Cybereason has published a new analytical report on the activities of the Playboy Locker RaaS platform. The service is a serious warning for organizations, since it provides ready-made attack tools even to those without technical skills in cybercrime.
Playboy Locker first appeared in September 2024 on a darknet forum, where its creators began by recruiting beta testers. Shortly afterwards an affiliate program with a classic RaaS model was launched: affiliates receive 85% of the ransom and the service operator 15%. Such a scheme lets beginners run complex attacks with ready-made tools, including binary builds, control panels and technical support.
A distinctive feature of Playboy Locker is a malware builder through which executables targeting Windows, NAS and ESXi systems can be assembled. The tool offers flexible settings and is updated regularly, which complicates detection by antivirus products. Affiliates are offered guidance on distributing the malware, technical support and access to an administrator panel with the ability to manage victims and a chat system.
Technical analysis showed that the Windows version of Playboy Locker is written in C++ and uses a combination of the HC-128 and Curve25519 ciphers. The malware implements a multi-threaded pipeline for file encryption, can delete shadow copies via vssadmin, and terminates dozens of processes and services, including popular applications and backup systems. The target list ranges from Skype, Chrome and Firefox to Oracle and Veeam. There is also automatic propagation inside an Active Directory domain via LDAP, with the ability to launch a service on remote hosts.
Separate versions have been developed for NAS and ESXi systems. On ESXi, Playboy Locker can shut down virtual machines, run in daemon mode and exclude specified paths from encryption. The NAS version encrypts along a specified path with minimal configuration. The executables are small, about 70 KB.
After execution the malware creates a file with instructions named instructions.txt in each encrypted directory. At the end of the operation the program initiates self-deletion via the command line, masking its presence.
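As an added example (not code from the Cybereason report), the Windows-side behaviours described above, shadow-copy deletion via vssadmin, termination of backup and database software, launching a service on remote hosts, the instructions.txt note and command-line self-deletion, can be turned into simple detection rules run over process-creation and file-creation telemetry. The sample events, host names, the sc.exe remote-service command line and the regular expressions are constructed assumptions, not indicators taken from the report.

```python
import re

# Constructed sample endpoint telemetry (assumption, not data from the report):
# process-creation events carry "cmd", file-creation events carry "path".
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "process", "cmd": r"taskkill /F /IM VeeamAgent.exe"},
    {"host": "ws01", "type": "process", "cmd": r"sc.exe \\srv02 create updsvc binPath= C:\temp\x.exe"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\bob\Documents\instructions.txt"},
    {"host": "ws01", "type": "process", "cmd": r"cmd.exe /c del C:\temp\x.exe"},
    {"host": "ws02", "type": "process", "cmd": r"chrome.exe --profile-directory=Default"},
]

# One rule per behaviour the report attributes to the Windows build. The exact
# command lines are assumptions; the behaviours (vssadmin shadow deletion, killing
# backup/DB software such as Veeam and Oracle, starting a service on remote hosts,
# self-deletion via the command line) are the ones the report describes.
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_or_db_process_kill",
     re.compile(r"(taskkill|net\s+stop|sc(\.exe)?\s+stop).*(veeam|oracle)", re.I)),
    ("remote_service_create", re.compile(r"sc(\.exe)?\s+\\\\\S+\s+create", re.I)),
    ("self_delete_via_cmd", re.compile(r"cmd(\.exe)?\s+/c\s+.*\bdel\b.*\.exe", re.I)),
]
RANSOM_NOTE_NAME = "instructions.txt"  # note file name given in the report


def classify(event):
    """Return the rule tags an event matches (empty list when nothing matches)."""
    if event["type"] == "file":
        name = event["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        return ["ransom_note_dropped"] if name == RANSOM_NOTE_NAME else []
    return [tag for tag, rx in PROCESS_RULES if rx.search(event["cmd"])]


def scan(events):
    """Map each host to the set of distinct behaviours observed on it."""
    findings = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(ev["host"], set()).add(tag)
    return findings


def hosts_to_escalate(findings, min_tags=2):
    """Several of these behaviours on one host together are a strong ransomware signal."""
    return sorted(h for h, tags in findings.items() if len(tags) >= min_tags)


if __name__ == "__main__":
    for host, tags in scan(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
```

Any single rule on its own will produce false positives (administrators do run vssadmin and sc.exe), which is why escalation keys on several distinct behaviours appearing on the same host.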
The report also publishes hashes of the malicious files, which can be used to detect infection, as well as protection recommendations. Among them:
- tracking partner activity;
- use of multi-factor authentication (MFA);
- regular backups;
- installing updates;
- involving incident response teams.