{
	"id": "c1b35373-ffe5-4239-b089-e18cc42acefc",
	"created_at": "2026-04-06T01:31:52.159964Z",
	"updated_at": "2026-04-10T03:30:32.796233Z",
	"deleted_at": null,
	"sha1_hash": "6c50899905c6538b141bdcc2cc212f5f4d7c3706",
	"title": "#StopRansomware: Play Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198561,
	"plain_text": "#StopRansomware: Play Ransomware | CISA\r\nPublished: 2025-06-04 · Archived: 2026-04-06 00:38:23 UTC\r\nSummary\r\nNote: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network\r\ndefenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories\r\ninclude recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)\r\nto help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to\r\nlearn more about other ransomware threats and no-cost resources.\r\nNote: Updates to this advisory, originally published December 18, 2023, include:\r\nJune 4, 2025: The advisory was updated to reflect new TTPs employed by Play ransomware group, as well as\r\nprovide current IOCs/remove outdated IOCs for effective threat hunting.\r\nUpdate June 4, 2025:\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian\r\nSignals Directorate’s Australian Cyber Security Centre (ASD's ACSC) are releasing this joint advisory to disseminate the\r\nPlay ransomware group’s IOCs and TTPs identified through FBI investigations as recently as January 2025.\r\nEnd Update\r\nSince June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical\r\ninfrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware\r\ngroups in 2024. 
\r\nOrganizations should take the following actions today to mitigate cyber threats from Play ransomware:\r\nPrioritize remediating known exploited vulnerabilities.\r\nEnable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and\r\naccounts that access critical systems.\r\nRegularly patch and update software and applications to their latest versions and conduct regular vulnerability\r\nassessments.\r\nUpdate June 4, 2025:\r\nAs of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors.\r\nEnd Update\r\nIn Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.\r\nThe Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a\r\nstatement on the group’s data leak website. Play ransomware actors employ a double extortion model, encrypting systems\r\nafter exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are\r\ninstructed to contact the threat actors via email.\r\nUpdate June 4, 2025:\r\nEach victim receives a unique @gmx.de or @web[.]de email for communications. A portion of victims are contacted via\r\ntelephone and are threatened with the release of the stolen data and encouraged to pay the ransom.\r\nEnd Update\r\nFBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this\r\nCSA to reduce the likelihood and impact of ransomware incidents. 
This includes requiring multifactor authentication,\r\nmaintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and\r\nfirmware up to date.\r\nDownload a PDF version of this report:\r\nFor a downloadable copy of IOCs, see:\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\r\nPage 1 of 11\n\nFor a downloadable copy of historic IOCs, see:\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 17. See the MITRE ATT\u0026CK\r\nTactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK tactics\r\nand techniques.\r\nInitial Access\r\nThe Play ransomware group gains initial access to victim networks through the abuse of valid accounts, likely purchased on\r\nthe dark web [T1078 ], and exploitation of public-facing applications [T1190 ], specifically through known FortiOS\r\n(CVE-2018-13379 and CVE-2020-12812 ) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082 ]) vulnerabilities. Play ransomware actors have been observed using external-facing services [T1133 ] such\r\nas Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.\r\nUpdate June 4, 2025:\r\nMultiple ransomware groups, including initial access brokers with ties to Play ransomware operators, exploited CVE-2024-\r\n57727 in remote monitoring and management (RMM) tool SimpleHelp [T1190 ] to conduct remote code execution\r\n[T1059.001 ] at many U.S.-based entities following the vulnerabilities’ disclosure on 16 January 2025.\r\nEnd Update\r\nDiscovery and Defense Evasion\r\nPlay ransomware actors use tools like AdFind to run Active Directory queries [TA0007 ] and Grixba,1 an information-stealer, to enumerate network information [T1016 ] and scan for anti-virus software [T1518.001 ]. 
