Sophos X-Ops · @SophosXOps
Server infosec.exchange

New bullies on the block: They don’t PLAY nice.

In mid-November 2022, X-Ops responded to an incident where PLAY , also known as , was found in an under-protected environment.

PLAY is a relatively new ransomware variant, first reported in mid-July of 2022. It deploys a variety of commonly abused tools, similar to other Ransomware-as-a-Service (RaaS) deployments such as Hive or Nokoyawa. In this thread we’ll walk through what Sophos X-Ops researchers @bencrypted and @th3_protoCOL saw in their analysis – a process our Rapid Response team observed in reverse, starting their work with this customer when they were called in at the 14-day mark.

The IoCs provided in this writeup are available on our GitHub: github.com/sophoslabs/IoCs.

#sophos #ransomware #playcrypt #threatintel #infosec #ioc #sophosxops

Last updated 2 years ago

I've had a look at , aka . And it seems to me that there is more than meets the eye when it comes to negotiations management. At first, it looks like "just" e-mail. But I suspect there's more to it than just that. More about it in this piece (sorry, it's in French): lemagit.fr/actualites/25252779

#play #playcrypt #ransomware

Last updated 2 years ago