0:00 Welcome back to the deep dive. Okay, so it's October 2025, which means it's Cybersecurity Awareness Month. And the theme this year, Building a Cyber Strong America and stay safe …

0:15 Well, it feels more urgent than ever.

0:17 It really does. I mean, the threats, they're just getting more sophisticated, more professional. We can't just react anymore. We have to be, uh, proactive.

0:25 Exactly. And that's our mission today. We're digging into a really significant joint advisory from the FBI, CISA, and … focusing on one group in particular.

0:34 Yes. Play ransomware. They're aggressive. So, we want to pull out the absolute must-do actions for you, for your organization, based on this federal guidance. Like, what do you need to do …

0:45 And that's the value here, isn't it? This guidance cuts through the noise. You know, the threat landscape feels overwhelming, but these agencies are laying out clear, proven steps, things …

0:54 Totally agree. It simplifies things. No.

0:57 Okay. Before we get into the playbook of, well, one of the world's more dangerous ransomware crews, just a quick thank you to our sponsors for making this possible, especially this month. www.sizomarketplace.com, right? They help folks navigate this …
1:12 Okay, let's start with the scale, because ransomware isn't, you know, small-time anymore. Fortinet stats, they showed ransomware in what, seven out of 10 global attacks in 2023?

1:23 Roughly. Yeah, it's huge. And the number of publicly reported attacks in 2024 was, uh, over 5,600 globally. It's just …

1:32 And a big part of that is driven by specific well-organized groups like Play, or PlayCrypt as they're sometimes …

1:39 Yeah. They popped up mid-2022 and really climbed the ranks fast. Became one of the most active groups in 2024.

1:45 And their targets. It's not just random businesses, is it?

1:48 No, definitely not. They hit critical infrastructure. We're talking energy, healthcare, education, plus other businesses, of course, across North America, South America, Europe.

1:58 And the FBI advisory mentioned a specific number of victims.

2:01 They did. As of May this year, 2025, the FBI knew of about 900 entities, uh, believed to have been hit by Play.

2:10 900. Wow. That points to serious financial motivation. And they use that double extortion model, right? Steal the data first, then encrypt.

2:18 That's the standard playbook for many now. Oh yes, data exfiltration, then encryption. But Play has a twist in how they handle the ransom demands.

2:26 Oh, what's different?

2:28 Well, the ransom note itself doesn't demand immediate payment. It just gives an email address, like an @gmx.de or @web.de address, and tells the victim to …

2:37 Okay. So, what's the twist?

2:39 The twist is what happens next. If the victim doesn't make contact quickly, the Play actors actually call them.

2:44 They pick up the phone.

2:45 Yeah. They call victim organizations directly, threaten to leak stolen data, to really pressure them into paying.

2:52 Whoa. So, they're cold-calling executives at companies they've just breached. That's intense. It's like blending digital extortion with high-pressure sales tactics.

3:01 Exactly. It shows a level of, um, professionalization. It's not just automated code. It's a whole criminal operation focused on, well, closing the deal. It's pretty brazen.

3:11 No kidding. Okay, let's also give a quick shout-out again to our sponsors, www.seomarketplace.com, for helping us understand these kinds of …
3:21 So, let's talk TTPs: tactics, techniques, procedures. How do they actually get in? Phase one, the advisory is clear. It's often about known …

3:31 Stuff we already know about, things that should have been fixed.

3:33 Pretty much. They're not always relying on super secret zero-days. It's often two main paths: abusing valid accounts, you know, credentials maybe bought on the dark web or stolen via phishing.

3:43 Phishing is still big then.

3:44 Oh yeah, explicitly mentioned. And the other path is exploiting known vulnerabilities. Think RDP, VPNs, email servers, things facing the internet.

3:54 Any specific examples mentioned?

3:55 Yep. The advisory calls out specific FortiOS CVEs, uh, the Microsoft Exchange ProxyNotShell flaws from a couple years back, and even exploiting a tool called SimpleHelp, an RMM tool, as recently as …

4:08 So patch management is just critical. It's the front door lock.

4:12 Okay. So that's how they get in. But once they're inside the network, this is where it gets kind of clever, right? They don't always bring in their own custom malware, do they?