Actors also use tools\r\nlike GMER, IOBit, and PowerTool to disable anti-virus software [T1562.001 ] and remove log files [T1070.001 ]. In\r\nsome instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target\r\nMicrosoft Defender.2\r\nLateral Movement and Execution\r\nPlay ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools\r\nlike PsExec to assist with lateral movement and file execution. Once established on a network, the ransomware actors\r\nsearch for unsecured credentials [T1552 ] and use the Mimikatz credential dumper to gain domain administrator access\r\n[T1003 ]. According to open source reporting,3 to further enumerate vulnerabilities, Play ransomware actors use Windows\r\nPrivilege Escalation Awesome Scripts (WinPEAS) [T1059 ] to search for additional privilege escalation paths. Actors then\r\ndistribute executables [T1570 ] via Group Policy Objects [T1484.001 ].\r\nExfiltration and Encryption\r\nUpdate June 4, 2025:\r\nThe Play ransomware binary is recompiled for every attack, resulting in unique hashes for each deployment, complicating\r\nanti-malware and anti-virus program detection of the ransomware [T1027 ].\r\nEnd Update\r\nPlay ransomware actors often split compromised data into segments and use tools like WinRAR to compress files\r\n[T1560.001 ] into .RAR format for exfiltration. The actors then use WinSCP to transfer data [T1048 ] from a\r\ncompromised network to actor-controlled accounts. Following exfiltration, files are encrypted [T1486 ] with AES-RSA\r\nhybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes.4 (Note: System files\r\nare skipped during the encryption process.) A .PLAY extension is added to file names once encrypted. Within the Windows\r\nenvironment, tools and a ransom note titled ReadMe[.]txt are placed in C:/Users/Public/Music/.
\r\nImpact\r\nUpdate June 4, 2025:\r\nThe Play ransomware group uses a double extortion model [T1657 ], encrypting systems after exfiltrating data. The\r\nransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[.]de or @web[.]de.\r\nRansom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the\r\nransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([.]onion\r\nURL).\r\nPlay ransomware targets regularly receive phone calls from threat actors encouraging payment and threatening the release of\r\ncompany information. These calls can be routed to a variety of phone numbers within the organization, including those\r\ndiscovered in open source, such as help desks or customer service representatives.\r\nESXi Variant\r\nThe ESXi variant of Play ransomware invokes shell commands specific to the ESXi environment to conduct tasks, including\r\npowering off all running Virtual Machines (VMs), listing machine names, and setting the welcome message of the ESXi\r\ninterface to the campaign-specific ransom note. The ransomware binary supports command line arguments; however, if no\r\ncommand line arguments are passed, the malware powers off all VMs and encrypts files related to VMs using randomly\r\ngenerated per-file keys. The targeted file extensions include .vmdk , .vmem , .vmsd , .vmsn , .vmx , .vmxf , .vswp ,\r\n.vmss , .nvram , .vmtx , and .log . The ransomware binary employs AES-256 as its encryption algorithm. The binary\r\ncreates a copy of the ransom note titled PLAY_Readme.txt in the root directory and in the path /vmfs/volumes/ , as well as\r\nthe welcome message of the ESXi interface.\r\nLike the Windows variant of Play ransomware, the ESXi variant must be recompiled for each campaign. 
Through command\r\nline flags, the binary supports additional functionality likely used for development and debugging, including exempting\r\nspecific VMs from encryption, targeting only one file for encryption, or skipping the file extension check and attempting to\r\nencrypt all files. Please see below for YARA rules.\r\nEnd Update\r\nLeveraged Tools\r\nTable 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this\r\nproduct are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical\r\nevidence to support they are used at the direction of, or controlled by, threat actors.\r\nTable 1: Tools Leveraged by Play Ransomware Actors\r\nName Description\r\nAdFind Used to query and retrieve information from Active Directory.\r\nBloodhound Used to query and retrieve information from Active Directory.\r\nGMER A software tool intended to be used for detecting and removing rootkits.\r\nIOBit\r\nAn anti-malware and anti-virus program for the Microsoft Windows operating system. Play actors\r\nhave accessed IOBit to disable antivirus software.\r\nPsExec A tool designed to run programs and execute commands on remote systems.\r\nPowerTool\r\nA Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data\r\ncollection, among other things.\r\nPowerShell\r\nA cross-platform task automation solution made up of a command-line shell, a scripting language, and\r\na configuration management framework, which runs on Windows, Linux, and macOS.\r\nCobalt Strike\r\nA penetration testing tool used by security professionals to test the security of networks and systems.\r\nPlay ransomware actors have used it to assist with lateral movement and file execution.\r\nMimikatz\r\nAllows users to view and save authentication credentials such as Kerberos tickets. 
