top of page
  • Inception Security

Play Ransomware Group

The Play ransomware group has been making headlines recently due to its use of a new method to exploit vulnerabilities in Microsoft Exchange. Dubbed the ProxyNotShell vulnerabilities (CVE-2022-41080 and CVE-2022-41082), this method exploits the Outlook Web Application frontend to reach the Powershell remoting service in Exchange. Researchers at CrowdStrike discovered this method while investigating recent Play ransomware incidents and dubbed it OWASSRF.


The Play group is a newer player in the ransomware scene, having been active since June. They are known for using a range of tactics to gain initial access to an organization's network, including:

  • Exploiting known valid accounts: This can occur when an employee falls victim to a phishing attack and inadvertently provides their login credentials to the attacker. Organizations must educate employees on the importance of not clicking on links or providing login credentials in response to suspicious emails.

  • Exposed Remote Desktop Protocol (RDP) servers: RDP is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. While RDP can be a helpful tool, it can also be a security risk if not correctly configured. It's essential for organizations to ensure that their RDP servers are not exposed to the internet and to implement strong authentication measures to prevent unauthorized access.

  • Vulnerabilities in FortiOS: In the past, the Play group has exploited known vulnerabilities in FortiOS, specifically CVE-2018-13379 and CVE-2020-12812. These vulnerabilities, if left unpatched, can provide attackers with a way into an organization's network.

Once the Play group has gained access to an organization's network, they use "lolbins" binaries to distribute executables within the internal network. "Lolbins" is a term used to describe legitimate binaries that attackers can abuse for malicious purposes. Some examples of "lolbins" that the Play group has been known to use include:

  • Group Policy Objects

  • Scheduled tasks

  • PsExec

  • Wmic

After gaining full access to the network, the Play group proceeds to encrypt files with the ".play" extension. This type of attack, known as ransomware, can have severe consequences for organizations. Ransomware attacks can result in the following:

  • Loss of access to essential data

  • Disruption of business operations

  • Financial loss

Organizations must have proper backup and recovery measures to protect against ransomware attacks.


It's worth noting that the Play group shares some tactics and tools with the Hive group. This is not the first time the Play group has made headlines for exploiting vulnerabilities. In the past, they have exploited known vulnerabilities in FortiOS, specifically CVE-2018-13379 and CVE-2020-12812. These vulnerabilities, if left unpatched, can provide attackers with a way into an organization's network.


Microsoft released patches for the ProxyNotShell vulnerabilities in November, which protect against both previously known and the newly discovered exploit method used by the Play group. Organizations must ensure that all their systems are updated with the latest patches to protect against these attacks.


In conclusion, the Play ransomware group is a newer player in the cybersecurity threat landscape. Still, they have already made a name for themselves by exploiting known vulnerabilities and using various tactics to gain initial access to an organization's network. Organizations must be vigilant and implement robust security measures to protect against these attacks. This includes educating employees on cybersecurity best practices, regularly patching systems, and having proper backup and recovery.


We are here to help!


Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and can provide value to your business immediately.


Contact Inception Security if your company is looking for advisory services.

bottom of page