INSIDE PLAYBOY LOCKER: A SHORT-LIVED BUT ADVANCED RANSOMWARE-AS-A-SERVICE THREAT

PlayBoy Locker is a Ransomware-as-a-Service (RaaS) operation discovered by Cybereason, first observed in September 2024. This platform enables unskilled cybercriminals to launch ransomware attacks by providing them with complete toolkits, binary builders, dashboards, and support. Despite a seemingly promising launch, the operators unexpectedly shut down and attempted to sell the project after limited activity. Technically sophisticated, the ransomware supports Windows, NAS, and ESXi environments, and includes multi-threaded encryption, AD propagation, and shadow copy deletion.

Severity Level: High

THREAT DETAILS

  1. The Windows version of PlayBoy Locker is written in C++ and uses the HC-128 and Curve25519 encryption algorithms. Notable features include:
     • Multithreaded file encryption for performance
     • Segmented encryption
     • Shadow copy deletion (vssadmin delete shadows /all /quiet)
     • Propagation via LDAP (Active Directory)
     • Process/service termination
     • Wallpaper change and recycle bin wipe
     • Self-deletion post-execution
  2. ESXi version capabilities: automatic shutdown of VMs, operation as a daemon, and exclusion of files/paths.
  3. NAS version capabilities: single-path encryption, fully automated via the builder.

BINARY DELIVERY & EXECUTION

  1. Initial access via phishing emails or compromised RDP endpoints.
  2. Uses LDAP scanning to find and infect network-connected systems.
  3. Installs a Windows service remotely to run the ransomware executable.

ABUSE OF RSTRTMGR DLL LOADING (RESTART MANAGER)

  1. Before starting file encryption, PlayBoy Locker abuses the RstrtMgr DLL (Restart Manager) to stop services and processes such as:
     • Antivirus tools (e.g., Sophos)
     • Office tools: winword.exe, excel.exe, powerpnt.exe
     • Backup solutions: veeam, GxVss, GxCVD
     • Communication apps: Skype, Telegram, Outlook

FILE ENCRYPTION

  1. Uses multi-threading to speed up the encryption process
  2. Targets documents, media, databases, and other sensitive formats
  3. Creates a ransom note: INSTRUCTIONS.txt in affected directories
  4. After encryption, attempts self-deletion to evade detection

Recommendations:

  1. Make sure your systems are regularly patched in order to mitigate known vulnerabilities.
  2. Monitor for LDAP scanning activity, especially from non-directory admin hosts.
  3. Restrict RDP exposure to the internet; use VPNs and enforce IP allow-listing.
  4. Enforce strict outbound filtering, especially for TOR or known .onion DNS resolution.
  5. Prevent shadow copy deletions using EDR rules (monitor use of vssadmin, wmic, diskshadow).
  6. Enable MFA (Multi-Factor Authentication) on all remote access and administrative interfaces.
  7. Establish offsite or offline backups and test restore procedures regularly to ensure operational continuity under attack scenarios.
  8. Use immutable storage where possible to protect critical data from tampering.
  9. Disable Windows service installation from untrusted hosts.
  10. Block the IOCs at their respective controls.
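
As an added example of recommendation 5 (not part of this advisory or of Cybereason's analysis), the following script runs a small set of shadow-copy deletion detection rules over constructed process-creation log lines; the pipe-delimited record layout, hostnames and usernames are assumptions for the demonstration, and the first sample command is the exact one this advisory attributes to PlayBoy Locker.

```python
"""Detect shadow-copy deletion in process-creation logs (added example).
Record layout "timestamp|host|user|image|command_line" is an assumption."""
import re
from dataclasses import dataclass

# Constructed sample events: four deletion attempts and one benign listing.
SAMPLE_EVENTS = """\
2024-09-12T10:01:03Z|WS-017|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-09-12T10:01:05Z|WS-017|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete /nointeractive
2024-09-12T10:01:09Z|WS-017|CORP\\jdoe|C:\\Windows\\System32\\diskshadow.exe|diskshadow /s C:\\Users\\Public\\wipe.txt
2024-09-12T10:02:00Z|BK-01|CORP\\backupsvc|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2024-09-12T10:03:44Z|WS-017|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd /c VSSADMIN Delete Shadows /For=C: /Oldest
"""

# Rules cover the three tools named in the advisory. Matching is case-insensitive
# and requires the destructive verb, so "vssadmin list shadows" does not alert.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("diskshadow_scripted", re.compile(r"\bdiskshadow(?:\.exe)?\b.*(?:/s\b|delete\s+shadows)", re.I)),
]

@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    command_line: str

def detect_shadow_copy_deletion(log_text: str) -> list[Alert]:
    """Return one Alert per event whose command line matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, user, _image, cmd = line.split("|", 4)
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(name, host, user, cmd))
                break  # one alert per event is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
```

Feeding the same rules into an EDR or SIEM query gives a blocking rule rather than an after-the-fact alert, which is what the recommendation calls for.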

SOURCES:

  • https://www.virustotal.com/gui/collection/04d98819e43c66fa52d685b4397aa74c382caafdd9c232199eceb8e2dcd60dd2/iocs
  • https://www.cybereason.com/blog/threat-analysis-playboy-locker

Ampcus Cyber