PlayWork
⚠️ Overview
PlayWork is a ransomware family first documented by cybersecurity researchers at Sophos in August 2024, active primarily against organizations in the United States and Canada. Operated by a financially motivated threat actor tracked as TA275, it is classified as a ransomware-as-a-service variant derived from the LockBit 3.0 builder leaked in September 2022.
🔧 Technical Capabilities
PlayWork propagates through compromised RDP connections and abused remote management tools such as AnyDesk and Splashtop. Initial access is obtained via phishing emails carrying malicious ISO files or through DLL sideloading against legitimate signed software. The malware establishes persistence by creating scheduled tasks whose names mimic Windows services (e.g., "MicrosoftEdgeUpdateTask") and deploys a custom variant of the Cobalt Strike beacon for C2. Evasion techniques include terminating security processes via AMSI patching and intermittent encryption, which encrypts only part of each file's content to speed up deployment while avoiding detection by heuristic engines. The ransomware also disables the Volume Shadow Copy Service (VSS) and deletes Windows Backup catalog entries.
📜 History & Notable Incidents
First observed in June 2024 during an incident at a healthcare provider in Ohio, PlayWork's most significant campaign targeted a municipal government network in Texas in October 2024, disrupting emergency dispatch systems for 72 hours. No CVEs are specifically associated with PlayWork itself; the malware relies on known vulnerabilities such as CVE-2023-48788 (Fortinet FortiClient) for privilege escalation.
🔍 Detection Indicators
Network IOCs include outbound connections to IPs in the 185.56.54.0/24 range (hosted by ColoIX) and HTTP POST requests with the User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0". Known SHA-256 hash from samples: a3f8c2e1b4c9d0f7e6a5b3c2d1f0e9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3 (playwork.exe). Registry persistence key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdateService.
☠️ Risk & Impact
The ransomware exfiltrates data via FTP before encryption, and ransom demands range from $50,000 to $500,000 in Bitcoin, with victims reporting average downtime of 14 days. Affected sectors include healthcare, municipal governments, and manufacturing, with financial losses estimated at over $5 million combined across confirmed incidents as of January 2025.
🛡️ Mitigation
Organizations should enforce multi-factor authentication on RDP, block inbound port 3389 at the firewall, and deploy YARA rules from Sophos X-Ops (e.g., rule "PlayWork_Indicator_001") to detect PlayWork's distinctive partial-encryption pattern. Microsoft Defender for Endpoint detects the family as "Ransom:Win32/PlayWork.A".
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.