiltrated data.

“The Cl0p attack targeted numerous organisations, including global corporations and US governmental agencies,” says ESET Director of Threat Detection Jiří Kropáč. “A key shift in Cl0p’s strategy was its move to leak stolen information to public websites in cases where the ransom was not paid, a trend also seen with the ALPHV ransomware gang.”

The ESET report also highlights a new threat to users of IoT devices, a category spanning everything from smart TVs to mobile devices: Android devices are being recruited to power denial-of-service attacks using the Android/Pandora malware.

Also on Android, SpinOK is spyware distributed as a software development kit (SDK) that is embedded in otherwise legitimate applications.

And let’s not forget ChatGPT, which threat actors are using as bait to lure victims to malicious domains whose names closely resemble those of OpenAI, the AI service of the moment.
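Both Lawrence's advice to verify the URL before entering MFA details and ESET's note on ChatGPT lookalike domains come down to the same defender-side check, shown here as an added example that is not from the article, from i-confidential or from ESET: compare the registrable domain of a hostname against a short list of domains users are expected to log in to or visit, after folding the visual substitutions (digits for letters, Unicode characters that render like Latin ones) that lookalike names rely on. The allow-list, the substitution tables, the threshold and the sample hostnames are all constructed assumptions.

```python
"""Added example (not from the article, i-confidential or ESET): flag hostnames that closely
resemble a list of trusted domains, for spoofed MFA login pages and lookalike ChatGPT domains.
The allow-list, substitution tables and similarity threshold are assumptions for illustration."""
import difflib
import unicodedata

# Constructed allow-list of registrable domains the organisation trusts.
KNOWN_GOOD = ["openai.com", "microsoftonline.com", "okta.com"]

# Common visual substitutions seen in lookalike names; not exhaustive.
DIGIT_SWAPS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
MULTI_SWAPS = {"rn": "m", "vv": "w", "cl": "d"}


def registrable_domain(hostname):
    """Last two labels of the hostname. Assumption: no multi-part public suffixes (co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(name):
    """Fold a name towards the ASCII letters a reader would take it for: decompose Unicode,
    drop what has no ASCII form (e.g. Cyrillic letters), then undo common substitutions."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for src, dst in MULTI_SWAPS.items():
        folded = folded.replace(src, dst)
    return "".join(DIGIT_SWAPS.get(ch, ch) for ch in folded)


def classify(hostname, known_good=KNOWN_GOOD, threshold=0.85):
    """Return ("ok", domain), ("lookalike", domain) or ("unknown", None)."""
    reg = registrable_domain(hostname)
    if reg in known_good:
        return "ok", reg                   # exact registrable-domain match
    norm_host = normalise(hostname.lower())
    norm_reg = normalise(reg)
    best, best_score = None, 0.0
    for good in known_good:
        brand = good.split(".")[0]
        if brand in norm_host:             # brand name used inside an unrelated domain
            return "lookalike", good
        score = difflib.SequenceMatcher(None, norm_reg, normalise(good)).ratio()
        if score > best_score:
            best, best_score = good, score
    if best_score >= threshold:            # near-identical once substitutions are folded
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed hostnames, including one with a Cyrillic "е" in place of Latin "e".
    for host in ["chat.openai.com", "0pena1.com", "openai.com.login-verify.example",
                 "op\u0435nai.com", "login-okta.com", "example.org"]:
        verdict, match = classify(host)
        print(f"{host!r}: {verdict}" + (f" (resembles {match})" if match else ""))
```

The check is deliberately two-sided: a brand keyword anywhere in the hostname catches `openai.com.login-verify.example`, where the real brand is only a subdomain of an unrelated registrable domain, while the similarity ratio catches names such as `0pena1.com` that contain no exact brand string at all. The short allow-list stands in for whatever identity and SaaS domains an organisation actually uses; the same comparison can run in a mail gateway, a proxy log pipeline or a browser extension.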

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.