Play | APT Profile

Description

[Play](https://attack.mitre.org/groups/G1040) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://attack.mitre.org/software/S1162) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Play](https://attack.mitre.org/groups/G1040) actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Techniques Used (TTPs)

T1030 — Data Transfer Size Limits (exfiltration)
T1016 — System Network Configuration Discovery (discovery)
T1048 — Exfiltration Over Alternative Protocol (exfiltration)
T1070.004 — File Deletion (defense-evasion)
T1059.003 — Windows Command Shell (execution)
T1059.001 — PowerShell (execution)
T1560.001 — Archive via Utility (collection)
T1018 — Remote System Discovery (discovery)
T1057 — Process Discovery (discovery)
T1027.010 — Command Obfuscation (defense-evasion)
T1587.001 — Malware (resource-development)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1105 — Ingress Tool Transfer (command-and-control)
T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1082 — System Information Discovery (discovery)
T1083 — File and Directory Discovery (discovery)
T1518.001 — Security Software Discovery (discovery)
T1133 — External Remote Services (persistence, initial-access)
T1588.002 — Tool (resource-development)
T1190 — Exploit Public-Facing Application (initial-access)
T1003.001 — LSASS Memory (credential-access)
T1657 — Financial Theft (impact)
T1070.001 — Clear Windows Event Logs (defense-evasion)

Total TTPs: 26

Malware & Tools

Malware: Cobalt Strike, Playcrypt

Tools: AdFind, BloodHound, Empire, Mimikatz, Nltest, PsExec, Wevtutil

← Return to Home ← Back to APT Search