Report highlights
- We show how a Play ransomware infection was quickly identified and contained via a swift and coordinated response by Trend Micro Managed Detection and Response (MDR).
- The Play ransomware group used the following malware tools: SYSTEMBC, a proxy malware that can deliver other payloads like ransomware, and GRIXBA, a custom tool meant to circumvent signature-based detections.
- In this particular attack, the ransomware group was also found weaponizing legitimate tools like PsExec and Remote Desktop Protocol (RDP). This is another example of the common cybercriminal technique called “living-off-the-land,” which enables threat actors to conduct stealthy attacks to avoid security detection.
Introduction
Ransomware threats have existed for some time now as one of the most pernicious forms of cybercrime. One particular ransomware group that has gained notoriety is the Play ransomware group, which has become known for its aggressive strategies and significant impact on various organisations since June 2022.
Earlier this year, Trend Micro Managed Detection and Response (MDR) identified a highly sophisticated and well-coordinated intrusion attempt that was related to the notorious Play ransomware group. Using the Trend Micro Vision One platform, the MDR team was able to quickly identify and respond to the threat. The swift and decisive actions effectively thwarted the attack, thereby preventing any potential data loss or operational impact. This incident underscores the critical importance of having robust cybersecurity measures in place to defend against increasingly complex cyberthreats.
Incident overview
Trend Micro MDR was first alerted to the breach via the triggering of Vision One Workbench alerts following the detection via the Apex One Endpoint Protection Platform (EPP) agent of a command-and-control tool identified as SYSTEMBC. The tool, which was dropped in the “C:\Users\Public\Music\” directory of a Windows server, is a proxy malware that uses SOCKS5 and can deliver other payloads, such as ransomware. Despite the backdoor being quarantined by the EPP agent, the threat actor still had access to the endpoint using valid logon credentials. The source host was identified as being from an IP address belonging to the victim’s virtual private network (VPN) subnet.
The threat actor transferred a legitimate administration tool, PsExec, from their attacking machine via the VPN. PsExec, which is designed to run programmes and execute commands on remote systems, was deployed to the same directory used to stage the previously detected SYSTEMBC binary.
The threat actor also altered Remote Desktop Protocol (RDP) settings through modifications made in the Windows Registry. This involved changing a specific registry value, “fDenyTSConnections”, as highlighted in the observed attack technique (OAT). This modification enabled RDP access on the host.
An additional tool, GT_NET.exe, was introduced on the host and executed, resulting in a series of network reconnaissance tasks to identify accessible hosts on the network. The resulting list of endpoints was placed into a file and archived to data.zip. This file was identified as GRIXBA after malware analysis was performed following its execution. GRIXBA is a custom tool that the Play ransomware group uses and provides. While the use of custom tools is not new, using them provides advantages for both attackers and defenders:
Advantages for Attackers
- Stealth and Evasion: Custom tooling is often tailored to the intrusion, or packaged with obfuscation wrappers to avoid signature-based detections. Rapid development can be performed to avoid newly developed defensive techniques.
- Modular Functionality: Custom tools are often designed to be modular, deploying only the functionality necessary for the breached environment.
Advantages for Defenders
- Attribution: The detection of custom tooling can aid defenders in applying early attribution back to the threat actor. This allows defenders to better understand the unique tactics, techniques and procedures employed and remain a step ahead of the adversary.
- Behavioural Analysis: Since signature-based detection is a weaker method of detecting custom tooling, behaviour-based detections, such as behaviour monitoring (BM) or predictive machine learning (PML), help identify potential changes to the tooling by focusing on the intended goal and methods employed by the tooling.
Following this, an attempt was made to dump the running LSASS process memory via Task Manager. However, this action was successfully blocked by the Apex One EPP agent’s Behaviour Monitoring (BM) module. The BM module detected the suspicious activity and intervened to prevent sensitive LSASS process memory from being dumped.
Timeline of Events
Through diligent and continuous monitoring of the victim organisation's environment, the Trend Micro MDR team was able to meticulously piece together the threat actor's activity. This comprehensive monitoring allowed the team to perform timely and effective response actions aimed at containing the threat. Additionally, they were able to notify the victim organisation promptly, ensuring that immediate measures could be taken. This swift and coordinated response ultimately prevented the Play ransomware group from achieving further objectives, such as data collection, exfiltration, and encryption, which could have resulted in severe data breaches and significant operational disruptions for the victim organisation.
Mitigation Strategies
The FBI, CISA, and ASD’s ACSC recommend organisations implement several key mitigations to limit potential adversarial use of common system and network discovery techniques. These measures are essential to reducing the risk of compromise by Play ransomware. Below is an overview of some of the recommended strategies:
- Regularly Update and Patch Systems: Ensure that all systems and software are up to date with the latest patches and updates. This helps close vulnerabilities that attackers could exploit.
- Implement Network Segmentation: Divide your network into segments to limit the spread of ransomware and other malicious activities. This can help contain the damage in case of an intrusion.
- Use Multi-Factor Authentication (MFA): Enforce the use of MFA for accessing critical systems and sensitive data. MFA adds an extra layer of security, making it harder for attackers to gain unauthorised access.
- Monitor Network Traffic: Continuously monitor network traffic for unusual activity that could indicate an intrusion. Use advanced threat detection tools to identify and respond to potential threats in real-time.
- Backup Data Regularly: Maintain regular backups of critical data and store them in a secure, offsite location. Ensure that backups are not connected to the main network to prevent ransomware from encrypting them as well.
- Deploy Endpoint Protection: Use robust endpoint protection solutions to detect and block malicious activities on individual devices. This includes utilising anti-malware and anti-ransomware tools.
Applying these mitigations can help organisations significantly reduce the risk of compromise by Play ransomware and other similar threats. For a comprehensive guide and detailed recommendations, refer to the #STOPRANSOMWARE Play Ransomware guide.
Conclusion
The successful detection and containment of the Play ransomware intrusion highlight the vital importance of proactive security measures in today's digital landscape. This incident underscores the need for organisations to be vigilant and adopt comprehensive strategies, including Managed Detection and Response (MDR) services. By leveraging the Trend Micro MDR service, organisations benefit from continuous monitoring and expert analysis 24/7/365. Additionally, layered defences, using a range of security tools and practices as referenced in the #STOPRANSOMWARE guide, are essential to create a robust barrier against sophisticated and evolving cyber threats.
For further information on the Play ransomware group, read Trend Micro’s Ransomware Spotlight post to learn some interesting facts about the group.
Indicators of Compromise (IoC)
| Name/Detail | Indicator | Trend Micro Detection/OAT |
| --- | --- | --- |
| SYSTEMBC | File Name: Socks32.dll | Backdoor.Win32.COROXY.SMRTI |
| GRIXBA | File Name: GT_NET.exe | Trojan.MSIL.GRIXBA.A |
| PsExec | File Name: PsExec.exe | OAT: Suspicious File Creation in Uncommon Folder |
| Registry Modification | Process Command: "C:\Windows\system32\reg.exe" add "\\<IP ADDRESS>\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f | OAT: RDP Setting Modification Via Reg.exe |
| LSASS Process Memory Dump | Process File Path: C:\Windows\System32\Taskmgr.exe | OAT: Dump LSASS Process Memory via Taskmgr |