Ransomware attacks have become one of the most aggressive forms of cybercrime, posing significant risks to organizations worldwide. Among the notorious ransomware groups, the Play ransomware has gained considerable notoriety due to its aggressive tactics and substantial impact since its emergence in June 2022. Play ransomware leverages sophisticated malware tools and techniques to infiltrate systems, encrypt data, and demand a ransom, leaving victims in a state of operational chaos.
The Intrusion Attempt
The article “How Trend Micro Managed Detection and Response Pressed Pause on a Play Ransomware Attack” by Trent Bessell highlights a remarkable instance where Trend Micro’s Managed Detection and Response (MDR) team successfully intercepted a highly coordinated intrusion attempt. Working in the Vision One platform, the team first detected the malicious activity through the Apex One Endpoint Protection Platform (EPP). This proactive identification allowed the MDR team to respond swiftly and effectively, thereby preventing significant operational disruption and data loss.
The initial breach was identified when Vision One Workbench alerts flagged a command-and-control tool, SYSTEMBC, located in the “C:\Users\Public\Music\” directory of a Windows server. SYSTEMBC is a proxy malware capable of delivering other payloads, including ransomware. Despite the backdoor being quarantined, the attacker’s access persisted through the use of legitimate logon credentials, indicating a sophisticated level of intrusion. The ability of Trend Micro’s systems to swiftly detect these anomalies marked the beginning of a series of defensive measures that would thwart the attackers’ complex strategies.
Advanced Attack Techniques
The Play ransomware group utilized several advanced techniques, underscoring the sophistication of modern cyber threats. One of these tactics involved using legitimate administrative tools and modifying system settings in ways that would typically go unnoticed.
An interesting tactic employed by the Play ransomware group involved the use of legitimate administrative tools like PsExec and modifications to Remote Desktop Protocol (RDP) settings via Windows Registry changes. This strategy, known as “living-off-the-land,” involves using existing system tools to conduct operations stealthily, making it difficult for conventional security measures to identify and stop the malicious activities. PsExec, a legitimate tool used for running programs on remote systems, was deployed to the same directory used for SYSTEMBC. Additionally, the attackers modified the Windows Registry to enable RDP access by changing the “fDenyTSConnections” value. This dual approach of using legitimate tools and altering system settings enabled the attackers to maintain a low profile within the victim’s network.
Custom Tool – GRIXBA
Another layer of complexity was added through the use of a custom tool named GRIXBA. Introduced onto the host as GT_NET.exe, GRIXBA performed network reconnaissance to identify accessible hosts and archived the collected data. The use of custom tools like GRIXBA presents both challenges and opportunities for cybersecurity defenders. For attackers, custom tools like GRIXBA provide stealth and evasiveness, as they are tailored to specific intrusions and often obfuscated to avoid detection by signature-based defenses. However, defenders can leverage the detection of such tools for early attribution, aiding in understanding the attacker’s tactics, techniques, and procedures (TTPs).
Because signature-based detection often fails against custom tools, defenders must rely on behavioral analysis instead. By focusing on the intent behind an activity rather than on the specific tool performing it, behavior monitoring and predictive machine learning (PML) remain effective even when the attacker changes tools, improving the effectiveness of defense mechanisms.
Effective Mitigation and Containment
Trend Micro’s MDR team, through continuous monitoring and timely response, ensured rapid notification and the implementation of defensive measures by the affected organization. This collaboration effectively prevented subsequent steps that could have resulted in data collection, exfiltration, and encryption. One notable instance was the Apex One EPP agent’s Behavior Monitoring (BM) module blocking an attempt to dump the memory of the running LSASS process via Task Manager.
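The behaviours described above (tools staged in C:\Users\Public\Music\, PsExec execution, the fDenyTSConnections registry change, and the Task Manager attempt to read LSASS memory) can each be expressed as a simple detection rule. The following is an added example written for this summary, not Trend Micro’s or Vision One’s own logic; the event shape is assumed and simplified, the sample events are constructed, and the rule that fDenyTSConnections=0 enables RDP is standard Windows behaviour rather than a value the article states.

```python
import ntpath

# Constructed detection logic; event dicts use an assumed simplified shape,
# not Trend Micro's or Sysmon's real schema. Indicators are those the text names.
STAGING_DIR = r"c:\users\public\music"  # where SystemBC, PsExec and GT_NET.exe were staged
RDP_DENY_VALUE = "fdenytsconnections"   # set to 0 to enable Remote Desktop
PROCESS_VM_READ = 0x10                  # access right needed to read/dump process memory

def _norm(path):
    """Lower-case a Windows path and normalise separators for comparison."""
    return path.replace("/", "\\").lower()

def check_event(ev):
    """Return the findings for one event (empty list when nothing matched)."""
    findings = []
    kind = ev.get("event")
    if kind == "process":
        image = _norm(ev.get("image", ""))
        if ntpath.dirname(image) == STAGING_DIR:
            findings.append("execution from staging directory: " + ev["image"])
        if ntpath.basename(image) in ("psexec.exe", "psexec64.exe"):
            findings.append("PsExec launched: " + ev["image"])
    elif kind == "registry":
        if ev.get("value_name", "").lower() == RDP_DENY_VALUE and str(ev.get("data")) == "0":
            findings.append("RDP enabled via fDenyTSConnections=0")
    elif kind == "process_access":
        target = ntpath.basename(_norm(ev.get("target_image", "")))
        if target == "lsass.exe" and ev.get("granted_access", 0) & PROCESS_VM_READ:
            findings.append("LSASS memory read by " + ev["source_image"])
    return findings

def triage(events):
    """Run check_event over every event; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample telemetry modelled on the intrusion described in the text.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "process", "image": r"C:\Users\Public\Music\PsExec.exe"},
    {"event": "process", "image": r"C:\Users\Public\Music\GT_NET.exe"},
    {"event": "registry", "value_name": "fDenyTSConnections", "data": 0},
    {"event": "process_access", "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1410},
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(idx, finding)
```

The benign svchost.exe event produces nothing, while the PsExec event matches two rules at once, which is the kind of overlap that lets a defender keep detecting the activity even if one tool is swapped out.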
The episode highlights the critical importance of proactive security measures in mitigating sophisticated cyber threats. The concerted efforts of Trend Micro’s MDR service, with its 24/7/365 coverage, underscore the necessity of continuous vigilance and immediate response in safeguarding against ransomware attacks. The capability of Trend Micro’s Managed Detection and Response team to halt such an invasive and well-coordinated attack serves as a testament to their advanced defensive strategies and the power of their Vision One platform.
Recommended Mitigation Strategies
Given the evolving nature of ransomware threats, cybersecurity agencies like the FBI, CISA, and ASD’s ACSC provide several key strategies to limit adversarial activities. These include regular system updates and patching, network segmentation, multi-factor authentication (MFA), continuous network traffic monitoring, regular and secure data backups, and robust endpoint protection solutions.
Frequent updates close vulnerabilities that attackers could exploit, while network segmentation can contain the spread of ransomware, minimizing damage. MFA adds an extra layer of security, complicating unauthorized access. Continuous monitoring is necessary to detect unusual activity indicative of an intrusion, and regular, secure backups ensure data recoverability post-attack. Robust endpoint protection similarly helps detect and block malicious activities at individual endpoints.
Real-Life Application and Preventative Measures
Ransomware attacks have rapidly evolved into some of the most aggressive and damaging forms of cybercrime, posing severe threats to businesses and institutions around the globe. These attacks can disrupt daily operations, compromise sensitive data, and cause significant financial loss. Among these ransomware groups, Play ransomware has risen to prominence because of its ruthless tactics and significant impact since it appeared on the scene in June 2022.
Play ransomware employs advanced malware tools and highly sophisticated techniques to penetrate computer systems, encrypt vital data, and then demand hefty ransoms for its release. These attacks leave organizations in a state of chaos, unable to access critical information or continue their regular operations until they meet the attackers’ demands. The group’s success and notoriety can be attributed to its ability to adapt rapidly to security measures and exploit vulnerabilities in even the most well-protected networks.
The rise of Play ransomware serves as a stark reminder of the ongoing evolution of cyber threats and the necessity for robust cybersecurity measures. Companies and institutions must stay vigilant, continuously update their security protocols, and educate their employees on detecting and responding to these increasingly sophisticated attacks. While authorities and cybersecurity experts work tirelessly to combat this digital menace, the battle against ransomware remains a challenging and ever-changing landscape.