Play attacks Venture Plastics

Incident Date: Oct 20, 2023

Attack Overview
VICTIM
Venture Plastics
INDUSTRY
Manufacturing
LOCATION
USA
ATTACKER
Play
FIRST REPORTED
October 20, 2023

The Play Ransomware Gang's Attack on Venture Plastics

The Play ransomware gang has attacked Venture Plastics. Venture Plastics is a plastic injection molding company that provides custom injection molding and value-added manufacturing services. It specializes in producing plastic parts and components for a wide range of industries, including automotive, consumer goods, industrial, medical, and more. Play posted Venture Plastics to its data leak site on October 20th, threatening to publish all stolen data by October 24th if the organization fails to pay an unspecified ransom.

Background on Play Ransomware

Play (aka PlayCrypt) is a RaaS emerged in the summer of 2022 and is noted for having similarities to Hive and Nokoyawa ransomware strains. Play often compromises unpatched Fortinet SSL VPN vulnerabilities to gain access. Play has been observed leveraging Process Hacker, GMER, IOBit and PowerTool to bypass security solutions as well as PowerShell or command script to disable Windows Defender.

Notable Attacks and Techniques

Play made headlines with high-profile attacks on the City of Oakland, Argentina's Judiciary and German hotel chain H-Hotels, as well as exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS). Play is an evolving RaaS platform known to leverage PowerTool to disable antivirus and other security monitoring solutions and SystemBC RAT for persistence. Play is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT executables and legitimate tools Plink and AnyDesk to maintain persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques. Play also abuses AdFind for command-line queries to collect information from a target’s Active Directory.

Play first introduced the intermittent encryption technique for improved evasion capabilities. Play also developed two custom data exfiltration tools - the Grixba information stealer and the open-source VSS management tool AlphaVSS - that improve efficiency in exfiltrating sensitive information on the targeted network, as well the open-source VSS management tool AlphaVSS. Play has been observed leveraging exploits including ProxyNotShell, OWASSRF and a Microsoft Exchange Server RCE.

Geographical Focus and Tactics

Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, but have attack outside of that region. Play was observed to be running a worldwide campaign targeting managed service providers (MSPs) in August in an attempt to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks. Play employs tactics similar to both the Hive and Nokoyawa ransomware gangs and engages in double extortion by first exfiltrating victim data with the threat to post it on their “leaks” website.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.