By Davey Winder, Senior Contributor
Jan 11, 2025, 08:43am EST
New reports confirm that the ransomware cyberattack threat is far from a thing of the past: even the likes of LockBit, which had been thought to have disbanded following law enforcement disruption, has now confirmed that its return to action is just weeks away. Now, a new analysis has revealed the danger posed by ongoing Play ransomware attacks. Here’s what you need to know.
The Play Ransomware Attack Threat
Analysts from AhnLab have published an in-depth look at the Play ransomware threat, first detected in 2022 and responsible for more than 300 successful attacks worldwide since then. Play ransomware, which the researchers warned remains actively in use, takes its name from the “.PLAY” extension given to the files it encrypts.
Linked to Andariel, a North Korean state-sponsored attack group that is part of the Democratic People’s Republic of Korea’s “Reconnaissance General Bureau,” Play would appear to be an integral part of its cyber arsenal.
The methods by which these ransomware actors gain initial access to target networks include, the researchers said, “abusing valid accounts or attacking vulnerabilities in exposed services.” Microsoft ProxyNotShell Exchange Server vulnerabilities (CVE-2022-41040, CVE-2022-41082) and those in Fortinet’s FortiOS (CVE-2020-12812, CVE-2018-13379) are known to have been used. So, ensuring that these are properly patched is vital.
Play attackers, the AhnLab report confirmed, gather information on active systems and port numbers of running services through port scanning methods. Active Directory information is then collected, and “attack paths for privilege escalation” identified using specialist tools. By using this privilege escalation to provide admin access, the attackers can then steal credential information to be used for lateral movement and ultimate domain environment control.
It’s not only state-sponsored Play attacks that are an ongoing concern to organizations everywhere; the ransomware-as-a-service and double-extortion ransom tactics of all criminal gangs need to be considered. The Federal Bureau of Investigation has warned users to be alert to the risk and recommended mitigation methods, including:
- Install updates for operating systems, software and firmware as soon as they are released.
- Require phishing-resistant, non-SMS-based multi-factor authentication.
- Educate users to both recognize and report phishing attempts.
Play ransomware manages to evade detection by using legitimate tools such as Process Hacker to disable security products where possible. “Many of the tools used in the process are not malware strains,” AhnLab researchers said, “but those that can also be used for legitimate purposes.” All of which makes detection harder. Finally, a Play ransomware attack will encrypt an organization’s systems but also, as is the norm these days, exfiltrate information first so as to leverage extortion demands via leak sites.
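Because a dual-use tool is not malicious on its own, a defender gets more signal by correlating its launch with a burst of “.PLAY” file writes on the same host. The following is an added example, not code from AhnLab or the article; the event field names, the time window, the threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DUAL_USE = {"processhacker.exe"}  # tool named in the article; extend per site
WINDOW = timedelta(minutes=10)    # assumed correlation window
THRESHOLD = 3                     # assumed; kept low for the sample data

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2025-01-10T02:11:05", "host": "FS01", "type": "process",
     "image": r"C:\Users\Public\ProcessHacker.exe"},
    {"ts": "2025-01-10T02:19:40", "host": "FS01", "type": "file",
     "path": r"D:\share\q4.xlsx.PLAY"},
    {"ts": "2025-01-10T02:19:41", "host": "FS01", "type": "file",
     "path": r"D:\share\hr\staff.docx.PLAY"},
    {"ts": "2025-01-10T02:19:43", "host": "FS01", "type": "file",
     "path": r"D:\share\plan.pdf.PLAY"},
    {"ts": "2025-01-10T09:30:00", "host": "WS07", "type": "process",
     "image": r"C:\Tools\ProcessHacker.exe"},
    {"ts": "2025-01-10T10:00:00", "host": "WS09", "type": "file",
     "path": r"C:\Users\kim\Music\demo.play"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events, threshold=THRESHOLD, window=WINDOW):
    """Return {host: severity} from tool launches and .PLAY file writes."""
    tools, play = defaultdict(list), defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "process" and basename(e["image"]) in DUAL_USE:
            tools[e["host"]].append(t)
        elif e["type"] == "file" and e["path"].lower().endswith(".play"):
            play[e["host"]].append(t)
    verdicts = {}
    for host in set(tools) | set(play):
        times = sorted(play[host])
        # Earliest start of `threshold` writes that fit inside `window`.
        burst = next((times[i] for i in range(len(times) - threshold + 1)
                      if times[i + threshold - 1] - times[i] <= window), None)
        if burst and any(t <= burst for t in tools[host]):
            verdicts[host] = "critical"  # tool launch preceded the burst
        elif burst:
            verdicts[host] = "high"      # mass .PLAY writes alone
        elif tools[host]:
            verdicts[host] = "review"    # may be legitimate admin use
    return verdicts

if __name__ == "__main__":
    print(triage(EVENTS))
```

A single file ending in “.play” with no tool launch yields no verdict, which keeps a stray media or project file from raising an alert.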
This story was originally featured on Forbes.com
