FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Article Id 247065

Introduction

Play emerged in June 2022 as a new ransomware family and an associated ransomware group. The FortiGuard Incident Response (IR) and MDR teams have observed Play ransomware activity targeting customers predominantly in LATAM. This aligns with reporting from FortiGuard Labs[1] and Trend Micro[2]. Based on our team’s observations of recent intrusions from Play operators, the most likely initial access vector for current campaigns is through exploitation of vulnerabilities in Microsoft Exchange servers. This also aligns with activity reported by Intrinsec[3] and CrowdStrike[4] which identified new techniques used to target vulnerable Microsoft Exchange servers.

The Play ransomware itself is a C++ based executable. Like many other malware families, the executable does not need to run as administrator, but running as administrator results in more thorough encryption of victim files. The ransomware's encryption process is simple in that it performs only the file encryption function. This differs from the majority of other currently circulating ransomware families, which typically incorporate additional functionality (such as stopping services or disabling security tools) to improve the effectiveness of the encryption process. In Play ransomware deployments these functions are still performed, but through other means before the ransomware is deployed.

This article outlines how FortiEDR detects and mitigates execution of Play ransomware and its subsequent encryption behavior. This article also provides some FortiEDR Threat Hunting queries that can be used to identify telemetry associated with known Play ransomware samples and a set of IOCs associated with Play samples analyzed in this article.

Pre-execution

In observed Play ransomware intrusions, the Play ransomware executable was distributed around a compromised network over SMB and then executed using PsExec, a Windows administration tool used for remote execution. FortiEDR detects and blocks attempts by the OS to read malicious executables regardless of the process that attempts to execute them, so it will detect this method of execution. There are two parts to FortiEDR’s detection of malicious executables: first, file hashes are checked against FortiGuard AV signatures to detect known malware; second, executables are submitted to Fortinet Cloud Services (FCS), where they are analyzed using machine learning and detonated in a number of online sandboxes (including FortiSandbox). In the case of the analyzed Play ransomware, the sample was detected based on a known signature, as shown in Figure 1 below.


Figure 1. FortiEDR detects the file read attempt for the Play ransomware executable (alBC5u.exe) as a ‘Malicious File Detected’ event. This is because this executable matches a FortiGuard AV signature.

To test the second type of detection, the Play sample was padded with additional data to change its hash and then re-executed. As we can see from the screenshot in Figure 2 below, this event was also detected as a malicious file read event, as machine learning analysis in FCS identified malicious indicators and gave the executable a high likelihood of being malware. This behavior is important to highlight as it demonstrates FortiEDR’s ability to detect new variants of known malware, such as Play ransomware, without a known signature.

Figure 2. FortiEDR also detects a modified version of the Play ransomware sample without a known AV signature through machine learning analysis.

Encryption Activity

To demonstrate how FortiEDR detects and mitigates ransomware even if it is allowed to execute, FortiEDR Prevention mode was disabled allowing the ransomware to execute in an unrestricted manner resulting in the following events. Play ransomware performs its encryption using the overwrite method, meaning it overwrites files directly and then renames them to include the ‘.PLAY’ file extension. This behavior typically results in a slower encryption compared to the copy and delete method but provides a more robust method of preventing access to unencrypted files by ensuring unencrypted files cannot be retrieved from slack space.

FortiEDR detects the file encryption activity performed by the Play ransomware with the File Encryptor rule within the Ransomware Protection security policy. An example of this type of event can be seen in Figure 3 below.

Figure 3. FortiEDR detects multiple file write and rename events performed by Play ransomware as it encrypts files on a victim endpoint. This behavior is detected as File Encryptor activity and would be blocked by FortiEDR if it were in Prevention mode.

As highlighted in Figure 3 above, the FortiEDR security event aggregated these file rename attempts into a single event to minimize analyst alert fatigue. To get more granular information on affected files, the FortiEDR Threat Hunting interface can be used. By searching for the name of the ransomware executable we can identify related Threat Hunting telemetry. As we can see in Figure 4 below, each file rename and file write event performed by the ransomware process is available to determine which files have been encrypted. Note: the numbers differ between the Threat Hunting data in Figure 4 and the aggregated security event data in Figure 3 because the aggregated data also includes events from prior testing.

Figure 4. FortiEDR Threat Hunting interface showing telemetry related to execution of a Play ransomware executable. Note the high volume of File Rename and File Write events indicative of ransomware execution.

As part of the encryption process the main Play ransomware process attempts to connect to and encrypt files on connected network shares. These connections are made through API calls within the main executable, and authentication is attempted using the privileges of the executing user. These network connection attempts are detected and mitigated by FortiEDR rules within the Exfiltration Prevention security policy, as shown in the event in Figure 5 below.

Figure 5. FortiEDR detects and mitigates network access attempts from Play ransomware as it attempts to connect to remote SMB shares to encrypt accessible files.

In addition to the standard FortiEDR security events, FortiEDR Threat Hunting telemetry can also provide additional insight into attempted network connections. These network connection attempts can be seen in FortiEDR Threat Hunting telemetry as shown in Figure 6 below. Of particular note this interface provides a simple way of quickly identifying affected servers using the in-built and auto-generated ‘facets’ (highlighted).

Figure 6. FortiEDR Threat Hunting interface filtered on Network events provides a simple way of quickly identifying potential targets for encryption over SMB shares.
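The telemetry review described for Figures 4 and 6 (per-process File Write and File Rename counts, the list of files renamed to ‘.PLAY’, and a destination-host facet for SMB connections) can be reproduced over exported events. The Python below is an added example and is not FortiEDR code or output; the event list is constructed for the example, the field names (type, process, path, new_path, dest_ip, dest_port) are assumptions rather than the FortiEDR schema, and the flagging threshold is illustrative.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry, modelled loosely on the event categories the
# article shows in Threat Hunting (File Write, File Rename, Network).
# Field names are assumptions for this example, not the FortiEDR schema.
SAMPLE_EVENTS = [
    {"type": "File Write",  "process": "alBC5u.exe", "path": r"C:\Data\q1.xlsx"},
    {"type": "File Rename", "process": "alBC5u.exe", "path": r"C:\Data\q1.xlsx",
     "new_path": r"C:\Data\q1.xlsx.PLAY"},
    {"type": "File Write",  "process": "alBC5u.exe", "path": r"C:\Data\notes.docx"},
    {"type": "File Rename", "process": "alBC5u.exe", "path": r"C:\Data\notes.docx",
     "new_path": r"C:\Data\notes.docx.PLAY"},
    {"type": "File Write",  "process": "alBC5u.exe", "path": r"C:\Data\plan.pdf"},
    {"type": "File Rename", "process": "alBC5u.exe", "path": r"C:\Data\plan.pdf",
     "new_path": r"C:\Data\plan.pdf.PLAY"},
    {"type": "Network", "process": "alBC5u.exe", "dest_ip": "10.0.0.21", "dest_port": 445},
    {"type": "Network", "process": "alBC5u.exe", "dest_ip": "10.0.0.22", "dest_port": 445},
    {"type": "Network", "process": "alBC5u.exe", "dest_ip": "10.0.0.21", "dest_port": 445},
    # Benign activity: an editor saving a document and a browser on HTTPS.
    {"type": "File Write",  "process": "winword.exe", "path": r"C:\Data\memo.docx"},
    {"type": "File Rename", "process": "winword.exe", "path": r"C:\Data\~tmp.docx",
     "new_path": r"C:\Data\memo.docx"},
    {"type": "Network", "process": "chrome.exe", "dest_ip": "93.184.216.34", "dest_port": 443},
]

RANSOM_EXT = ".play"  # compared case-insensitively; the article shows '.PLAY'


def rename_stats(events):
    """Per process: writes, renames, and renames whose new name gets the ransom extension."""
    stats = defaultdict(lambda: {"writes": 0, "renames": 0, "ransom_renames": 0})
    for ev in events:
        s = stats[ev["process"]]
        if ev["type"] == "File Write":
            s["writes"] += 1
        elif ev["type"] == "File Rename":
            s["renames"] += 1
            if ev["new_path"].lower().endswith(RANSOM_EXT):
                s["ransom_renames"] += 1
    return dict(stats)


def flag_encryptors(events, threshold=3):
    """Processes showing the overwrite-then-rename pattern at or above the threshold."""
    return sorted(p for p, s in rename_stats(events).items()
                  if s["ransom_renames"] >= threshold and s["writes"] >= threshold)


def encrypted_files(events, process):
    """Original paths of files a process renamed to the ransom extension (impact scoping)."""
    return sorted(ev["path"] for ev in events
                  if ev["type"] == "File Rename" and ev["process"] == process
                  and ev["new_path"].lower().endswith(RANSOM_EXT))


def smb_facet(events, process):
    """Destination-host facet for SMB (445/tcp) connections made by a process, with counts."""
    return Counter(ev["dest_ip"] for ev in events
                   if ev["type"] == "Network" and ev["process"] == process
                   and ev["dest_port"] == 445)


if __name__ == "__main__":
    for proc in flag_encryptors(SAMPLE_EVENTS):
        print(proc, "encrypted:", encrypted_files(SAMPLE_EVENTS, proc))
        print(proc, "SMB targets:", dict(smb_facet(SAMPLE_EVENTS, proc)))
```

The threshold keeps a single legitimate save-and-rename (winword.exe above) from being flagged; the SMB facet gives the same quick list of potentially affected servers that the highlighted facets in Figure 6 provide.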

Conclusion

From a behavioral perspective Play ransomware is a standard overwrite ransomware family capable of encrypting over connected SMB shares. As demonstrated in this article FortiEDR is able to detect and mitigate execution of this ransomware family and its subsequent encryption behavior. This detection capability is also present even if the particular variant does not match known FortiGuard AV signatures due to FortiEDR’s integration with Fortinet Cloud Services giving it access to machine learning engines and multiple online sandbox environments.

With this in mind, detection of ransomware at the detonation stage should be the last line of defense. Organizations should prioritize investing in security layers that support detection and mitigation of intrusions by ransomware operators before ransomware executables are deployed, to minimize impact. FortiEDR, or another modern EDR solution, is the most effective way of providing detection and mitigation opportunities throughout the entire kill chain.

Threat Hunting

As highlighted in the above article this ransomware family focuses purely on encrypting files on a victim endpoint with victim preparation functions, such as disabling defender tools and service stops, performed through separate means prior to ransomware execution. This limits the behaviors exhibited by the ransomware itself resulting in limited opportunities to add additional detections through threat hunting telemetry. Regardless of this the below query has been included for completeness and could be repurposed to assist with IOC sweeps for other threats if required. This query will detect known Play ransomware samples in FortiEDR threat hunting telemetry based on some of the more recently observed file hashes. Note that this will need to be extended to include hashes for new samples as they become available.

Target.Process.File.SHA1:("4b75a0b2ef8a5175fada12399bd3df57013dbc31" OR "642da36b889e79887db75165ab2a12a4af2bbd84" OR "1eccb2b34925b2c9e858ab59d798e3a5324aebe2" OR "a8ed13fc4fc0dbcb0de867e80dfa14826598aee4" OR "8f5dd3cf8c15bf8a2dcd4ae6fc3c8e54fd7cfdff" OR "85d9072932bda1ddf398db830503ce9728ad487f")
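Because the hash list above has to be extended as new samples appear, it is easier to keep the hashes as data and generate the query from them. The Python below is an added example, not a FortiEDR tool: it parses the query above into its field and hash set, rebuilds an equivalent query from a list, validates that every entry is well-formed SHA1 hex (a malformed entry silently matches nothing), and sweeps constructed telemetry records against the set. Only Target.Process.File.SHA1 comes from the article; the other record fields are assumptions.

```python
import re

# The FortiEDR Threat Hunting query from the article, copied verbatim.
PLAY_QUERY = (
    'Target.Process.File.SHA1:("4b75a0b2ef8a5175fada12399bd3df57013dbc31" OR '
    '"642da36b889e79887db75165ab2a12a4af2bbd84" OR "1eccb2b34925b2c9e858ab59d798e3a5324aebe2" OR '
    '"a8ed13fc4fc0dbcb0de867e80dfa14826598aee4" OR "8f5dd3cf8c15bf8a2dcd4ae6fc3c8e54fd7cfdff" OR '
    '"85d9072932bda1ddf398db830503ce9728ad487f")'
)

QUERY_RE = re.compile(r'^\s*([\w.]+):\((.*)\)\s*$', re.S)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_hash_query(query):
    """Split a Field:("a" OR "b" ...) query into (field, set of lowercase values)."""
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError("not a Field:(...) query")
    field, body = m.group(1), m.group(2)
    values = {v.lower() for v in re.findall(r'"([^"]+)"', body)}
    return field, values


def build_hash_query(field, hashes):
    """Rebuild the query from an IOC list so new hashes can be appended as they appear."""
    quoted = " OR ".join(f'"{h.lower()}"' for h in sorted(hashes))
    return f"{field}:({quoted})"


def validate_sha1(hashes):
    """Return the entries that are not 40 hex characters (typos, truncated copies, placeholders)."""
    return [h for h in hashes if not SHA1_RE.match(h.lower())]


def sweep(records, field, hashes):
    """Return the records whose `field` value is in the IOC set (case-insensitive)."""
    wanted = {h.lower() for h in hashes}
    return [r for r in records if str(r.get(field, "")).lower() in wanted]


# Constructed telemetry records (not real FortiEDR output). Only the
# Target.Process.File.SHA1 field name comes from the article's query.
SAMPLE_RECORDS = [
    {"Device": "FS01", "Target.Process.Name": "alBC5u.exe",
     "Target.Process.File.SHA1": "4B75A0B2EF8A5175FADA12399BD3DF57013DBC31"},
    {"Device": "WS07", "Target.Process.Name": "notepad.exe",
     "Target.Process.File.SHA1": "0000000000000000000000000000000000000000"},
    {"Device": "WS12", "Target.Process.Name": "svc.exe",
     "Target.Process.File.SHA1": "85d9072932bda1ddf398db830503ce9728ad487f"},
]


if __name__ == "__main__":
    field, iocs = parse_hash_query(PLAY_QUERY)
    hits = sweep(SAMPLE_RECORDS, field, iocs)
    print(len(hits), "hits on devices:", [h["Device"] for h in hits])
    # Extending the list with a placeholder entry (not a real hash) is caught by validation.
    extended = iocs | {"NEW-SAMPLE-SHA1-PLACEHOLDER"}
    print("malformed entries:", validate_sha1(extended))
    print(build_hash_query(field, iocs))
```

The sweep lower-cases both sides because telemetry sources differ in hash casing; the round trip parse -> build -> parse is the check that the generated query still carries exactly the intended hashes.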

MITRE ATT&CK Mapping

TA0040 - Impact

Technique ID | Technique Description | Observed Activity
T1486 | Data Encrypted for Impact | Play ransomware encrypts files on the victim endpoint by first overwriting their contents with encrypted content, then renaming them with the new file extension. Play ransomware also attempts to encrypt files on network connected file shares via SMB.


IOCs

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes
Malicious Executable | 4b75a0b2ef8a5175fada12399bd3df57013dbc31 | SHA1 Hash | Impact | Play ransomware executable. Sample analyzed in this article.
Malicious Executable | 642da36b889e79887db75165ab2a12a4af2bbd84 | SHA1 Hash | Impact | Play ransomware executable
Malicious Executable | 1eccb2b34925b2c9e858ab59d798e3a5324aebe2 | SHA1 Hash | Impact | Play ransomware executable
Malicious Executable | a8ed13fc4fc0dbcb0de867e80dfa14826598aee4 | SHA1 Hash | Impact | Play ransomware executable
Malicious Executable | 8f5dd3cf8c15bf8a2dcd4ae6fc3c8e54fd7cfdff | SHA1 Hash | Impact | Play ransomware executable
Malicious Executable | 85d9072932bda1ddf398db830503ce9728ad487f | SHA1 Hash | Impact | Play ransomware executable


[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware

[2] https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-anoth...

[3] https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/

[4] https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/