Play ransomware\r\nactors have used it to add accounts to domain controllers.\r\nWinPEAS Used to search for additional privilege escalation paths.\r\nWinRAR Used to split compromised data into segments and to compress files into .RAR format for exfiltration.\r\nWinSCP\r\nWindows Secure Copy is a free and open source Secure Shell (SSH) File Transfer Protocol, File\r\nTransfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors\r\nhave used it to transfer data [T1048 ] from a compromised network to actor-controlled accounts.\r\nMicrosoft\r\nNltest\r\nUsed by Play ransomware actors for network discovery.\r\nNekto /\r\nPriviCMD\r\nUsed by Play ransomware actors for privilege escalation.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\r\nPage 3 of 11\n\nName Description\r\nProcess\r\nHacker\r\nUsed to enumerate running processes on a system.\r\nPlink Used to establish persistent SSH tunnels.\r\nUpdate June 4, 2025: \r\nIndicators of Compromise\r\nSee Table 2 for Play ransomware IOCs obtained from FBI investigations as of January 2025.\r\nTable 2: Hashes Associated with Play Ransomware Actors\r\nHashes (SHA 256 and SHA 1) Description\r\n47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E  \r\nSVCHost.dll\r\nBackdoor\r\n75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A\r\n453257C3494ADDAFB39CB6815862403E827947A1E7737EB8168CD10522465DEB\r\nC59F3C8D61D940B56436C14BC148C1FE98862921B8F7BAD97FBC96B31D71193C\r\nGRIXBA\r\nGt_net.exe\r\nCustom data gathering\r\ntool\r\n1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7\r\nPSexesvc.exe\r\nCustom Play “psexesvc”\r\n0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549\r\nHRsword.exe\r\nDisables endpoint\r\nprotection\r\n90040340EE101CAC7831D7035230AC8AD4224D432E5636F34F13AA1C4A0C2041\r\nUsysdiag.exe\r\nAssociated with\r\nHRsword; changes\r\nsettings of System\r\ncertificates\r\n3D86555ACAA19AEDDB5896071D1E3711B062EDBE 
fThe9C.exe\r\n6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6\r\nHi.exe\r\nAssociated with\r\nransomware\r\n75404543DE25513B376F097CEB383E8EFB9C9B95DA8945FD4AA37C7B2F226212\r\nSystemBC Malware\r\nEXE\r\n7A42F96599DF8090CF89D6E3CE4316D24C6C00E499C8557A2E09D61C00C11986\r\n7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA\r\nSystemBC malware DLL\r\n967DAFF362E63FF45526F585B7944488ACE1BB5BB5B30FA40D56557F1C538D09\r\nSHA256\r\nHash of public ECDSA\r\nkey\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\r\nPage 4 of 11\n\nHashes (SHA 256 and SHA 1) Description\r\n859165041D75FBA3759C5533E324225F355C8A07B4645B984192AD6BEF06DB1A\r\nSHA-256 \r\nHash of public ED25519\r\nKey for WinSCP Server\r\n511F63455CA4F83B0347B65DDA17585AD02591A9F23D8E234E5CE1321AA3381A\r\nSHA-256 \r\nHash of public ED25519\r\nKey WinSCP Server\r\n372F7B45A141BB0709D578BC716CBCA03104258822C4290CCBEB600223850158\r\nSHA-256\r\nHash of public ED25519\r\nKey WinSCP Server \r\nEnd Update\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 3–Table 11 for all referenced threat actor tactics and techniques in this advisory.\r\nTable 3: Play ATT\u0026CK Techniques for Enterprise for Initial Access\r\nTechnique Title ID Use\r\nValid Accounts T1078\r\nPlay ransomware actors obtain and abuse existing account\r\ncredentials to gain initial access.