Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model — stealing sensitive data before encrypting files and appending them with the “.PLAY” extension.
Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide.
Recent investigations have revealed possible connections between Play ransomware and the North Korean-linked Andariel group. Research by cybersecurity firm AhnLab suggests that Andariel utilizes malware like Sliver and DTrack for reconnaissance and data theft prior to deploying ransomware attacks. The group’s history with advanced ransomware strains such as SHATTEREDGLASS and Maui highlights the increasing sophistication of Play ransomware operations.
Exploitation of Security Vulnerabilities
Play ransomware exploits vulnerabilities in widely used systems to gain unauthorized access. Notable targets include:
- ProxyNotShell (CVE-2022-41040, CVE-2022-41082): Flaws in Microsoft Exchange Server exploited for initial network infiltration.
- FortiOS Vulnerabilities (CVE-2020-12812, CVE-2018-13379): Security gaps in Fortinet products leveraged for un
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from CySecurity News – Latest Information Security and Hacking IncidentsRead the original article: