Demystifying the Playboy RaaS — Gijs Rijnders, Dutch National Police
Author: Virus Bulletin
Uploaded: 2025-11-23
Views: 86
Description:
Presented at the VB2025 conference in Berlin, 24 - 26 September 2025.
↓ Slides: https://www.virusbulletin.com/uploads...
↓ Paper: https://www.virusbulletin.com/uploads...
→ Details: https://www.virusbulletin.com/confere...
✪ PRESENTED BY ✪
• Gijs Rijnders (Dutch National Police)
✪ ABSTRACT ✪
In recent years, ransomware has become one of the most prolific forms of cybercrime, with financial gain as the primary motive. The problem keeps getting bigger, with a new operation seeing the light of day almost every month. The Dutch National Police is often a key player in large-scale ransomware investigations. Operation Cronos is a prime example, where law enforcement took down infrastructure of the infamous LockBit group in 2024.
Today, many ransomware groups operate RaaS (ransomware-as-a-service) models. They provide the ransomware and a platform to extort victims as a service, and affiliated hacker groups carry out the actual attacks. The platform is often run from a VPS (virtual private server), and sometimes, this server is in the Netherlands. Dutch law enforcement seizes those servers and extracts their content for investigation. This happened to the Playboy ransomware in late 2024.
A chain of various tools is used to provide a ready-to-use ransomware package to affiliates of a RaaS program. Several modern ransomware operations even support CPU architectures and operating systems other than x86-64 and Windows. New cryptographic keys are generated for every victim, ransomware parameters are configured, and a builder creates the final package to be used by the affiliate. In this talk, we will reveal how we seized the Playboy ransomware servers, dive into its toolchain, and look at how executables were prepared to breach victims.