\r\nExploit Public Facing\r\nApplication\r\nT1190\r\nPlay ransomware actors exploit vulnerabilities in internet-facing\r\nsystems to gain access to networks.\r\nExternal Remote Services T1133\r\nPlay ransomware actors have used remote access services, such as\r\nRDP/VPN connection to gain initial access.\r\nUpdate June 4, 2025:\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nT1059.001\r\nPlay ransomware actors leveraged PowerShell commands to achieve\r\nRCE with a newly disclosed vulnerability.\r\nEnd Update\r\nTable 4: Play ATT\u0026CK Techniques for Enterprise for Discovery\r\nTechnique Title ID 
Use\r\nSystem Network Configuration\r\nDiscovery\r\nT1016\r\nPlay ransomware actors use tools like GRIXBA to identify\r\nnetwork configurations and settings.\r\nSoftware Discovery: Security\r\nSoftware Discovery\r\nT1518.001\r\nPlay ransomware actors scan for antivirus software.\r\nTable 5: Play ATT\u0026CK Techniques for Enterprise for Defense Evasion\r\nTechnique Title ID Use\r\nImpair Defenses: Disable or\r\nModify Tools\r\nT1562.001 Play ransomware actors use tools like GMER, IOBit, and\r\nPowerTool to disable antivirus software.\r\nIndicator Removal: Clear\r\nWindows Event Logs\r\nT1070.001 Play ransomware actors delete logs or other indicators of\r\ncompromise to hide intrusion activity.\r\nTable 6: Play ATT\u0026CK Techniques for Enterprise for Credential Access\r\nTechnique Title ID Use\r\nUnsecured\r\nCredentials\r\nT1552 Play ransomware actors attempt to identify and exploit credentials stored insecurely\r\non a compromised network.\r\nOS Credential\r\nDumping\r\nT1003\r\nPlay ransomware actors use tools like Mimikatz to dump credentials.\r\nTable 7: Play ATT\u0026CK Techniques for Enterprise for Lateral Movement\r\nTechnique Title ID Use\r\nLateral Tool\r\nTransfer\r\nT1570 Play ransomware actors distribute executables within the compromised\r\nenvironment. 
\r\nTable 8: Play ATT\u0026CK Techniques for Enterprise for Command and Control\r\nTechnique Title ID Use\r\nDomain Policy Modification: Group Policy\r\nModification\r\nT1484.001 Play ransomware actors distribute executables via\r\nGroup Policy Objects.\r\nTable 9: Play ATT\u0026CK Techniques for Enterprise for Collection\r\nTechnique Title ID Use\r\nArchive Collected Data: Archive via\r\nUtility\r\nT1560.001 Play ransomware actors use tools like WinRAR to\r\ncompress files.\r\nTable 10: Play ATT\u0026CK Techniques for Enterprise for Exfiltration\r\nTechnique Title ID Use\r\nExfiltration Over Alternative\r\nProtocol\r\nT1048 Play ransomware actors use file transfer tools like WinSCP to\r\ntransfer data.\r\nTable 11: Play ATT\u0026CK Techniques for Enterprise for Impact\r\nTechnique Title ID Use\r\nData Encrypted for\r\nImpact\r\nT1486 Play ransomware actors encrypt data on target systems to interrupt availability to\r\nsystem and network resources.\r\nFinancial Theft   \r\nT1657\r\nPlay ransomware actors use a double-extortion model for financial gain.\r\nUpdate June 4, 2025:\r\nBelow is a copy of YARA rules related to the ESXi variant:\r\nrule PlayForESXi\r\n{\r\n  meta:\r\n    description = \"Detects PLAY ransomware targeting ESXi Hypervisors\"\r\n    date = \"2025-01\"\r\n    filetype = \"elf\"\r\n    maltype = \"ransomware\"\r\n  strings:\r\n    $encrypt_str = \"encrypt:\"\r\n    $first_step_str = \"First step is done.