The Play ransomware group (also tracked as PlayCrypt) is a cybercriminal operation responsible for a global wave of ransomware attacks since it emerged in June 2022. The group relies on double extortion: it exfiltrates sensitive data before encrypting the victim's systems, then threatens to publish the stolen data unless a ransom is paid.
Tactics and Operations
• Double Extortion: Play encrypts files and exfiltrates data, threatening to leak information on their public Tor-based leak site if the ransom is not paid.
• Intermittent Encryption: Instead of encrypting entire files, Play encrypts only portions of each file. The files are still rendered unusable, but encryption finishes faster and the file's overall statistics change less, which can defeat detections that look for a jump in whole-file entropy or for sustained high-volume write activity.
• Victim Communication: The ransom note directs victims to contact the group at an email address; it typically does not state a ransom amount or payment instructions up front, which are negotiated after first contact.
• Ransomware-as-a-Service (RaaS): Some vendor research indicates Play has shifted toward a RaaS model, licensing its toolkit to other criminals in exchange for a share of the profits. This characterization is contested: the joint FBI/CISA/ASD's ACSC advisory on Play describes the group as a presumed closed operation, so treat RaaS claims as an open question rather than settled fact.
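The following added example (not Play's code, and not from any advisory) illustrates the intermittent-encryption point above: a toy encryptor that scrambles only one 4 KiB block in every three, and a pair of checks showing that whole-file entropy stays below a typical threshold while a per-window entropy check still flags the file. The block size, skip pattern, thresholds and the SHA-256-based keystream are assumptions chosen for illustration and say nothing about Play's actual scheme; the sample document is constructed inline.

```python
"""Intermittent encryption vs. whole-file and windowed entropy checks.

Added example: a toy model of partial-file encryption, not Play's encryptor.
BLOCK, the one-in-three pattern and the keystream are illustrative assumptions.
"""
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed chunk size used by the toy encryptor


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, nbytes: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode).

    Stands in for a stream cipher so the example is reproducible offline.
    Not a real cipher construction; never use it to protect data.
    """
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def intermittent_encrypt(data: bytes, key: bytes, encrypt_every: int = 3) -> bytes:
    """XOR one BLOCK out of every `encrypt_every` with keystream, leave the rest.

    XOR is its own inverse, so calling this twice with the same key restores
    the original (used by the test to prove the skipped blocks are untouched).
    """
    out = bytearray(data)
    for start in range(0, len(data), BLOCK):
        if (start // BLOCK) % encrypt_every == 0:
            chunk = data[start:start + BLOCK]
            ks = keystream(key, len(chunk))
            out[start:start + BLOCK] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def max_window_entropy(data: bytes, window: int = BLOCK) -> float:
    """Highest entropy seen over fixed, non-overlapping windows of `window` bytes."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def looks_encrypted(data: bytes, threshold: float = 7.5) -> dict:
    """Two detector variants; the threshold is an assumed tuning value.

    whole_file: the naive check that partial encryption is designed to beat.
    any_window: the same threshold applied per window, which still fires.
    """
    return {
        "whole_file": shannon_entropy(data) >= threshold,
        "any_window": max_window_entropy(data) >= threshold,
    }


# Constructed sample: a low-entropy "document" of repetitive text (~22 KB).
SAMPLE_PLAINTEXT = b"Quarterly invoice summary for the finance department. " * 400
SAMPLE_KEY = b"example-key-not-for-real-use"

if __name__ == "__main__":
    ct = intermittent_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("plaintext  :", looks_encrypted(SAMPLE_PLAINTEXT))
    print("partial ct :", looks_encrypted(ct),
          f"(whole-file entropy {shannon_entropy(ct):.2f} bits/byte)")
```

The whole-file entropy of the partially encrypted sample lands well under 7.5 bits per byte because roughly two thirds of the bytes are untouched text, so a detector that samples the entire file misses it; the per-window check sees an essentially random 4 KiB block and fires. In practice the windowed check belongs alongside write-rate and extension-change telemetry, since legitimate compressed or encrypted formats also produce high-entropy windows.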
Targets and Impact
• Global Reach: Play has hit organizations across North America, South America, Europe, and Australia, with victims in the United States, United Kingdom, Germany, France, Switzerland, Argentina, and other countries.
• Sector Diversity: Victims include large enterprises, government agencies, medical institutions, financial organizations, manufacturing, education, telecommunications, media, and critical infrastructure.
• Notable Attacks: The group has been linked to high-profile breaches such as those against the City of Oakland, the Swiss government, Dallas County, and the judiciary of Córdoba, Argentina.
Attack Methods
• Initial Access: Play typically gets in by abusing valid accounts on exposed remote access services (RDP and VPN), or by exploiting known vulnerabilities in Fortinet FortiOS, Microsoft Exchange (the ProxyNotShell chain), and remote monitoring and management (RMM) software such as SimpleHelp.
• Discovery, Lateral Movement and Privilege Escalation: Once inside, the group leans on commodity and dual-use tooling: AnyDesk for persistent remote access, NetScan and Advanced IP Scanner for network discovery, Cobalt Strike for command and control and lateral movement, and Mimikatz for credential theft and privilege escalation.
• Automated Deployment: With domain-level access in hand, the ransomware binary is pushed and executed across many hosts at once via Active Directory Group Policy Objects (GPOs) and scheduled tasks, so that encryption starts nearly simultaneously and defenders have little time to react.
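Because the deployment step above abuses Group Policy and scheduled tasks, a practical hunt is to correlate a Group Policy container modification (Windows Security event 5136) with scheduled-task creations (event 4698) that appear on many hosts shortly afterwards and point at a binary on a network share. The example below is added here and is not from any advisory or vendor; the event records are constructed in an assumed, simplified SIEM-export shape (dicts whose keys mirror the Windows event XML field names), and the 30-minute window and three-host minimum are tuning assumptions.

```python
"""Hunt: GPO change followed by the same UNC-launched scheduled task on many hosts.

Added example, not from Play or any advisory. Event records are constructed;
field names follow Windows Security events 5136 and 4698, the export shape and
thresholds are assumptions to adapt to a real SIEM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, times in UTC. The GPO GUID is a placeholder.
EVENTS = [
    {"time": "2025-05-01T02:10:05", "id": 5136, "host": "DC01",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "SubjectUserName": "svc_backup"},
    # A stale GPO edit from the previous day; nothing should correlate with it.
    {"time": "2025-04-30T09:00:00", "id": 5136, "host": "DC01",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={00000000-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "SubjectUserName": "gpo_admin"},
]
_TASK_XML = ("<Task><Actions><Exec><Command>\\\\DC01\\netlogon\\svchost_update.exe</Command>"
             "</Exec></Actions></Task>")
for _i, _host in enumerate(["WS01", "WS02", "WS03", "FS01"]):
    EVENTS.append({"time": f"2025-05-01T02:1{_i + 1}:30", "id": 4698, "host": _host,
                   "TaskName": "\\WindowsUpdateCheck", "TaskContent": _TASK_XML,
                   "SubjectUserName": "SYSTEM"})
# A benign task with a local command path on a single host; must not alert.
EVENTS.append({"time": "2025-05-01T02:12:00", "id": 4698, "host": "WS07",
               "TaskName": "\\Adobe Acrobat Update Task",
               "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Adobe\\AdobeUpdate.exe"
                              "</Command></Exec></Actions></Task>",
               "SubjectUserName": "jdoe"})

# Only commands launched from a UNC path (\\server\share\...) are of interest.
UNC_COMMAND = re.compile(r"<Command>\s*(\\\\[^<]+?)\s*</Command>", re.IGNORECASE)


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def unc_command(task_xml: str):
    """Return the UNC command of a 4698 task, or None if it runs a local path."""
    m = UNC_COMMAND.search(task_xml)
    return m.group(1) if m else None


def gpo_modifications(events):
    return [e for e in events
            if e["id"] == 5136 and e.get("ObjectClass") == "groupPolicyContainer"]


def find_mass_task_deployment(events, window=timedelta(minutes=30), min_hosts=3):
    """One alert per (GPO change, task name, UNC command) seen on >= min_hosts hosts
    within `window` after the change. Returns a list of dicts."""
    tasks = [e for e in events if e["id"] == 4698]
    alerts = []
    for gpo in gpo_modifications(events):
        t0 = parse_time(gpo["time"])
        hosts_by_task = defaultdict(set)
        for t in tasks:
            if not (t0 <= parse_time(t["time"]) <= t0 + window):
                continue
            cmd = unc_command(t["TaskContent"])
            if cmd is None:
                continue
            hosts_by_task[(t["TaskName"], cmd.lower())].add(t["host"])
        for (name, cmd), hosts in hosts_by_task.items():
            if len(hosts) >= min_hosts:
                alerts.append({"gpo_dn": gpo["ObjectDN"], "gpo_modified_by": gpo["SubjectUserName"],
                               "gpo_time": gpo["time"], "task_name": name,
                               "command": cmd, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for a in find_mass_task_deployment(EVENTS):
        print(f"ALERT: {a['task_name']} -> {a['command']} on {len(a['hosts'])} hosts "
              f"within 30 min of GPO {a['gpo_dn']} edited by {a['gpo_modified_by']}")
```

Event 5136 is only emitted when a SACL auditing attribute writes is applied to the Policies container, and 4698 requires "Audit Other Object Access Events" on the endpoints, so confirm both are collected before relying on this logic. Scoping to UNC-launched commands keeps routine software-update tasks out of the results while still catching a payload staged on a share such as NETLOGON or SYSVOL.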
Evolution and Current Threat
• Scale: According to the June 2025 update to the joint FBI/CISA/ASD's ACSC advisory, Play had compromised approximately 900 organizations worldwide as of May 2025.
• Collaboration: Play is known to work with initial access brokers and other threat actors to exploit new vulnerabilities and expand its reach.
• RaaS Shift: If the reported move to a RaaS model is confirmed, the frequency and diversity of attacks are likely to rise as more criminals gain access to Play's tooling and infrastructure, and attribution will become harder because affiliates bring their own intrusion tradecraft.