The PLAY ransomware group, a prolific cybercrime collective linked to North Korean state-sponsored actors, has intensified its U.S.-focused campaign by listing two new victims on its dark web portal: human resources firm Alcott HR Group and financial institution First Federal Savings & Loan Association.
The group threatens to publish stolen data on March 1, 2025, unless ransom demands are met, leveraging its signature double extortion model combining file encryption and sensitive data exfiltration.
This escalation follows PLAY’s compromise of over 300 organizations since 2022, including high-profile attacks on municipal governments and healthcare providers.
Technical Analysis of PLAY’s Attack Methodology
According to the post from FalconFeeds.io, PLAY operators infiltrated Alcott HR and First Federal using a multi-layered approach beginning with the exploitation of Fortinet SSL VPN vulnerabilities CVE-2018-13379 and CVE-2020-12812.

These flaws, patched in 2020 but still exploited on systems that never received the updates, allowed attackers to bypass multi-factor authentication (MFA) and download system files to harvest credentials.
The subsequent lateral movement utilized compromised domain administrator accounts and PsExec executions via Group Policy Objects (GPOs), enabling ransomware deployment across network shares.
Data Exfiltration and Encryption Tactics
The group deployed its custom .play ransomware variant, which employs intermittent encryption to evade detection—a technique that selectively encrypts file segments rather than entire documents.
Concurrently, PLAY exfiltrated 2.1 TB of sensitive HR records from Alcott and 890 GB of financial transaction data from First Federal, according to their dark web leak portal.
The ransomware’s kill chain included disabling endpoint protection via registry edits (e.g., DisableAntiSpyware DWORD modifications) and deleting Volume Shadow Copies to prevent recovery.
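As an added illustration (not code from the article or from FalconFeeds.io), the following Python routine flags the two kill-chain steps just described in parsed Sysmon-style events and escalates any host that shows both. The event fields, host names and sample events are constructed for the example.

```python
import re

# Constructed Sysmon-style events, already parsed into fields by a SIEM.
# Sample data for illustration only, not telemetry from the incidents above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "HR-FS01", "User": "CORP\\svc_backup",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Host": "HR-FS01", "User": "CORP\\svc_backup",
     "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\""
                    " /v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"EventID": 13, "Host": "FIN-DC02", "User": "CORP\\admin",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Host": "FIN-WS17", "User": "CORP\\jdoe",
     "CommandLine": "notepad.exe quarterly_report.txt"},
    {"EventID": 1, "Host": "FIN-WS17", "User": "CORP\\jdoe",
     "CommandLine": "vssadmin.exe list shadows"},  # benign: listing, not deleting
]

SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
DEFENDER_OFF_CMD = re.compile(r"\bDisableAntiSpyware\b.*\s/d\s+1\b", re.I)
DEFENDER_OFF_KEY = re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I)


def classify(event):
    """Return the TTP labels an event matches; an empty list means nothing flagged."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # Sysmon process creation: inspect the command line
        cmd = event.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow-copy-deletion")
        if DEFENDER_OFF_CMD.search(cmd):
            hits.append("defender-disable")
    elif eid == 13:  # Sysmon registry value set: inspect key path and data
        if (DEFENDER_OFF_KEY.search(event.get("TargetObject", ""))
                and "0x00000001" in event.get("Details", "")):
            hits.append("defender-disable")
    return hits


def hosts_by_ttp(events):
    """Map each flagged host to the set of TTP labels observed on it."""
    seen = {}
    for ev in events:
        for label in classify(ev):
            seen.setdefault(ev["Host"], set()).add(label)
    return seen


def kill_chain_hosts(events):
    """Hosts showing both recovery inhibition and AV tampering: triage these first."""
    return sorted(h for h, ttps in hosts_by_ttp(events).items()
                  if {"shadow-copy-deletion", "defender-disable"} <= ttps)


if __name__ == "__main__":
    for host, ttps in hosts_by_ttp(SAMPLE_EVENTS).items():
        print(host, sorted(ttps))
    print("escalate:", kill_chain_hosts(SAMPLE_EVENTS))
```

Single matches still deserve review, but a host that pairs shadow-copy deletion with Defender tampering is usually minutes from encryption and should be isolated first.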
Coordination with DPRK-Aligned Threat Actors
Forensic artifacts from recent attacks, including shared command-and-control (C2) infrastructure at 68.235.184[.]54 and the use of DPRK-linked Mimikatz credential dumpers, corroborate PLAY’s ties to North Korean APT groups like Kimsuky.
This relationship enables resource pooling for high-impact attacks, particularly against entities with cyber insurance policies that increase the likelihood of ransom payments.
Implications for Targeted Sectors
Alcott HR’s breach exposes Personally Identifiable Information (PII) for 214,000 employees across client organizations, violating GDPR and CCPA compliance mandates.
First Federal’s compromise risks SWIFT transaction records and account details, potentially triggering FINRA penalties and liquidity crises if customer confidence erodes.
PLAY’s scheduled March 1 leak coincides with quarterly financial reporting deadlines, maximizing pressure on victims to negotiate.
Geopolitical Motivations
The dual targeting of HR and financial firms aligns with DPRK’s strategic priorities to acquire foreign currency through ransomware and disrupt Western economic infrastructure. Blockchain analysis reveals that 43% of PLAY’s ransom payments since 2023 were laundered through mixers linked to Lazarus Group wallets.
Mitigation Strategies and Industry Response
CISA has reissued alerts urging immediate patching of Fortinet VPNs and Microsoft Exchange servers vulnerable to ProxyNotShell (CVE-2022-41040) and OWASSRF (CVE-2022-41080) exploits used in PLAY’s reconnaissance phase.
Network segmentation between VPN gateways and domain controllers is recommended to contain credential harvesting.
Enhanced Monitoring and Backups
FalconFeeds.io, restored after a January 2024 compromise, continues tracking PLAY’s leak site activity, noting a 17% increase in financial sector targeting since Q4 2024.
Organizations are advised to implement immutable backups with 3-2-1 redundancy and conduct weekly restoration drills to ensure resilience against encryption attacks.
As the March 1 deadline approaches, the FBI’s Cyber Division is coordinating with FS-ISAC to disseminate IOCs from recent campaigns, including ransomware binary hashes (e.g., SHA-256: a1b3c7…) and malicious IPs.
However, PLAY’s evolving tactics underscore the necessity for real-time threat intelligence integration and zero-trust architectures to combat one of 2025’s most formidable ransomware threats.