\"\r\n    $vmfs_path_str = \"/vmfs/volumes\"\r\n    $PLAY_ext_str = \".PLAY\" fullword\r\n    $stop_list_mode_str = \"stop list mode\"\r\n    $hosts_in_exclusion_str = \"hosts in exclusion:\"\r\n    $error_in_stop_list_str = \"Error, check stop list file, exit.\"\r\n    $complete_str = \"Complete.\"\r\n    $dev_urandom_path_str = \"/dev/urandom\"\r\n    $targeted_ext_vmdk = \".vmdk\" fullword\r\n    $targeted_ext_vmem = \".vmem\" fullword\r\n    $targeted_ext_vmsd = \".vmsd\" 
fullword\r\n    $targeted_ext_vmsn = \".vmsn\" fullword\r\n    $targeted_ext_vmx = \".vmx\" fullword\r\n    $targeted_ext_vmxf = \".vmxf\" fullword\r\n    $targeted_ext_vswp = \".vswp\" fullword\r\n    $targeted_ext_vmss = \".vmss\" fullword\r\n    $targeted_ext_nvram = \".nvram\" fullword\r\n    $targeted_ext_vmtx = \".vmtx\" fullword\r\n    $targeted_ext_log = \".log\" fullword\r\n    $vim_cmd_power_off_vms_str = \"vim-cmd vmsvc/power.off\"\r\n    $get_storage_shell_cmd_str = \"esxcli storage filesystem list \u003e storage\"\r\n    $get_machines_shell_cmd_str = \"vim-cmd vmsvc/getallvms \u003e machines\"\r\n  condition:\r\n    all of them\r\n}\r\nBelow are copies of YARA and Suricata rules related to Play’s custom data gathering tool, Grixba:\r\nrule GRXBA\r\n{\r\n  meta:\r\n    description = \"Detects the infostealer GRXBA version 1.1.3.0\"\r\n    date = \"2025-01\"\r\n    filetype = \"pe\"\r\n    maltype = \"infostealer\"\r\n  strings:\r\n    $GRB_NET_hex = { 47 52 42 5F 4E 45 54 }\r\n    $GRB_NET_exe_hex = { 47 52 42 5F 4E 45 54 2E 65 78 65 00 }\r\n    $Copyright_Zabbix_2023_hex = { 43 6F 70 79 72 69 67 68 74 20 5A 61 62 62 69 78 20 32 30 32 33 00 }\r\n    $GRB_NT_hex = { 47 52 42 5F 4E 54 00 }\r\n    $help_string_1_hex = { 48 65 6C 70 54 65 78 74 2B 46 69 6C 65 2E 74 78 74 2F 31 32 37 2E 30 2E 30 2E\r\n31 2D 31 32 37 2E 30 2E 30 2E 32 35 35 2F 31 32 37 2E 30 2E 30 2E 31 2D 32 34 }\r\n    $help_string_2_hex = { 48 65 6C 70 54 65 78 74 5E 44 6F 6D 61 69 6E 20 6E 61 6D 65 20 66 6F 72 20 55\r\n73 65 72 73 20 61 6E 64 20 43 6F 6D 70 75 74 65 72 73 20 67 61 74 68 65 72 69 6E 67 2E 20 49 66 20 6E 6F 74 20\r\n73 65 74 20 77 69 6C 6C 20 62 65 20 75 73 65 64 20 64 6F 6D 61 69 6E 20 6F 66 20 63 75 72 72 65 6E 74 20 75 73\r\n65 72 }\r\n    $help_string_3_hex = { 48 65 6C 70 54 65 78 74 62 47 52 42 20 6D 6F 64 65 2E 20 73 63 61 6E 2F 73 63\r\n61 6E 61 6C 6C 2F 63 6C 72 2E 20 73 63 61 6E 20 2D 
20 6E 65 74 77 6F 72 6B 20 73 63 61 6E 6E 65 72 2E 20 73 63\r\n61 6E 61 6C 6C 20 2D 20 67 72 61 62 20 61 6C 6C 2E 20 20 63 6C 72 20 2D 20 65 76 65 6E 74 20 6C 6F 67 73 20 63\r\n6C 65 61 6E 65 72 }\r\n    $help_string_4_hex = { 48 65 6C 70 54 65 78 74 3A 49 6E 70 75 74 3A 20 66 2F 72 2F 73 2E 20 66 20 2D\r\n20 66 69 6C 65 2C 20 72 20 2D 20 72 61 6E 67 65 2C 20 73 20 2D 20 73 75 62 6E 65 74 2C 20 64 20 2D 20 64 6F 6D\r\n61 69 6E }\r\n  condition:\r\n    all of them\r\n}\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\r\nPage 7 of 11\n\nRule Suricataalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00\r\n6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63\r\n00 61 00 6c 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00\r\n77 