4:20 That's a really key point. Once inside, they often use what's already there: legitimate IT tools, but for malicious …

4:27 Like living off the land.

4:29 Exactly. They use things like AdFind or BloodHound, standard tools for querying Active Directory, mapping out the network. They use PsExec for moving sideways from machine to machine, and the big one for getting more power, … right? To dump credentials, steal passwords, and ultimately get domain admin rights. They're not writing fancy new code for privilege escalation, and they're using tools IT might even use.

4:56 Which makes detection really hard, I imagine. If you're just looking for known …

5:01 You'll miss it, because these tools are often trusted, maybe even whitelisted by security software. You have to look for the behavior, not just the tool itself.

5:10 And they actively try to hide, right?

5:13 Oh yes. They use tools like GMER, IOBit, PowerTool specifically to disable antivirus, and they delete logs. That's MITRE … to make investigation much harder.

5:28 And the ransomware itself, is it always …

5:31 No, that's another challenge. The advisory notes the ransomware binary, the actual encryption program, is often recompiled for each attack.

5:39 So, unique file hashes every time.

5:41 Pretty much, making signature-based detection unreliable. And they use something called intermittent …

5:47 Intermittent encryption. What's that?

5:49 It's sneaky. Instead of encrypting a whole file at once, which might trigger alerts, they encrypt small chunks, like every other block of data.

5:57 Probably to evade detection.

5:58 Anti-malware might be looking for massive, rapid file changes. This is more subtle. Maybe gets past behavioral …

6:06 Clever. And they target virtual machines, too. Right?

6:08 Definitely. There's an ESXi variant mentioned. It runs commands to shut down …

6:13 Oh. To unlock the files.

6:14 Exactly. Then it encrypts the key virtual machine files, the .vmdk and .vmx files, using strong AES-256 encryption. They go after the core …
6:25 Okay. Hearing about their methods is, well, it's a bit daunting, but you said they often get in through known weaknesses like credential theft and missed patches. So, let's flip this. What are the absolute core defenses, the non-negotiables? CISA talks about four essentials. Splunk calls it the core …

6:42 Right? These are the fundamentals. And the first one, directly hitting credential theft, is multi-factor … everywhere critical: webmail, VPNs, access to important systems. It basically neutralizes those stolen passwords they …

6:58 But MFA isn't just MFA anymore, is it? There are different types, and some are better than others, especially with attackers willing to make phone calls.

7:05 That's a crucial distinction. Now, the guidance really emphasizes this. Weak MFA, things like SMS codes, voice calls, even simple push notifications without number matching, they're vulnerable.

7:15 Vulnerable to what? MFA fatigue, SIM … both. Attackers can spam push notifications until someone accidentally approves, or they can take over a phone number to get SMS codes. So the standard has to be phishing-resistant MFA.

7:30 Phishing-resistant, like what?

7:32 Think FIDO security keys or PKI-based authentication, things that can't be easily phished or socially engineered, especially for admin accounts and privileged users. If it's not FIDO or similar, you're still leaving a door …

7:46 Okay, so phishing-resistant MFA is number one. What about passwords themselves? If MFA fails or isn't there?

7:52 Passwords still matter. The guidance says they need to be long. Think 15 characters minimum, up to 64.

7:58 Long, not necessarily complex.

8:00 Length is more important than forcing symbols and numbers if it makes it shorter. And interestingly, NIST guidance now favors length over forcing frequent password changes.

8:09 Really, no more 90-day resets. The thinking is frequent mandatory resets often lead people to create simple, predictable patterns. Password summer 24, password fall 24. You know, easier for attackers to guess. So, focus on making them long, maybe using passphrases, rather than making people change them constantly.

8:25 Makes sense. Longer, memorable phrases. What's the next core defense? It must relate back to those vulnerabilities …

8:37 It does. It's patching. Timely patching.

8:39 The basics again. The absolute basics, but probably the most cost-effective defense there is. Keep everything updated: operating systems, software, firmware. But you have to prioritize. Internet-facing systems first. And any vulnerability that CISA or others flag as being actively exploited in the wild. Those need to be patched within hours or days, not weeks or months. That's how Play gets in. So those are the core four fundamentals. But to really withstand and recover from an attack like Play, organizations need more resilience. It's about data and network control, …
9:12 Right? Especially with that double extortion tactic. They don't just encrypt, they steal your data. Backups become absolutely critical, don't they?

