2024-08-29

Play Ransomware Intrusion Thwarted by Trend Micro

Level: Tactical | Source: CISA, Kroll & Trend Micro | Global


The Play ransomware gang, known for its pervasive cyberattacks since June 2022, was effectively countered by Trend Micro's Managed Detection and Response (MDR) team. According to a report by Trend Micro, this group has been implicated in numerous security breaches targeting entities across various sectors, underlining the gravity and reach of their operations. The Cybersecurity and Infrastructure Security Agency (CISA) noted in December 2023 in the agency's #StopRansomware series that, by October of that same year, approximately 300 entities had been exploited by these ransomware actors. Insights from Kroll indicate that the ransomware group utilized the Citrix Bleed vulnerability, CVE-2023-4966, in Citrix NetScaler ADC and Gateway to gain unauthorized access to networks. In terms of victimology, Kroll reports that the operators primarily target organizations located in North America and Europe across a wide range of industries.

The attack chain observed by Trend Micro began with the use of compromised credentials: the intruders gained access through the victim's virtual private network (VPN). "The source host was identified as being from an IP address belonging to the victim’s virtual private network (VPN) subnet," reported Trend Micro incident response analyst Trent Bessell. The operators deployed SYSTEMBC malware into the "C:\Users\Public\Music" directory and dropped PsExec into the same directory alongside it. To enable RDP access for the next stage of the attack, the operators used reg.exe to modify the RDP registry value "fDenyTSConnections".

The attack continued with the deployment of "GT_NET.exe," a tool used to gather information about "accessible hosts on the network," with the data collected and archived to "data.zip." An attempt was made to dump the LSASS process via Task Manager; however, it was blocked by Trend Micro's monitoring agent. Trend Micro's detection and response actions then notified the victim, thwarting the intrusion and preventing further damage.
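The observable tradecraft in the two paragraphs above (executables launched from C:\Users\Public\Music, reg.exe flipping fDenyTSConnections, GT_NET.exe output archived to data.zip, and a Task Manager read of LSASS) maps cleanly onto process-creation and process-access telemetry. The following is an added detection example written for this summary; it is not Trend Micro's, Anvilogic's or CISA's code. The event dictionaries, the file name sysbc.exe, the host name WS01 and the allow-listed EDR path are constructed sample data, and the event shape is a simplified stand-in for Sysmon Event ID 1 (process create) and Event ID 10 (process access) records rather than a real log format.

```python
"""Detection checks for the Play intrusion tradecraft described above, run over
constructed sample events. Added example, not code from the original report."""
import re

# Drop directory named in the report for SystemBC and PsExec.
PUBLIC_MUSIC = re.compile(r"^[a-z]:\\users\\public\\music\\", re.IGNORECASE)

# reg.exe command line that sets fDenyTSConnections to 0, i.e. enables RDP.
RDP_ENABLE = re.compile(r"fdenytsconnections.*?/d\s+0(\s|$)", re.IGNORECASE)

# Reconnaissance artifacts named in the report.
RECON_ARTIFACT = re.compile(r"gt_net\.exe|data\.zip", re.IGNORECASE)

# PROCESS_VM_READ bit of a Windows access mask; needed to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Constructed allow-list: images expected to read LSASS on this estate.
LSASS_ALLOWLIST = {
    r"c:\program files\exampleedr\agent.exe",  # placeholder EDR agent path
}


def check_process_create(ev):
    """Return (rule_id, detail) findings for one process-creation event."""
    findings = []
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "")
    if PUBLIC_MUSIC.match(image):
        findings.append(("public_music_exec", image))
    if image.lower().endswith("\\reg.exe") and RDP_ENABLE.search(cmdline):
        findings.append(("rdp_enabled_via_reg", cmdline))
    if RECON_ARTIFACT.search(cmdline):
        findings.append(("network_recon_artifact", cmdline))
    return findings


def check_process_access(ev):
    """Return findings for one process-access event: a non-allow-listed image
    opening lsass.exe with a read-capable access mask."""
    source = ev.get("source_image", "").lower()
    target = ev.get("target_image", "").lower()
    granted = ev.get("granted_access", 0)
    if (target.endswith("\\lsass.exe")
            and granted & PROCESS_VM_READ
            and source not in LSASS_ALLOWLIST):
        return [("lsass_read_access", f"{source} -> {target} ({granted:#x})")]
    return []


def scan(events):
    """Run every event through the matching check; return (index, rule, detail)."""
    results = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process_create":
            hits = check_process_create(ev)
        elif ev.get("type") == "process_access":
            hits = check_process_access(ev)
        else:
            hits = []
        results.extend((idx, rule, detail) for rule, detail in hits)
    return results


# Constructed sample telemetry mirroring the reported sequence.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01",
     "image": r"C:\Users\Public\Music\sysbc.exe", "cmdline": "sysbc.exe"},
    {"type": "process_create", "host": "WS01",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                r' /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"type": "process_create", "host": "WS01",  # benign reg.exe use, no hit
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"type": "process_create", "host": "WS01",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Public\Music\GT_NET.exe > data.txt"},
    {"type": "process_access", "host": "WS01",
     "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1410},
    {"type": "process_access", "host": "WS01",  # allow-listed agent, no hit
     "source_image": r"C:\Program Files\ExampleEDR\agent.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

In production the allow-list for LSASS access is the part that needs tuning: security agents and some backup tools legitimately read LSASS, so the rule should key on a maintained set of signed images rather than the placeholder path used here, and the access-mask check should be widened to the exact masks your EDR reports for minidump-style reads.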

Among the defensive strategies recommended by Trend Micro, the company echoes mitigation strategies suggested by government agencies such as the FBI, CISA, and ASD’s ACSC. These strategies include regularly updating and patching systems to close security vulnerabilities, implementing network segmentation to contain breaches, and enforcing the use of Multi-Factor Authentication (MFA) to enhance security. Additionally, continuous monitoring of network traffic helps detect and respond to potential threats swiftly. Organizations are also advised to maintain regular backups of critical data in secure, offsite locations to prevent ransomware from accessing them, and to deploy endpoint protection solutions to block malicious activities on devices.