00 73 00 5c 00 57 00 65 00 62 00 43 00 61 00 63 00 68 00 65 00|\"; flow:to_server;\r\nflowbits:set,GRXBA_webhist_path_1_detected ;sid:1900002; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00\r\n55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69\r\n00 6e 00 67 00 5c 00 4d 00 6f 00 6f 00 6e 00 63 00 68 00 69 00 6c 00 64 00 20 00 50 00 72 00 6f 00 64 00 75 00\r\n63 00 74 00 69 00 6f 00 6e 00 73 00 5c 00 50 00 61 00 6c 00 65 00 20 00 4d 00 6f 00 6f 00 6e 00 5c 00 50 00 72\r\n00 6f 00 66 00 69 00 6c 00 65 00 73 00|\"; flow:to_server; flowbits:set,GRXBA_webhist_path_2_detected\r\n;sid:1900003; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00\r\n55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69\r\n00 6e 00 67 00 5c 00 43 00 6f 00 6d 00 6f 00 64 00 6f 00 5c 00 49 00 63 00 65 00 44 00 72 00 61 00 67 00 6f 
00\r\n6e 00 5c 00 50 00 72 00 6f 00 66 00 69 00 6c 00 65 00 73 00|\"; flow:to_server;\r\nflowbits:set,GRXBA_webhist_path_3_detected ;sid:1900004; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00\r\n55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c\r\n00 5c 00 54 00 65 00 6e 00 63 00 65 00 6e 00 74 00 5c 00 51 00 51 00 42 00 72 00 6f 00 77 00 73 00 65 00 72 00\r\n5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|\"; flow:to_server;\r\nflowbits:set,GRXBA_webhist_path_4_detected ;sid:1900005; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00\r\n55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c\r\n00 5c 00 56 00 69 00 76 00 61 00 6c 00 64 00 69 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61\r\n00|\"; flow:to_server; flowbits:set,GRXBA_webhist_path_5_detected ;sid:1900006; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00\r\n55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c\r\n00 5c 00 43 00 6f 00 63 00 43 00 6f 00 63 00 5c 00 42 00 72 00 6f 00 77 00 73 00 65 00 72 00 5c 00 55 00 73 00\r\n65 00 72 00 20 00 44 00 61 00 74 00 61 00|\"; flow:to_server; flowbits:set,GRXBA_webhist_path_6_detected\r\n;sid:1900007; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00\r\n55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c\r\n00 5c 00 53 00 6f 00 67 00 6f 00 75 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 57 00 65 00 62 00\r\n6b 00 69 00 74 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|\"; 
flow:to_server;\r\nflowbits:set,GRXBA_webhist_path_7_detected ;sid:1900008; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 44 00 65 00 66 00 61 00\r\n75 00 6c 00 74 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 56\r\n00 69 00 76 00 61 00 6c 00 64 00 69 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|\";\r\nflow:to_server; flowbits:set,GRXBA_webhist_path_8_detected; sid:1900009; rev:1;)\r\nalert smb any any -\u003e any any (noalert; content:\"|55 00 73 00 65 00 72 00 73 00 5c 00 44 00 65 00 66 00 61 00\r\n75 00 6c 00 74 00 20 00 55 00 73 00 65 00 72 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f\r\n00 61 00 6d 00 69 00 6e 00 67 00 5c 00 4f 00 70 00 65 00 72 00 61 00 20 00 53 00 6f 00 66 00 74 00 77 00 61 00\r\n72 00 65 00 5c 00 4f 00 70 00 65 00 72 00 61 00 20 00 53 00 74 00 61 00 62 00 6c 00 65 00|\"; flow:to_server;\r\nflowbits:set,GRXBA_webhist_path_9_detected ;sid:1900010; rev:1;)\r\nalert