play

1,268 tracked victims

·first seen 2022-11-26·last activity 2026-06-17

Group profile

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises.<br> <br> On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs

MITRE ATT&CK TTPs

TA0001

Initial Access

T1078Valid Accounts
Compromised VPN credentials used to authenticate directly to victim networks.
T1190Exploit Public-Facing Application
Play exploits vulnerabilities in Microsoft Exchange (ProxyNotShell CVE-2022-41040/CVE-2022-41082), FortiOS SSL VPN (CVE-2018-13379), and RDP to gain initial access.

TA0002

Execution

T1053.005Scheduled Task/Job: Scheduled Task
Scheduled tasks used for payload persistence and execution across compromised hosts.
T1059Command and Scripting Interpreter
T1059.001Command and Scripting Interpreter: PowerShell
PowerShell scripts used for payload execution and post-exploitation tooling deployment.

TA0005

Defense Evasion

T1027Obfuscated Files or Information
Play ransomware payloads are split into multiple parts to bypass AV scanning; parts reassembled on target systems.
T1070Indicator Removal
T1070.001Indicator Removal: Clear Windows Event Logs
Windows event logs wiped to remove forensic evidence using wevtutil.
T1484Domain or Tenant Policy Modification
T1484.001Domain or Tenant Policy Modification: Group Policy Modification
T1562.001Disable or Modify Tools
Security tools including Windows Defender and AV products disabled prior to encryption.

TA0006

Credential Access

T1003OS Credential Dumping
T1003.001OS Credential Dumping: LSASS Memory
Mimikatz and similar tools used for LSASS memory dumping to harvest credentials.
T1003.003OS Credential Dumping: NTDS
NTDS.dit extracted from domain controllers to obtain all domain account hashes.
T1552Unsecured Credentials

TA0007

Discovery

T1016System Network Configuration Discovery
T1046Network Service Discovery
Network scanning tools used to enumerate hosts, services, and potential lateral movement targets.
T1087.002Account Discovery: Domain Account
Active Directory enumeration to identify privileged accounts and high-value targets.
T1518Software Discovery
T1518.001Software Discovery: Security Software Discovery

TA0008

Lateral Movement

T1021.001Remote Services: Remote Desktop Protocol
RDP used for lateral movement across victim networks.
T1021.002Remote Services: SMB/Windows Admin Shares
PsExec and SMB used to propagate payloads laterally.
T1570Lateral Tool Transfer

TA0009

Collection

T1560Archive Collected Data
T1560.001Archive Collected Data: Archive via Utility
WinRAR used to compress and archive stolen data prior to exfiltration.

TA0010

Exfiltration

T1048Exfiltration Over Alternative Protocol
WinSCP and Rclone used to exfiltrate data to actor-controlled infrastructure and cloud storage ahead of encryption.

TA0011

Command and Control

T1219Remote Access Software
Cobalt Strike, SystemBC, and AnyDesk used as C2 frameworks for persistent access.

TA0040

Impact

T1486Data Encrypted for Impact
Play ransomware uses AES-RSA hybrid encryption. Files appended with .play extension. Targets Windows and Linux/ESXi environments. Double extortion model with data published on Play leak site. Notable for NOT including ransom note in individual encrypted files — single note left at root of C: drive.
T1489Service Stop
Database, mail, backup, and security services terminated before encryption to ensure maximum file access.
T1490Inhibit System Recovery
Shadow copies deleted and Windows recovery disabled to prevent victim restoration of files.
T1657Financial Theft

