The Play Ransomware Gang's Attack on Intoximeters

The Play ransomware gang has attacked Intoximeters. Intoximeters is a breath alcohol tester manufacturer headquartered in St Louis, Missouri. It was founded in 1945 and primarily supplies law enforcement and the industrial occupational health sector. Play posted Intoximeters to its data leak site on June 27th, threatening to publish all stolen data on July 3rd if the organization fails to pay the ransom.

Background on Play Ransomware

Play ransomware (aka PlayCrypt) is a newer ransomware group that emerged in the summer of 2022 with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. Play has similarities to Hive ransomware and is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT for persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques. Play continued to increase attacks through the end of 2022 and into 2023.

Ransom Demands and Threats

There is little information on how much Play demands for a ransom, but they have made good on their threats to leak the data of those who refuse payment.

Technical Tactics and Exploits

Play is an evolving RaaS platform known to exploit a known Exchange vulnerability (CVE-2022-41080 - patched by Microsoft in November of 2022) that allows them to leverage a second vulnerability with a ProxyNotShell exploit (CVE-2022-41082) even if a patch had been applied, which then allows the attackers to execute code on the systems remotely. Play leverages PowerTool to disable antivirus tools and security monitoring solutions.