Ransomware groups, such as Play (also known as Playcrypt), were among the most active groups in 2024 and use advanced methods like double extortion, first exfiltrating data and then encrypting systems, often targeting critical infrastructure globally. Initial access frequently begins with human elements, as phishing remains the top entry point for malware and compromised credentials, which are then used by threat actors leveraging tools like Mimikatz or Cobalt Strike for lateral movement. To reduce the risk of compromise, organizations are urged to apply cyber hygiene essentials: prioritizing known exploited vulnerabilities, consistently updating software, and deploying phishing-resistant Multi-Factor Authentication (MFA) across all services.
http://www.securitycareers.help/stop-the-attack-cycle-why-phishing-resistant-mfa-and-rigorous-patching-are-your-best-ransomware-defense
0:00
Welcome back to the deep dive. Okay, so it's October 2025, which means it's Cybersecurity Awareness Month.
0:07
That's right.
0:08
And the theme this year, building a cyber strong America and stay safe online.
0:15
Well, it feels more urgent than ever.
0:17
It really does. I mean, the threats, they're just getting more sophisticated, more professional. We can't just react anymore. We have to be, uh, proactive.
0:25
Exactly. And that's our mission today. We're digging into a really significant joint advisory from the FBI, CISA, and Australia's ACSC, focusing on one group in particular.
0:34
Yes. Play ransomware. They're aggressive. So, we want to pull out the absolute must-do actions for you, for your organization, based on this federal guidance. Like, what do you need to do right now?
0:45
And that's the value here, isn't it? This guidance cuts through the noise. You know, the threat landscape feels overwhelming, but these agencies are laying out clear, proven steps, things that actually work.
0:54
Totally agree. It simplifies things. No.
0:57
Okay. Before we get into the playbook of, well, one of the world's more dangerous ransomware crews, just a quick thank you to our sponsors for making this possible, especially this month. www.sizomarketplace.com, right? They help folks navigate this complex stuff.
1:12
Okay, let's start with the scale, because ransomware isn't, you know, small time anymore. Fortinet stats, they showed ransomware in what, seven out of 10 global attacks in 2023?
1:23
Roughly. Yeah, it's huge. And the number of publicly reported attacks in 2024 was, uh, over 5,600 globally. It's just relentless.
1:32
And a big part of that is driven by specific, well-organized groups like Play, or Play Crypt as they're sometimes called.
1:39
Yeah. They popped up mid-2022 and really climbed the ranks fast. Became one of the most active groups in 2024.
1:45
And their targets. It's not just random businesses, is it?
1:48
No, definitely not. They hit critical infrastructure. We're talking energy, healthcare, education, plus other businesses, of course, across North America, South America, Europe.
1:56
So, major impact. And the FBI advisory mentioned a specific number of victims.
2:01
They did. As of May this year, 2025, the FBI knew of about 900 entities, uh, believed to have been hit by Play.
2:10
900. Wow. That points to serious financial motivation. And they use that double extortion model, right? Steal the data first, then encrypt.
2:18
That's the standard playbook for many now. Oh yes, data exfiltration, then encryption. But Play has a twist in how they handle the ransom demands.
2:26
Oh, what's different?
2:28
Well, the ransom note itself doesn't demand immediate payment. It just gives an email address, like an @gmx.de or @web.de address, and tells the victim to get in touch.
2:37
Okay. So, what's the twist?
2:39
The twist is what happens next. If the victim doesn't make contact quickly, the Play actors actually call them.
2:44
They pick up the phone.
2:45
Yeah. They call victim organizations directly, threaten to leak stolen data, to really pressure them into paying.
2:52
Whoa. So, they're cold calling executives at companies they've just breached. That's intense. It's like blending digital extortion with high pressure sales tactics.
3:01
Exactly. It shows a level of, um, professionalization. It's not just automated code. It's a whole criminal operation focused on, well, closing the deal. It's pretty brazen.
3:11
No kidding. Okay, let's also give a quick shout out again to our sponsors, www.seomarketplace.com, for helping us understand these kinds of complex threats.
3:21
So, let's talk TTPs: tactics, techniques, procedures. How do they actually get in? Phase one, the advisory is clear. It's often about known weaknesses,
3:31
stuff we already know about, things that should have been fixed.
3:33
Pretty much. They're not always relying on super secret zero days. It's often two main paths: abusing valid accounts, you know, credentials maybe bought on the dark web or stolen via phishing.
3:43
Phishing is still big then.
3:44
Oh yeah, explicitly mentioned. And the other path is exploiting known vulnerabilities. Think RDP, VPNs, email servers, things facing the internet.
3:54
Any specific examples mentioned?