Recent victims

showing 50 of 1,268

Date	Website / victim	Sector	Country
2026-06-17	Greg Crosslinwww.destinlegal.com	Not Found	US
2026-06-17	Integrated Technologieswww.itc4u.com	Technology
2026-06-17	eurOptimumwww.europtimum.com	Technology	DE
2026-06-10	Mundt and Associateswww.mundtinc.com	Business Services	US
2026-06-10	Rainbow Distributors USAwww.rainbowdistributorsusa.com	Consumer Services	US
2026-05-12	Pearson Fordwww.pearsonford.com	Transportation/Logistics	GB
2026-06-04	Urschel Laboratorieswww.urschel.com	Agriculture and Food Production	US
2026-06-02	Dallis Law Firmwww.dallislawfirm.com	Business Services	US
2026-05-29	The Chapelwww.thechapel.com	Not Found	US
2026-05-29	Corley MFGwww.corleymfg.com	Manufacturing	US
2026-05-11	Digitall Graphicswww.digitallgraphics.ca	Technology	CA
2026-05-20	Hightower Communicationswww.hightowernc.com	Telecommunication	US
2026-05-20	GW Mechanicalwww.gwmechanical.com	Business Services	US
2026-04-21	NL Fisherwww.nlfisher.com	Agriculture and Food Production	NL
2026-05-19	Round Hill Country Clubwww.rhcountryclub.com	Hospitality and Tourism	US
2026-05-15	Legend Networking & Telecomwww.legendnt.com	Telecommunication	US
2026-05-17	MyPillowwww.mypillow.com	Consumer Services	US
2026-05-01	De Waard Transportwww.dewaardtransport.nl	Transportation/Logistics	NL
2026-05-05	Zuther Hautmannwww.z-h.de	Not Found	DE
2026-04-20	Infoworld Membership Systemswww.imsmars.com	Technology
2026-05-04	Town Car Internationalwww.towncarinternational.com	Transportation/Logistics	US
2026-04-28	Northern Mechanical Contractorswww.northernmc.com	Construction	CA
2024-03-06	ACC Constructionwww.acc-construction.com	Construction	US
2026-05-01	IWC Food Servicewww.goiwc.com	Agriculture and Food Production	US
2026-05-09	Ashcroft Homeswww.ashcrofthomes.ca	Construction	CA
2024-03-06	DURAND-WAYLANDwww.durand-wayland.com	Manufacturing	US
2026-04-28	K & E Distributingwww.kedistributing.com	Transportation/Logistics	US
2026-04-30	Accessoires Outillage Lteewww.aolaml.com	Manufacturing	CA
2026-05-02	EMA Engineering & Consultingwww.emaengineer.com	Business Services	US
2026-04-06	Crystal Pointwww.crystalpoint.com	Not Found	US
2026-04-06	Morphosiswww.morphosis.com	Technology	US
2026-02-04	Barnes Solicitors LLPwww.barnessolicitors.co.uk	Business Services	GB
2026-03-05	Sokolinwww.sokolin.com	Consumer Services	US
2026-03-24	Brokkwww.brokk.com	Manufacturing	SE
2024-03-06	Colorado Constructionwww.colorado-group.com	Construction	US
2024-03-06	Lucky Lookwww.lucky-look-media.de	Consumer Services	DE
2026-03-24	Weber Kracht & Chellewwww.wkclaw.net	Business Services	US
2026-03-23	Specfluewww.specflue.com	Manufacturing	GB
2025-03-16	Kivellswww.kivells.com	Construction	GB
2026-03-30	Dock Proswww.dockprosinc.com	Transportation/Logistics	US
2026-01-12	Ampex Data Systemswww.ampex.com	Technology	US
2026-03-20	Valley Plating Incwww.valleyplatinginc.com	Manufacturing	US
2026-03-21	Witt UK Groupwww.wittukgroup.co.uk	Manufacturing	GB
2026-03-18	TPIS Industrial Serviceswww.teamtpis.com	Manufacturing	US
2026-03-19	All Real Estate Title Solutionswww.aretsifl.com	Business Services	US
2026-03-24	Roxiticus Golf Clubwww.roxiticus.com	Hospitality and Tourism	US
2026-03-16	Pinnaclewww.pinnacle.tax	Not Found	US
2026-03-13	Ascent Asset Groupwww.ascentasset.com	Financial Services	US
2024-03-06	Capital Wholesale Drugwww.capital-drug.com	Healthcare	US
2026-03-24	Block Engineeringwww.blockeng.com	Technology	US