The ransomware strain known as Play is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed.
"The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the cybersecurity company said in a report shared with The Hacker News.
The findings are based on various Play ransomware attacks tracked by Adlumin spanning different sectors that incorporated almost identical tactics and in the same sequence.
This includes the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts, and both attacks, and the same commands.
Play, also called Balloonfly and PlayCrypt, first came to light in June 2022, leveraging security flaws in Microsoft Exchange Server – i.e., ProxyNotShell and OWASSRF – to infiltrate networks and drop remote administration tools like AnyDesk and ultimately deploy the ransomware.
Besides using custom data gathering tools like Grixba for double extortion, a notable aspect that set Play apart from other ransomware groups was the fact that the operators in charge of developing the malware also carried out the attacks.
The new development, therefore, marks a shift and completes its transformation into a RaaS operation, making it a lucrative option for cybercriminals.
"When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use," Adlumin said.
"And since there are probably more script kiddies than 'real hackers' today, businesses and authorities should take note and prepare for a growing wave of incidents."