Introduction
Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group. [2] [3]
Activities and Tactics
Targeted Sectors: Healthcare, Education, Government, Technology
Country of Origin: 🏳️ Unknown
Risk Level: High
First Seen: 2022
Last Activity: 2025
Notable Campaigns
- Community-reported ransomware incident: April 2025, Retail, Canada (source: CR-016-PLAY-APR-2025.md)
Tactics, Techniques, and Procedures (TTPs)
- T1030 Data Transfer Size Limits
- T1016 System Network Configuration Discovery
- T1048 Exfiltration Over Alternative Protocol
- T1070.004 File Deletion
- T1059.003 Windows Command Shell
- T1059.001 PowerShell
- T1560.001 Archive via Utility
- T1018 Remote System Discovery
- T1057 Process Discovery
- T1027.010 Command Obfuscation
- T1587.001 Malware
- T1078.003 Local Accounts
- T1021.002 SMB/Windows Admin Shares
- T1685.005 Clear Windows Event Logs
- T1078 Valid Accounts
- T1105 Ingress Tool Transfer
- T1078.002 Domain Accounts
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1518.001 Security Software Discovery
- T1133 External Remote Services
- T1588.002 Tool
- T1190 Exploit Public-Facing Application
- T1003.001 LSASS Memory
- T1657 Financial Theft
- T1685 Disable or Modify Tools
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Network Edge | Fortinet | FortiOS | CVE-2018-13379 |
| Network Edge | Fortinet | FortiOS SSL VPN | CVE-2020-12812 |
| Microsoft Products | MS Server Products | Exchange On-Prem | CVE-2022-41040, CVE-2022-41082 |
| Microsoft Products | MS Server Products | Exchange On-Prem | CVE-2022-41080 |
| Applications | SimpleHelp | SimpleHelp RMM | CVE-2024-57727 |
ATT&CK technique IDs (denormalized)
- T1003.001
- T1016
- T1018
- T1021.002
- T1027.010
- T1030
- T1048
- T1057
- T1059.001
- T1059.003
- T1070.004
- T1078
- T1078.002
- T1078.003
- T1082
- T1083
- T1105
- T1133
- T1190
- T1518.001
- T1560.001
- T1587.001
- T1588.002
- T1657
- T1685
- T1685.005
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
- Archelaus Beta
- RemoteCMD
- Remote Utilities
- RemotePC
MITRE ATT&CK Software
- Nltest (S0359) — tool
- AdFind (S0552) — tool
- PsExec (S0029) — tool
- Empire (S0363) — tool
- Wevtutil (S0645) — tool
- Cobalt Strike (S0154) — malware
- Playcrypt (S1162) — malware
- BloodHound (S0521) — tool
- Mimikatz (S0002) — tool
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | HandleKatz, Mimikatz, Nanodump |
| Defense Evasion | EDRKill (echo_driver.sys + DBUtil 2.3), GMER, IOBit, PCHunter, PowerTool, icardagt.exe |
| Discovery | AdFind, WKTools |
| Exfiltration | WinSCP |
| LOLBAS | PsExec |
| Networking | Fast Reverse Proxy Client (FRPC), Plink |
| OffSec | Cobalt Strike, WinPEAS |
Attribution and Evidence
Country of Origin: Unknown
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK (mitre-attack).
[2] CISA Play Ransomware Advisory December 2023: CISA. (2023, December 18). #StopRansomware: Play Ransomware (AA23-352A). Retrieved September 24, 2024.
[3] Trend Micro Ransomware Spotlight Play July 2023: Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.