  • T6-25–01–S–E–CL
  • Ransomware (Play)

    Play (PlayCrypt) ransomware is distributed mainly as Windows executables (with Linux/ESXi variants observed) and, when executed, performs intermittent (partial-chunk) encryption of important files. Encrypted files are typically saved with a .play or similar extension; the Advanced Encryption Standard (AES) file-encryption keys are protected with the Rivest-Shamir-Adleman (RSA) algorithm and held by the attacker, so decryption requires the attacker's private key.

    Key features:

    1. Encryption method — Uses AES (AES-256) for file encryption and RSA to protect the AES keys (hybrid symmetric/asymmetric design).
    2. Encryption behavior — Performs intermittent/partial encryption (only some chunks of files are encrypted) to speed up operation and evade detection.
    3. Scope & tactics — Carries out data exfiltration for double-extortion and targets not only user directories but also network drives, attached storage, and VM/ESXi hosts.
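As an added defensive check (written here for illustration, not code from this dataset or its PoC), the Python heuristic below computes per-chunk Shannon entropy and flags files in which ciphertext-like and plaintext-like chunks coexist, the profile that intermittent encryption leaves behind and that a whole-file entropy check misses; the 4 KiB chunk size and the entropy thresholds are assumptions, not Play's actual parameters.

```python
"""Flag files showing the mixed-entropy profile left by intermittent (partial-chunk) encryption.
Added illustration, not part of the dataset or its PoC; chunk size and thresholds are assumptions."""
import math
import os
import secrets
from collections import Counter

CHUNK_SIZE = 4096    # assumed analysis window, not Play's real encryption stride
HIGH_ENTROPY = 7.5   # bits/byte: ciphertext (or compressed data, a known false-positive source)
LOW_ENTROPY = 6.0    # bits/byte: typical text/document plaintext
MIN_CHUNK = 512      # skip tiny trailing chunks, whose entropy is capped by their length

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, approaching 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(blob: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy per fixed-size chunk, ignoring a trailing chunk shorter than MIN_CHUNK."""
    chunks = (blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size))
    return [shannon_entropy(c) for c in chunks if len(c) >= MIN_CHUNK]

def looks_partially_encrypted(blob: bytes, chunk_size: int = CHUNK_SIZE) -> bool:
    """True only when ciphertext-like and plaintext-like chunks coexist: a fully encrypted
    file is uniformly high, an untouched file uniformly low, so interleaving is the tell."""
    ents = chunk_entropies(blob, chunk_size)
    return any(e >= HIGH_ENTROPY for e in ents) and any(e <= LOW_ENTROPY for e in ents)

def scan_directory(root: str) -> list:
    """Paths under root whose contents match the intermittent-encryption profile."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if looks_partially_encrypted(fh.read()):
                    hits.append(path)
    return hits

def build_sample(pattern: str, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed input: 'P' = plaintext-like chunk, 'E' = random (encrypted-like) chunk."""
    text = (b"Quarterly report: revenue figures and notes. " * 100)[:chunk_size]
    return b"".join(secrets.token_bytes(chunk_size) if k == "E" else text for k in pattern)
```

Compressed or already-encrypted archives are uniformly high-entropy and are not flagged, while a plaintext document with an embedded compressed image can trigger a false positive, so treat hits as triage candidates alongside the .play extension and the collected event logs.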
  •            OS                 IP               Software   Log collection time   Program runtime
    Attacker   -                  -                -          133 sec               200 sec
    Victim     Windows 10 (1903)  192.168.56.104   -

  • Installation
  • python3 -m pip install -r requirements.txt

  • Usage
  • ※ The instability of the PoC may cause intermittent remote connection failures.

    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2025_01_T6_{time}.evtx # YYmmdd_HHMMSS



  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.