smb any any -\u003e any any (msg:\"GRIXBA web history scanning detected - potential indicator of imminent PLAY\r\nRansomware attack\"; flowbits:isset,GRXBA_webhist_path_1_detected; flowbits:isset,GRXBA_webhist_path_2_detected;\r\nflowbits:isset,GRXBA_webhist_path_3_detected; flowbits:isset,GRXBA_webhist_path_4_detected;\r\nflowbits:isset,GRXBA_webhist_path_5_detected;flowbits:isset,GRXBA_webhist_path_6_detected;\r\nflowbits:isset,GRXBA_webhist_path_7_detected; flowbits:isset,GRXBA_webhist_path_8_detected;\r\nflowbits:isset,GRXBA_webhist_path_9_detected; flowbits:set,GRXBA_hit_found; classtype:attempted-recon;\r\nsid:1900011; rev:1;)\r\nalert smb any any -\u003e any any (noalert; flowbits:isset,GRXBA_hit_found;\r\nflowbits:unset,GRXBA_webhist_path_1_detected;flowbits:unset,GRXBA_webhist_path_2_detected;flowbits:unset,GRXBA_webhist_path_3_detected;fl\r\nsid:1900012; rev:1;)\r\nEnd 
Update\r\nMitigations\r\nFBI, CISA, and ASD’s ACSC recommend organizations apply the following mitigations to limit potential adversarial use of\r\ncommon system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These\r\nmitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National\r\nInstitute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and\r\nNIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and\r\nguidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity\r\nPerformance Goals for more information on the CPGs, including additional recommended baseline protections.\r\nThese mitigations apply to all critical infrastructure organizations and network defenders. 
FBI, CISA, and ASD’s ACSC\r\nrecommend that software manufacturers incorporate secure by design and default principles and tactics into their software\r\ndevelopment practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor\r\nvulnerabilities into remote software systems), thus strengthening the security posture for their customers.\r\nFor more information on secure by design, see CISA’s Secure by Design webpage and joint guide.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG\r\n2.F, 2.R, CPG 2.S] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the\r\ncloud).\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to\r\ncomply with NIST’s standards for developing and managing password policies [CPG 2.C].\r\nUse longer passwords consisting of at least 15 characters and no more than 64 characters in length [CPG 2.B];\r\nStore passwords in hashed format using industry-recognized password managers;\r\nAdd password user “salts” to shared login credentials;\r\nAvoid reusing passwords;\r\nImplement multiple failed login attempt account lockouts [CPG 2.G];\r\nDisable password “hints”;\r\nRefrain from requiring password changes more frequently than once per year;\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password\r\nresets. Frequent password resets are more likely to result in users developing password “patterns” cyber\r\ncriminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nRequire multifactor authentication [CPG 2.H] for all services to the extent possible, particularly for webmail,\r\nvirtual private networks, and accounts that access critical systems.5\r\nKeep all operating systems, software, and firmware up to date. 
