
REPLAY: Revisiting Play Ransomware Anti-Analysis Techniques

Published 09/08/2024 11:19 · Modified 09/08/2024 11:39


Essential information

Published
09/08/2024 11:19
Modified
09/08/2024 11:39
Tags
2024-08-09 anti-analysis playcrypt ransomware
Related entities
4 observables, 1 intrusion sets (apt), 7 techniques (mitre), 2 malware

Description

This analysis revisits the techniques employed by recent variants of the Play ransomware, which is known for targeting industries such as healthcare and telecommunications across various regions. The report explains how the ransomware uses techniques such as return-oriented programming (ROP), anti-disassembly tricks, junk code insertion, abuse of the Structured Exception Handling (SEH) mechanism, string obfuscation, and API hashing to hinder analysis and detection. Scripts developed by Netskope Threat Labs to help counter these techniques are also discussed.

External references