Play Ransomware has posted a ransom warning on Empresa Argentina de Soluciones Satelitales Sociedad Anónima, usually known simply as ARSAT, Argentina’s state-owned telecommunications company, along with JMicron Technology, a Taiwanese integrated circuit design company.
Dark web researcher Dominic Alvieri tweeted the ransom note posted on the gang’s leak site. The post on 16 December gave a seven-day ultimatum for payment, with the threat to publish the data otherwise on 23 December. The details of the data accessed were not disclosed.
Play Ransomware posts JMicron Technology and ARSAT, Empresa Argentina de Soluciones Satelitales.
— Dominic Alvieri (@AlvieriD) December 16, 2022
ARSAT, owned by the Argentine Ministry of Federal Planning, Public Investment and Services (98%) and the Ministry of Economy and Public Finances (2%), is the country’s telecom monopoly.
ARSAT currently controls major telecom and communication domains through the countrywide digital terrestrial television network TDA, the Argentine geostationary communication satellite system SSGAT, and the federal fiber optics network RFFO.
The ransomware attack comes weeks after ARSAT signed an agreement with Paraguayan state-backed telecommunication company Copaco for launching cross-border connectivity.
Taiwan, semiconductor, and hackers
JMicron Technology is a Taiwanese manufacturer of integrated circuits, which produces controller chips for bridge devices that connect multiple LANs together.
The Taiwanese semiconductor industry has been in the cybersecurity news since researchers found that China-sponsored hackers compromised about seven chipmaker firms in a two-year campaign from 2018.
Researchers at Taiwanese cybersecurity firm CyCraft traced the attackers to mainland China and found links to the state-sponsored hacker group Winnti, which also operates under the aliases Barium and Axiom.
Play ransomware’s playbook
Play Ransomware, which differentiates itself with an unusual intermittent encryption technique, was in the news recently for its attack on the city of Antwerp, Belgium. Digipolis, the technology company that manages Antwerp’s IT systems, became Play’s victim last week, disrupting the city’s IT, email, and phone services.
“Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people,” read a recent assessment by Trend Micro.
The ransomware got its name from a quirk: it adds the extension “.play” after encrypting files. Even the ransom notes contain the word “PLAY” along with the group’s contact email address. In the latest instance, the heading was “PLAY NEWS”.
Although there are similarities with Hive and Nokoyawa, Play uses AdFind, a command-line query tool capable of collecting information from Active Directory (AD), as a means of discovery, noted the Trend Micro report.
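As an added illustration (not code from the article or from Trend Micro), the script below turns the three behaviours described above, AdFind execution, files renamed with a ".play" extension and a note headed "PLAY", into per-host findings over a few constructed telemetry lines; the key=value event format and its field names are assumptions for this example.

```python
import os
import re

# Constructed sample telemetry for this example (not taken from the article):
# one simplified "key=value" event per line, in the style of an EDR export.
SAMPLE_EVENTS = [
    'type=process host=ws01 image=C:\\Temp\\AdFind.exe cmdline="AdFind.exe -f objectcategory=person"',
    'type=process host=ws01 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    'type=file host=fs02 op=rename src=C:\\Share\\budget.xlsx dst=C:\\Share\\budget.xlsx.play',
    'type=file host=fs02 op=create path=C:\\Share\\ReadMe.txt head="PLAY NEWS"',
    'type=file host=fs02 op=rename src=C:\\Share\\a.docx dst=C:\\Share\\a.docx.bak',
]

# key=value pairs; the value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; quoted and bare values are both accepted."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def classify(event):
    """Return the Play-style indicators named in the article that one event triggers."""
    hits = set()
    if event.get("type") == "process":
        exe = os.path.basename(event.get("image", "").replace("\\", "/")).lower()
        if exe == "adfind.exe" or "adfind" in event.get("cmdline", "").lower():
            hits.add("adfind_discovery")  # AD enumeration tool noted by Trend Micro
    elif event.get("type") == "file":
        if event.get("op") == "rename" and event.get("dst", "").lower().endswith(".play"):
            hits.add("play_extension")  # ".play" appended to encrypted files
        if event.get("op") == "create" and event.get("head", "").upper().startswith("PLAY"):
            hits.add("play_ransom_note")  # note heading such as "PLAY NEWS"
    return hits


def scan(lines):
    """Aggregate indicators per host so discovery and encryption stages can be correlated."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            findings.setdefault(event.get("host", "?"), set()).update(hits)
    return findings


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
```

A host that shows the AdFind finding before any ".play" renames is the point at which an analyst still has time to act; the file-level findings indicate encryption already under way.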