The Russian-affiliated threat actor Play ransomware gang is now a service for sale, according to cybersecurity analyst Adlumin.
The group, thought to have debuted last year and to have launched multiple attacks on targets since then, has joined the growing ransomware-as-a-service (RaaS) trend.
Cybercriminals are increasingly finding it just as lucrative to hire their toolkits out to other crooks so they can launch attacks of their own – Adlumin found that Play’s fees ranged from $200 for simple “set-up assistance” to fully outfitted toolkits “ready for deployment” in excess of $1,000.
Of course, this is not good news for potential ransomware targets, who are more likely to find themselves on the receiving end as Play’s attack vector widens through proliferation.
“Making it available to affiliates that might include sophisticated hackers, less-sophisticated ‘script kiddies’ and various levels of expertise in between, could dramatically increase the volume of attacks,” warned Adlumin, describing Play ransomware model as already “highly successful.”
No silver bullet
Adlumin adds that in recent months, it has seen the ransomware type, also known as “PlayCrypt,” increasingly used to target SMEs.
That said, the toolkit is far from being a silver bullet for cybercriminals. There are telltale signs that might allow a seasoned cybersecurity professional to spot and avert Play attacks.
“Based on the attacks Adlumin has witnessed, small and mid-sized organizations are being targeted and are especially at risk,” said the analyst. “However, ransomware delivered as a service can often be easier to detect because of the common methods used to deploy it.”
It is urging security teams to watch for indicators of compromise (IOCs), such as malicious IP addresses, domains, emails, and hashes.
“They serve as clues to help put together what transpired during the incident and how,” added Adlumin. “They can also offer some insight about the level of sophistication of the attackers.”
Latin America first, now the world?
Play was first spotted being deployed against South American government agencies around the middle of last year but pivoted months later to target entities in the US and Europe.
The wide catchment area points to the ransomware gang’s mercenary nature, though one cannot rule out that the Russia-linked group may have geopolitical ambitions, too.
The gang employs double-extortion tactics, whereby it charges separate fees for two ‘services’ – unlocking data it has encrypted beyond use and not making the unencrypted version public to undermine a target’s competitiveness or security.
Adlumin says the increased uniformity of Play attacks in recent months supports its hypothesis that the toolkit is being sold on to other criminal groups, who then follow a “playbook” set of instructions guiding them on its use.
“This high level of consistency in methods used by threat actors is telling,” it said. “It suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits.”
Another common feature is the nature of Play and PlayCrypt targets, which Adlumin describes as smaller organizations that can nevertheless afford, on paper at least, to pay ransoms in the region of $1 million.
Easy to come by
Purchasing Play kits is far from difficult, with a Tor browser and “membership of the right dark net or market” the only prerequisites.
“Once there, a highly experienced threat actor, or even a ‘script kiddie,’ can browse RaaS advertisements,” said Adlumin.
It also notes that the RaaS gang is boasting a toolkit variant that can be used against Mac operating systems, for a long while believed to be less vulnerable than Windows to cyberattacks.
“We have developed a new MacOS ransomware as we noticed a lack of it,” added Adlumin, quoting a Play dark web advert it viewed.
But could more be less?
Adlumin further warns that the RaaS strain’s appeal to script kiddies could drive its proliferation.
“When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use,” it said.
“And since there are probably more script kiddies than ‘real hackers’ today, businesses and authorities should take note and prepare for a growing wave of incidents.”
But with proliferation could also come dilution, as inexperienced criminals fumble their initial attempts to use Play RaaS.
“When threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on the first few attacks,” said Adlumin. “They’ll make mistakes, and if those mistakes are big enough, they could serve as breadcrumbs for the authorities to follow.”
More from Cybernews:
Subscribe to our newsletter