9:18 Absolutely. And not just any backups. You need a solid recovery plan. Multiple copies of data stored somewhere physically separate, segmented off from the main network, secure.

9:29 Immutable. Your backups must be … meaning they can't be changed and …

9:33 Exactly. Not even by someone who gets the highest level of admin access, like a Play actor might achieve. If they can encrypt or delete your backups, you're back to square one, facing that ransom demand. Immutable backups are your …

9:48 Okay, immutable backups. What about controlling movement inside the network, preventing them from getting everywhere …

9:55 That comes down to access control. Two key ideas here. First, principle of least privilege, or PoLP. Give people only the access they absolutely need to do …

10:05 Precisely. Don't give everyone admin rights. Audit accounts regularly. Get rid of old or unused ones. And second, for those powerful admin accounts that are needed, use just-in-time access.

10:17 Just in time. How does that work?

10:19 It means admin privileges are only turned on when specifically requested for a defined task and automatically turned off afterwards. It dramatically shrinks the window where an attacker could grab and misuse those high-level …

10:31 Got it. That limits the opportunity, and network segmentation helps enforce that …

10:36 Hugely important. Segmenting your network, breaking it into isolated zones, contains the damage. If Play gets into one segment, say your web servers, good segmentation stops them from easily jumping over to finance or R&D or, crucially, the segment where your immutable backups live.

10:53 Makes sense. Containment. So, we've got the tech controls: MFA, patching, backup, segmentation, access control. But what about the people? We mentioned …

11:02 Can't forget the human element. It's often the first domino. Ongoing training is essential. Teach employees to pause, think critically, and report anything suspicious. Emails, texts, even phone calls, especially given Play's tactic of calling victims. Don't click impulsively. Don't give out info. Build that human firewall.

11:19 And we can't just assume these defenses work, right? We need to test them.

11:22 Absolutely. You have to validate your controls. The advisory recommends using the MITRE ATT&CK framework, specifically looking at the TTPs Play uses.

11:31 So, actively simulate their behavior.

11:34 Yes. Try to dump credentials with Mimikatz in a test environment. Try to move laterally with PsExec. See if your defenses actually detect and block that specific behavior, not just a known bad file. Then you tune your systems based on what you find. Make sure your tools aren't fooled by attackers using legitimate utilities.
11:55 Okay, let's try to wrap this up. The big picture seems to be, yes, groups like Play are sophisticated. They're professional criminals. They exploit weaknesses we often know about: stolen credentials, unpatched systems, …

12:08 Right? They're persistent.

12:09 But the defense isn't magic. It starts with getting the fundamentals right and being rigorous about it. Phishing-resistant MFA, proactive patching, especially for known exploited flaws, truly immutable backups, smart network …

12:23 Those are the cornerstones, and it's a shared responsibility. You know, this affects everyone, especially critical sectors like healthcare, energy, education. The guidance is also really clear. Don't pay the ransom.

12:34 Right. Paying encourages them. And there's no guarantee you'll even get your data back properly.

12:38 Exactly. It just fuels the fire.

12:39 So, the call to action for everyone listening, especially during Cybersecurity Awareness Month. Pick one thing from this discussion. Just one. Upgrade one critical service to phishing-resistant MFA this week. Patch that vulnerability CISA flagged last month. Make one tangible improvement now.

12:57 That's the way, step by step. And maybe a final thought to leave people with. Given how attackers like Play are now expert at using legitimate tools, AdFind, Mimikatz, PsExec, for their dirty work, how does your organization need to shift its thinking, moving beyond just looking for malware signatures? How do you get better at detecting behavior? Spotting when a trusted tool is used in an abnormal, malicious way. That's the next big challenge. Detecting the behavior, not …

13:26 That's a great question. Detecting malicious use of legitimate tools. Lots to think about there. Thanks so much for …

13:31 My pleasure. Thanks for having me.

13:33 And a final thank you to our sponsors who make these deep dives possible. www.csoarketplace.com. We'll catch you on the next deep dive.