3:55
Yep. The advisory calls out specific FortiOS CVEs, uh, the Microsoft Exchange ProxyNotShell flaws from a couple of years back, and even exploiting a tool called SimpleHelp, an RMM tool, as recently as January 2025.
4:08
So patch management is just critical. It's the front door lock.
4:11
Absolutely critical.
4:12
Okay. So that's how they get in. But once they're inside the network, this is where it gets kind of clever, right? They don't always bring in their own custom malware, do they?
4:20
That's a really key point. Once inside, they often use what's already there. Legitimate IT tools, but for malicious purposes,
4:27
like living off the land.
4:29
Exactly. They use things like AdFind or BloodHound, standard tools for querying Active Directory, mapping out the network. They use PsExec for moving sideways from machine to machine, and the big one for getting more power, Mimikatz,
4:44
right? To dump credentials, steal passwords, and ultimately get domain admin rights. They're not writing fancy new code for privilege escalation, and they're using tools IT might even use legitimately,
4:56
which makes detection really hard, I imagine, if you're just looking for known malware signatures.
5:01
You'll miss it, because these tools are often trusted, maybe even whitelisted by security software. You have to look for the behavior, not just the tool itself.
5:10
And they actively try to hide, right? Cover their tracks.
5:13
Oh yes, they use tools like GMER, IOBit, and PowerTool specifically to disable antivirus, and they delete logs. That's MITRE technique T1070.001, to make investigation much harder.
5:28
And the ransomware itself, is it always the same?
5:31
No, that's another challenge. The advisory notes the ransomware binary, the actual encryption program, is often recompiled for each attack.
5:39
So, unique file hashes every time.
5:41
Pretty much, making signature-based detection unreliable. And they use something called intermittent encryption.
5:47
Intermittent encryption. What's that about?
5:49
It's sneaky. Instead of encrypting a whole file at once, which might trigger alerts, they encrypt small chunks, like every other block of data.
5:56
Why do that?
5:57
Probably to evade detection. Anti-malware might be looking for massive, rapid file changes. This is more subtle. Maybe gets past behavioral monitoring sometimes.
6:06
Clever. And they target virtual machines, too. Right?
6:08
Definitely. There's an ESXi variant mentioned. It runs commands to shut down running VMs first.
6:13
Oh. To unlock the files.
6:14
Exactly. Then it encrypts the key virtual machine files, the .VMDK and .VMX files, using strong AES-256 encryption. They go after the core infrastructure.
6:25
Okay. Hearing about their methods is, well, it's a bit daunting, but you said they often get in through known weaknesses like credential theft and missed patches. So, let's flip this. What are the absolute core defenses, the non-negotiables? CISA talks about four essentials. Splunk calls it the core four,
6:42
right? These are the fundamentals. And the first one, directly hitting credential theft, is multi-factor authentication. MFA
6:49
everywhere
6:50
everywhere: critical webmail, VPNs, access to important systems. It basically neutralizes those stolen passwords they might buy or phish.
6:58
But MFA isn't just MFA anymore, is it? There are different types, and some are better than others, especially with attackers willing to make phone calls.
7:05
That's a crucial distinction. Now, the guidance really emphasizes this. Weak MFA, things like SMS codes, voice calls, even simple push notifications without number matching, they're vulnerable.
7:15
Vulnerable to what? MFA fatigue, SIM swapping,
7:18
both. Attackers can spam push notifications until someone accidentally approves, or they can take over a phone number to get SMS codes. So the standard has to be phishing-resistant MFA.
7:30
Phishing-resistant, like what?
7:32
Think FIDO security keys or PKI-based authentication, things that can't be easily phished or socially engineered, especially for admin accounts and privileged users. If it's not FIDO or similar, you're still leaving a door open.
7:46
Okay, so phishing-resistant MFA is number one. What about passwords themselves? If MFA fails or isn't there?
7:52
Passwords still matter. The guidance says they need to be long. Think 15 characters minimum, up to 64.
7:58
Long, not necessarily complex.
8:00
Length is more important than forcing symbols and numbers if it makes it shorter. And interestingly, NIST guidance now favors length over forcing frequent password changes.
8:09
Really, no more 90-day resets? The thinking is frequent mandatory resets often lead people to create simple, predictable patterns. Password Summer 24, Password Fall 24. You know, easier for attackers to guess. So, focus on making them long. Maybe using passphrases rather than making people change them constantly.
8:25
Makes sense. Longer, memorable phrases.
8:30
Okay. MFA, passwords.
8:32
Yeah.
8:32
What's the next core defense? It must relate back to those vulnerabilities they exploit.
8:37
It does. It's patching. Timely patching.
8:39
The basics again. The absolute basics, but probably the most cost-effective defense there is. Keep everything updated: operating systems, software, firmware. But you have to prioritize.
