Analyzing Play and LockBit: The Top Ransomware Threats Facing Retailers

November 07, 2024 5 Minute Read

This blog is the latest in a series that delves into the deep research conducted daily by the Trustwave SpiderLabs team on major threat actor groups currently operating globally.

Retailer databases are chock-full of information that makes them highly attractive targets for ransomware gangs, as highlighted by Trustwave SpiderLabs in its recent 2024 Trustwave Risk Radar Report: Retail Sector.

Trustwave SpiderLabs' research revealed that LockBit and Play ransomware were the top two ransomware groups targeting this sector. However, LockBit, which has been the leading variant in this category, is losing ground to Play and other ransomware types and gangs. The report noted that in 2023, LockBit was responsible for 34% of all attacks, while Play was responsible for 9%. In 2024, the duo accounts for 30% of all attacks, with 15% each.

LockBit and its variants have been top-tier ransomware threats since 2020, while Play is a relative newcomer, actively in use since 2022.

With the holidays approaching and retailers concerned about all manners of theft, let's take a look how Trustwave SpiderLabs and CISA break down Play and LockBit, including how each operates, and the defensive steps that can be taken.

Let's Play

According to CISA and the FBI, Play (aka Playcrypt) has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.

The Play ransomware group is believed to operate as a closed entity, ensuring the confidentiality of its operations, as stated on its data leak website. They use a double-extortion tactic, encrypting systems after stealing data. Instead of specifying a ransom amount or payment instructions in their notes, they direct victims to reach out via email.

Breaking Down Play

1. Initial Access
   The Play ransomware group gains initial access to victim networks by abusing valid accounts and exploiting public-facing applications. They specifically target known vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082). Additionally, they use external-facing services like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.
2. Discovery and Defense Evasion
   To gather information and evade defenses, Play ransomware actors use tools such as AdFind for Active Directory queries (TA0007) and Grixba, an information-stealer, to enumerate network information and scan for antivirus software. They also employ tools like GMER, IOBit, and PowerTool to disable antivirus software and remove log files. In some cases, they use PowerShell scripts to target Microsoft Defender.
3. Lateral Movement and Execution
   Play ransomware actors use legitimate command-and-control (C2) applications, including Cobalt Strike and SystemBC, as well as PsExec, to assist with lateral movement and file execution. They search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access. To further identify vulnerabilities, they use Windows Privilege Escalation Awesome Scripts (WinPEAS). Executables are distributed via Group Policy Objects.
4. Exfiltration and Encryption
   Play ransomware actors split compromised data into segments and use tools like WinRAR to compress files into .RAR format for exfiltration. They then use WinSCP to transfer data from the compromised network to actor-controlled accounts. After exfiltration, files are encrypted with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes. System files are skipped during encryption. A .play extension is added to filenames, and a ransom note titled ReadMe[.]txt is placed in the file directory C:.
5. Impact
   The Play ransomware group employs a double-extortion model, encrypting systems after exfiltrating data. The ransom note instructs victims to contact the group via an email address ending in @gmx[.]de. Ransom payments are made in cryptocurrency to wallet addresses provided by the actors. If the ransom is not paid, the actors threaten to publish the exfiltrated data on their leak site on the Tor network.

Play Time is Over

The FBI and CISA recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).

Some recommendations include:

• Create and implement a recovery plan.
• Require all accounts with password logins to comply with NIST's standardsfor developing and managing password policies.
• Require multifactor authentication.
• Keep all operating systems, software, and firmware up to date.

• Segment networks.
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.

• Filter network traffic.
• Maintain offline backups of data and ensure backup data is encrypted.

LockBit: The Aging Champ

LockBit is a formidable ransomware-as-a-service provider and among the most active in the world, measured by the number of victims claimed on its Dark Web site. The FBI has recorded about 1,700 attacks, netting around $91 million from its victims.

Trustwave SpiderLabs research noted the ransomware is continuously upgraded, version 3.0 is now in use, and it is an opportunistic attacker, that leverages double extortion techniques as part of the attack to pressure victims into paying the ransom. However, it does have a language parameter it follows and will not attack sites using Russian, Belarusian, Tajik, Armenian, among other former Soviet Republics.

LockBit has continuously updated its malware, with LockBit 3.0, aka LockBit Black, being the current version in mainstream use. This version is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware, according to CISA.

Some of the methods LockBit uses to successfully attract affiliates include, but are not limited to:

• Assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group, which stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates' cut.
• Disparaging other RaaS groups in online forums.
• Engaging in publicity-generating stunts, such as paying people to get LockBit tattoos and offering a $1 million bounty on information related to the real-world identity of LockBit's lead, who goes by the persona "LockBitSupp."
• Developing and maintaining a simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skill.

Based on secondary sources, CISA noted that affiliates exploit older vulnerabilities like CVE-2021-22986, F5 iControl REST unauthenticated Remote Code Execution Vulnerability, as well as newer vulnerabilities such as:

• CVE-2023-0669: Fortra GoAnyhwere Managed File Transfer (MFT) Remote Code Execution Vulnerability
• CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability

LockBit affiliates have been documented exploiting numerous CVEs, including:

• CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability
• CVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability
• CVE-2020-1472: NetLogon Privilege Escalation Vulnerability
• CVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability
• CVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path Traversal Vulnerability.

Double Locked

When LockBit affiliates attack an organization that manages other companies' networks, CERT NZ (which partnered with CISA on its LockBit report) observed them attempt secondary ransomware extortion after deploying the LockBit variant on the primary target. Following the initial attack, LockBit affiliates proceed to extort the primary organization's customers by deploying secondary ransomware to disrupt the services these customers rely on. Additionally, these affiliates may further pressure the primary target's customers by threatening to release sensitive customer data.

Picking Apart LockBit

CISA noted in its advisory that implementing multiple mitigations with a defense-in-depth approach can help protect against ransomware.

To stop LockBit from gaining initial access, security teams should consider implementing sandboxed browsers to protect systems from malware originating from web browsing, implementing strong password protection guidelines, using an email security solution to filter malicious emails, and installing a web application firewall.

If access is gained, CISA noted organizations can still limit execution by developing and regularly updating comprehensive network diagrams, controlling and restricting network connections, enabling enhanced PowerShell logging, and configuring the Windows Registry to require UAC approval for any PsExec operations.

Privilege escalation can be limited or eliminated by disabling command-line and scripting activities and permissions, enabling Credential Guard, and implementing a local administrator password solution where possible.

Exfiltration of data can be interrupted by blocking connections to known malicious systems using a Transport Layer Security (TLS) Proxy. Malware often uses TLS to communicate with threat actors' infrastructure. By using feeds for known malicious systems, the establishment of a connection to a C2 server can be prevented. Additionally, CISA recommends using web filtering or a Cloud Access Security Broker (CASB) to restrict or monitor access to public file-sharing services that may be used to exfiltrate data from a network.

The final point made by CISA is to exercise, test, and validate your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in its advisory.

Trustwave Strengthens Partnership with Microsoft to Enhance Cybersecurity in APAC

Microsoft Copilot for Security Brings an AI Assist - Even to Your MDR Provider

$500,000 HHS Fine Underscores the Need for Security and Compliance in Healthcare