{"id":48314,"date":"2022-09-06T00:00:00","date_gmt":"2022-09-06T00:00:00","guid":{"rendered":"urn:uuid:3f8a1737-07cb-8a44-814a-ebfc09a545fd"},"modified":"2022-09-06T00:00:00","modified_gmt":"2022-09-06T00:00:00","slug":"play-ransomwares-attack-playbook-unmasks-it-as-another-hive-affiliate-like-nokoyawa","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/play-ransomwares-attack-playbook-unmasks-it-as-another-hive-affiliate-like-nokoyawa\/","title":{"rendered":"Play Ransomware’s Attack Playbook Unmasks it as Another Hive Affiliate like Nokoyawa"},"content":{"rendered":"

<\/p>\n

<\/div>\n

Initial Access<\/b><\/p>\n

Play\u2019s ransomware actors commonly gain initial access through valid accounts that have been reused across multiple platforms, have previously been exposed, or were obtained through illegal means. This includes Virtual Private Network (VPN) accounts, not just domain and local accounts. Exposed RDP servers are also abused to establish a foothold. Another technique Play ransomware uses is the exploitation of the FortiOS vulnerabilities CVE-2018-13379<\/a> and CVE-2020-12812<\/a>.<\/p>\n

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download OS system files through specially crafted HTTP resource requests.  On the other hand, CVE-2020-12812 is an improper-authentication vulnerability in SSL VPN in FortiOS, which allows a user to log in without being prompted for FortiToken, the second factor of authentication, if they changed the case of their username.<\/p>\n

Execution<\/b><\/p>\n

We observed Play ransomware\u2019s usage of scheduled tasks and PsExec during its execution phase. Another one of Play\u2019s techniques involves the creation of a GPO, as GPOs are able to control many user and machine settings in the AD. The GPO deploys a scheduled task across the AD environment, and the task executes the ransomware at a specific date and time.  <\/p>\n

The ransomware also uses batch files to execute PsExec, a legitimate Windows tool in the SysInternals suite. This tool\u2019s ability to execute processes on other systems allows the rapid spread of the ransomware and assists Play in its reconnaissance activities.<\/p>\n

Persistence<\/b><\/p>\n

After the Play ransomware actors gain initial access through valid accounts, they will continue to use these accounts as a persistence mechanism. If Remote Desktop Protocol (RDP) access is disabled in a victim\u2019s system, the malicious actors will enable it by executing \u201cnetsh\u201d commands so that they can establish inbound connections within a victim\u2019s system. The ransomware executable is dropped in the Domain Controller shared folders (NETLOGON or SYSVOL) and is run by a scheduled task\/PsExec, after which encryption of the victim\u2019s files takes place. <\/p>\n

Privilege Escalation<\/b><\/p>\n

Play ransomware uses Mimikatz<\/a> to extract high privileges credentials from memory. Afterward, the ransomware will add accounts to privileged groups, one of which is the Domain Administrators group. It performs vulnerability enumeration through Windows Privilege Escalation Awesome Scripts<\/a> (WinPEAS), a script that searches for possible local privilege escalation paths.<\/p>\n

Defense Evasion<\/b><\/p>\n

The ransomware uses tools such as Process Hacker<\/a>, GMER<\/a>, IOBit,<\/a> and PowerTool<\/a> to disable antimalware and monitoring solutions. It covers its tracks using the Windows built-in tool wevtutil or a batch script, which will remove indicators of its presence, such as logs in Windows Event Logs or malicious files. It disables Windows Defender protection capabilities through PowerShell or command prompt. The PowerShell scripts that Play ransomware uses, like Cobalt Strike beacons (Cobeacon) or Empire agents, are encrypted in Base64.<\/p>\n

Credential Access<\/b><\/p>\n

Play ransomware also uses Mimikatz to dump credentials. The tool can be dropped directly on the target host or executed as a module through a command-and-control (C&C) application like Empire or Cobalt Strike. We also observed the malware\u2019s use of the Windows tool Task Manager to dump the LSASS process from memory.<\/p>\n

Discovery<\/b><\/p>\n

During the discovery phase, the ransomware actors collect more details about the AD environment. We\u2019ve observed that AD queries for remote systems have been performed by different tools, such as ADFind<\/a>, Microsoft Nltest<\/a>, and Bloodhound<\/a>. Enumeration of system information such as hostnames, shares, and domain information were also performed by the threat actor.<\/p>\n

Lateral Movement<\/b><\/p>\n

Play ransomware may use different tools to move laterally across a victim\u2019s system:<\/p>\n