8:51
Prioritize what?
8:52
Internet-facing systems first. And any vulnerability that CISA or others flag as being actively exploited in the wild. Those need to be patched within hours or days, not weeks or months. That's how Play gets in. So those are the core four fundamentals. But to really withstand and recover from an attack like Play, organizations need more resilience. It's about data and network control,
9:12
right? Especially with that double extortion tactic. They don't just encrypt, they steal your data. Backups become absolutely critical, don't they?
9:18
Absolutely. And not just any backups. You need a solid recovery plan. Multiple copies of data stored somewhere physically separate, segmented off from the main network, secure.
9:27
And the key term is
9:29
immutable. Your backups must be immutable,
9:31
meaning they can't be changed or deleted.
9:33
Exactly. Not even by someone who gets the highest level of admin access, like a Play actor might achieve. If they can encrypt or delete your backups, you're back to square one facing that ransom demand. Immutable backups are your lifeline.
9:48
Okay, immutable backups. What about controlling movement inside the network, preventing them from getting everywhere once they're in?
9:55
That comes down to access control. Two key ideas here. First, principle of least privilege, or PoLP. Give people only the access they absolutely need to do their job.
10:05
Precisely. Don't give everyone admin rights. Audit accounts regularly. Get rid of old or unused ones. And second, for those powerful admin accounts that are needed, use just-in-time access. JIT.
10:17
Just in time. How does that work?
10:19
It means admin privileges are only turned on when specifically requested for a defined task and automatically turned off afterwards. It dramatically shrinks the window where an attacker could grab and misuse those high-level credentials.
10:31
Got it. That limits the opportunity, and network segmentation helps enforce that too.
10:36
Hugely important. Segmenting your network, breaking it into isolated zones, contains the damage. If Play gets into one segment, say your web servers, good segmentation stops them from easily jumping over to finance or R&D or, crucially, the segment where your immutable backups live.
10:53
Makes sense. Containment. So, we've got the tech controls: MFA, patching, backup, segmentation, access control. But what about the people? We mentioned phishing earlier.
11:02
Can't forget the human element. It's often the first domino. Ongoing training is essential. Teach employees to pause, think critically, and report anything suspicious. Emails, texts, even phone calls, especially given Play's tactic of calling victims. Don't click impulsively. Don't give out info. Build that human firewall.
11:19
And we can't just assume these defenses work, right? We need to test them.
11:22
Absolutely. You have to validate your controls. The advisory recommends using the MITRE ATT&CK framework, specifically looking at the TTPs Play uses.
11:31
So, actively simulate their behavior.
11:34
Yes. Try to dump credentials with Mimikatz in a test environment. Try to move laterally with PsExec. See if your defenses actually detect and block that specific behavior, not just a known bad file. Then you tune your systems based on what you find. Make sure your tools aren't fooled by attackers using legitimate utilities.
11:55
Okay, let's try to wrap this up. The big picture seems to be, yes, groups like Play are sophisticated. They're professional criminals. They exploit weaknesses we often know about: stolen credentials, unpatched systems,
12:08
right? They're persistent.
12:09
But the defense isn't magic. It starts with getting the fundamentals right and being rigorous about it. Phishing-resistant MFA, proactive patching, especially for known exploited flaws, truly immutable backups, smart network segmentation.
12:23
Those are the cornerstones, and it's a shared responsibility. You know, this affects everyone, especially critical sectors like healthcare, energy, education. The guidance is also really clear. Don't pay the ransom.
12:34
Right. Paying encourages them. And there's no guarantee you'll even get your data back properly.
12:38
Exactly. It just fuels the fire.
12:39
So, the call to action for everyone listening, especially during Cybersecurity Awareness Month. Pick one thing from this discussion. Just one. Upgrade one critical service to phishing-resistant MFA this week. Patch that vulnerability CISA flagged last month. Make one tangible improvement now.
12:57
That's the way, step by step. And maybe a final thought to leave people with,
13:02
please.
13:02
Given how attackers like Play are now expert at using legitimate tools, AdFind, Mimikatz, PsExec, for their dirty work, how does your organization need to shift its thinking, moving beyond just looking for malware signatures? How do you get better at detecting behavior? Spotting when a trusted tool is used in an abnormal, malicious way. That's the next big challenge. Detecting the behavior, not just the binary.
13:26
That's a great question. Detecting malicious use of legitimate tools. Lots to think about there. Thanks so much for breaking this down.
13:31
My pleasure. Thanks for having me.
13:33
And a final thank you to our sponsors who make these deep dives possible. www.csoarketplace.com.
13:39
We'll catch you on the next deep dive.


