The Play ransomware began its activities in June 2022. Since then, many businesses and government institutions have fallen victim to the Play ransomware.
Among them is the Judiciary of Cordoba in Argentina. A large case that involved companies such as Microsoft, Cisco and Trend Micro for the investigation into the attack.
Because of the event, the IT system of the Cordoba Court had to close temporarily and employees resumed the use of pen and paper to send official documents.
In March, the Judiciary of Cordoba had already suffered an attack by the Lapsus$ ransomware, where employees’ emails were leaked. The exact entry point of this recent attack is not known, but researchers surmise that the Play group may have used leaked emails to conduct phishing campaigns and steal access credentials.
Based on recent attacks by the Play group, including the one on the Judicial Power of Cordoba, we can analyze some characteristics of the Play ransomware.
We know that the encryption used in the Play group attacks is very robust. In fact, the malware uses a hybrid RSA and AES type encryption, combining the strengths of both types of encryption.
In addition, the ransomware executable is highly obfuscated with various anti-analysis techniques, quickly making the Play ransomware invisible to virus protection programs.
With these techniques, the ransomware is able to do all its encryption and lateral movement work to generate maximum damage on the victim’s system. All this without arousing any suspicion on the part of the user or the machine.
After encrypting the file, the ransomware adds the extension “.play” to the original file name. Once the file is renamed, it becomes inaccessible.
So far, there have been no leaks from the Play group of files allegedly stolen during attacks. Which leads researchers to conclude that perhaps there is no theft of the data before the encryption is done.
What reinforces this idea is the ransom note left by the attackers at the root of the disk (C:\). It is common that in ransomware attacks, the attacks leave a ransom note with instructions on how to contact the group, pay the ransom, and of course certain dire threats such as pressure to pay the ransom.
However, the group behind the Play ransomware has taken a very different approach. Yes, a ReadMe.txt text file is generated in the environment, but its content is ridiculously short and boils down to two simple lines. Name, contact email and nothing else.
Recover files encrypted by Play ransomware
Digital Recovery has been in the data recovery market for over 23 years and is positioned today as one of the best alternatives in the ransomware attack landscape.
Established in 6 countries, we have been able to bring our support and technology to help hundreds of ransomware attack victims around the world.
We have been able to develop unique solutions that allow us to recover ransomware-encrypted data on any storage device such as databases, servers, RAID systems, virtual machines, storage devices, and more.
Our team is composed of efficient professionals who are passionate about new challenges.
We value confidentiality and act in the project with the necessary secrecy because we know how valuable a company’s data is. And, of course, we provide our clients with a confidentiality agreement (NDA).
In most cases we operate entirely remotely. So wherever you are, Digital Recovery may have the solution for you.
Just contact our team and we will perform an advanced diagnostic for the recovery of your data.