Timely patching is one of the most efficient and\r\ncost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching\r\nknown exploited vulnerabilities in internet-facing systems [CPG 1.E]. Organizations are advised to deploy the latest\r\nMicrosoft Exchange security updates. If unable to patch, then disable Outlook Web Access (OWA) until updates are\r\nable to be undertaken.6\r\nSegment networks [CPG 2.F] to prevent the spread of ransomware. Network segmentation can help prevent the\r\nspread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting\r\nadversary lateral movement.7\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a\r\nnetwork monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network\r\ntraffic, including lateral movement activity on a network [CPG 1.E]. Endpoint detection and response (EDR) tools\r\nare particularly useful for detecting lateral connections as they have insight into common and uncommon network\r\nconnections for each host.\r\nFilter network traffic by preventing unknown or untrusted origins from accessing remote services on internal\r\nsystems. This prevents actors from directly connecting to remote access services they have established for\r\npersistence. 
Also see Inbound Traffic Filtering: Technique D3-ITF – MITRE.\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nReview domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts\r\n[CPG 1.A, 2.O].\r\nAudit user accounts with administrative privileges and configure access controls according to the principle of least\r\nprivilege [CPG 2.E].\r\nDisable unused ports [CPG 2.V].\r\nConsider adding an email banner to emails [CPG 2.M] received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nImplement time-based access for accounts set at the admin level and higher. For example, the just-in-time (JIT)\r\naccess method provisions privileged access when needed and can support enforcement of the principle of least\r\nprivilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to\r\nautomatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual\r\nusers may submit their requests through an automated process that grants them access to a specified system for a set\r\ntimeframe when they need to support the completion of a certain task.\r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral movement often\r\ndepend on software utilities running from the command line. If threat actors are not able to run these tools, they will\r\nhave difficulty escalating privileges and/or moving laterally [CPG 2.E].\r\nMaintain offline backups of data and regularly maintain backup and restoration [CPG 2.R]. 
By instituting this practice, an organization ensures it will not be severely interrupted and/or left with only irretrievable data.\r\nEnsure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K].\r\nValidate Security Controls\r\nIn addition to applying mitigations, FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory. FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 3 through Table 11).\r\n2. Align your security technologies against this technique.\r\n3. Test your technologies against this technique.\r\n4. Analyze the performance of your detection and prevention technologies.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.\r\nFBI, CISA, and ASD’s ACSC recommend continually testing your security program at scale and in a production environment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nResources\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.\r\nResource to mitigate a ransomware attack: #StopRansomware Guide.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nReporting\r\nFBI, CISA, and ASD’s ACSC do not encourage paying a ransom as payment does not guarantee victim files will be recovered. 
Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, FBI’s Internet Crime Complaint Center (IC3), or CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 1-844-Say-CISA).\r\nAustralian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD's ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or FBI.\r\nReferences\r\n[1] Threat Hunter Team, “Play Ransomware Group Using New Custom Data-Gathering Tools,” Symantec Enterprise Blogs, Symantec, April 19, 2023, https://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy .\r\n[2] Trend Micro Research, “Play,” Trend Micro, July 21, 2023, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play .\r\n[3] Trend Micro Research, “Play.”\r\n[4] Aleksandar Milenkoski, “Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection,” SentinelLabs, September 8, 2022, https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ .
\r\n[5] See also Protect Yourself: Multi-Factor Authentication – Cyber.gov.au .\r\n[6] See also Patching Applications and Operating Systems – Cyber.gov.au .\r\n[7] See also Implementing Network Segmentation and Segregation – Cyber.gov.au .\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a"
	],
	"report_names": [
		"aa23-352a"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439112,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c50899905c6538b141bdcc2cc212f5f4d7c3706.pdf",
		"text": "https://archive.orkl.eu/6c50899905c6538b141bdcc2cc212f5f4d7c3706.txt",
		"img": "https://archive.orkl.eu/6c50899905c6538b141bdcc2cc212f5f4d7c3706.jpg"
	}
}