Play Ransomware Group Targeting MSPs Worldwide in New Campaign

Published: 23/11/2024   Category: security




Attackers use remote monitoring and management tools at MSPs to gain unfettered access to target networks.



The fast-rising Play ransomware group that targeted the City of Oakland earlier this year is now hitting managed service providers (MSPs) around the globe in a cyberattack campaign to distribute ransomware to their downstream customers.
One troublesome aspect of the campaign is the threat actor's use of intermittent encryption — where only parts of a file are encrypted — to try to evade detection.
Play's targets appear to be midsized businesses in the finance, legal, software, shipping, law enforcement, and logistics sectors in the US, Australia, UK, Italy, and other countries, Adlumin said in a report this week. Researchers at Adlumin, who are tracking the campaign as PlayCrypt, say the attacker is also targeting state, local, and tribal entities in these countries.
As with other attacks involving MSPs, the Play or PlayCrypt group breaks into MSP systems and uses their remote monitoring and management (RMM) tools to get unfettered access to the networks and systems of the MSPs' customers. It is a tactic that other threat actors have used with substantial impact. The most notable example remains the REvil ransomware group's attack on multiple MSPs via vulnerabilities in
Kaseya's Virtual System Administrator (VSA) network monitoring tool. The attack resulted in the encryption of data on the systems of more than 1,000 customers of these MSPs.
Kevin O'Connor, director of threat research at Adlumin, says his company's research shows the threat actors gain access to privileged management systems and RMM tools via a phishing campaign that targets employees at MSPs. "[This] leads to compromise of their systems and access either through direct exploitation or credential harvesting and reuse," he says.
Once the Play actors gain access to a customer environment — via the victim's MSP — they move quickly to deploy additional exploits and broaden their foothold, Adlumin said in a report this week. In some cases, they have exploited vulnerabilities in Microsoft Exchange Server. Examples include
CVE-2022-41040
, a privilege escalation bug that attackers were exploiting before Microsoft had a fix for it, and
CVE-2022-41082
, a remote code execution bug that was also a zero-day at the time of disclosure. Adlumin researchers have also observed Play actors exploit other, relatively old vulnerabilities in Fortinet appliances — such as
CVE-2018-13379,
a five-year-old path traversal flaw in FortiOS, and
CVE-2020-12812
, a security bypass flaw in FortiOS.
Play's other post-compromise tools include exploits for the
ProxyNotShell vulnerabilities
of 2022, server-side request forgery (SSRF), and legitimate PowerShell scripts that allow the threat actor to camouflage malicious activity. Adlumin spotted the threat actor distributing executables via Group Policy Objects, scheduled tasks, and the PsExec utility for remote process execution.
"Attackers leveraged the exploits post-initial compromise for lateral movement and internal spread," O'Connor says. "Initial compromise was through illegitimate access / usage of Remote Monitoring and Management (RMM) tools."
The Play ransomware tool itself is a pretty sophisticated piece of work, according to Adlumin. One feature that merits special attention is its use of intermittent encryption to make data inaccessible on victim systems. With intermittent encryption, only certain fixed segments of data in a target file get encrypted. The approach allows for faster encryption — a fact that threat actors like because it means they can accomplish their task faster — while also rendering data inaccessible for victims.
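The distribution mechanisms named above (scheduled tasks and PsExec) leave host telemetry that a defender can match on. The following detection logic is an added example written for this page, not Adlumin's or Play's code: it runs over a handful of constructed Windows-style events in a simplified record form. Event IDs 7045 (service installed) and 4698 (scheduled task created) are real Windows event IDs; the field names, hostnames, paths and the "user-writable directory" list are this example's own assumptions. Group Policy-based distribution is not covered here.

```python
import re

# Constructed sample events (not real telemetry). Field names are a simplified
# rendering of the System 7045 and Security 4698 events, chosen for this example.
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS01", "channel": "Security", "event_id": 4698,
     "task_name": r"\Updater", "command": r"C:\Windows\Temp\svc.exe"},
    {"host": "WS07", "channel": "System", "event_id": 7045,
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WS07", "channel": "Security", "event_id": 4698,
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe"},
]

# Directories an ordinary domain user can typically write to (assumed list).
# A scheduled task whose binary lives there deserves a closer look.
WRITABLE_DIRS = re.compile(
    r"(\\Windows\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\\AppData\\)",
    re.IGNORECASE,
)
# The service PsExec installs on the remote host by default is named PSEXESVC.
PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)


def detect(events):
    """Return (host, finding, detail) tuples for events matching the two rules."""
    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045:
            name = ev.get("service_name", "")
            path = ev.get("image_path", "")
            if PSEXEC_SERVICE.search(name) or PSEXEC_SERVICE.search(path):
                findings.append((ev["host"], "psexec-service-install", name))
        elif eid == 4698:
            cmd = ev.get("command", "")
            if WRITABLE_DIRS.search(cmd):
                findings.append((ev["host"], "scheduled-task-from-user-writable-path",
                                 ev.get("task_name", "")))
    return findings


def hosts_with_remote_execution(events):
    """Hosts on which at least one of the rules fired; a starting point for triage."""
    return sorted({host for host, _, _ in detect(events)})


if __name__ == "__main__":
    for host, finding, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {finding} ({detail})")
    print("hosts to triage:", hosts_with_remote_execution(SAMPLE_EVENTS))
```

Both rules are deliberately narrow: PsExec can be told to use a different service name, and a task can point anywhere, so treat hits as a prompt to pull the full event stream for that host rather than as a verdict.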
However, intermittent encryption is not foolproof. Research from CyberArk on files encrypted in this manner shows that it is sometimes possible to recover data from files that are constructed a certain way. The company
released a free tool in May 2023
that gives victims of ransomware groups such as Play a chance at reconstructing locked-up data without having to pay for a decryption key.
Play is among a small set of attackers that have begun using the intermittent encryption approach. Adlumin has assessed that it was actually the first to adopt the ploy. Others include the operators of BlackCat, DarkBit, and BianLian.
O'Connor says Adlumin's telemetry shows that Play likely began operations around June 2022. The company's monitoring of Play's leak site on Tor shows that the threat group has claimed at least 150 victims so far in over one dozen countries.
Other vendors tracking the group have described it as a rapidly emerging threat but one with a tighter focus area. In recent reports, both
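Because intermittent encryption touches only fixed segments of a file, an encrypted file shows a tell-tale pattern of high-entropy windows alternating with untouched, low-entropy ones. The analyser below is an added example written for this page, not Play's code, CyberArk's tool, or anything from the Adlumin report: it measures Shannon entropy per fixed-size window and labels a file as plaintext, fully encrypted, partially encrypted (one boundary), or intermittently encrypted (alternating segments). The window size, entropy threshold and the constructed sample files are this example's own assumptions; the high-entropy filler is produced by chaining SHA-256 digests so the example runs offline, and it is not an encryption routine.

```python
import hashlib
import math
from collections import Counter

# Analysis parameters (assumptions for this example, not values from the report).
CHUNK_SIZE = 4096        # bytes per analysis window
HIGH_ENTROPY = 7.0       # bits/byte; ciphertext and compressed data sit near 8.0
SEGMENT_SIZE = 16384     # size of each constructed plaintext/ciphertext segment


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of every fixed-size window of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a file by the pattern of high-entropy windows it contains.

    Alternating high- and low-entropy runs (two or more boundaries) are the
    footprint intermittent encryption leaves; a single boundary usually means
    only the head or tail of the file was touched.
    """
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data, chunk_size)]
    if not high:
        return "empty"
    if all(high):
        return "fully-encrypted-or-compressed"
    if not any(high):
        return "plaintext"
    boundaries = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if boundaries >= 2 else "partially-encrypted"


# --- Constructed sample data (not real victim files) --------------------------

def _pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler from chained SHA-256 digests.

    Stands in for ciphertext so the example is reproducible offline.
    """
    out = bytearray()
    block = hashlib.sha256(seed).digest()
    while len(out) < n:
        out.extend(block)
        block = hashlib.sha256(block).digest()
    return bytes(out[:n])


def build_sample(layout: str) -> bytes:
    """Build a file from a layout string: 'P' = plaintext segment, 'E' = ciphertext-like segment."""
    text = b"Quarterly logistics report: shipment volumes by region and carrier.\n"
    plain = (text * (SEGMENT_SIZE // len(text) + 1))[:SEGMENT_SIZE]
    parts = []
    for i, kind in enumerate(layout):
        if kind == "P":
            parts.append(plain)
        elif kind == "E":
            parts.append(_pseudo_random_bytes(SEGMENT_SIZE, seed=b"segment-%d" % i))
        else:
            raise ValueError(f"unknown segment kind {kind!r}")
    return b"".join(parts)


if __name__ == "__main__":
    for layout in ("PPPP", "EEEE", "EPPP", "PEPE"):
        sample = build_sample(layout)
        windows = ["%.1f" % e for e in chunk_entropies(sample)]
        print(f"{layout}: {classify(sample):30s} windows={windows}")
```

The analysis window should be smaller than the segment size the ransomware uses, otherwise a window straddling a boundary averages the two regions and blurs the pattern; files that are natively high-entropy (archives, media, already-encrypted containers) will read as "fully-encrypted-or-compressed" regardless, so this check belongs alongside file-type and change-rate signals rather than on its own.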
Trend Micro
and
SOCRadar,
for instance, identified Latin America as Play's primary focus area. "Adlumin definitely does not observe that to be the current case with the group's targeting and the majority of victims now appear to be US or at least US/Europe based," O'Connor noted.
