
Play Ransomware

First seen: 2022 • Status: active

Play ransomware is a newer threat that breaks into organizations, steals data, then encrypts files while threatening to publish the stolen data online.

Overview

Play ransomware is a double-extortion ransomware that gained prominence attacking Latin American government entities. It uses intermittent encryption (encrypting only portions of each file) for speed and targets domain controllers.

Also Known As

PlayCrypt, Play

How It Spreads

  • RDP exploitation
  • Fortigate vulnerabilities
  • Microsoft Exchange exploits
  • Phishing

What It Does

  • Double extortion
  • Intermittent encryption
  • Domain controller targeting
  • Data exfiltration
  • Backup deletion


Target Platforms

Windows

Detection Tips

  • Monitor for files being renamed with the .play extension
  • Check for suspicious RDP activity, such as logons from unexpected sources
  • Review Exchange server logs for signs of exploitation
  • Analyze domain controller access for unusual accounts or timing

MITRE ATT&CK Techniques

T1486 (Data Encrypted for Impact), T1190 (Exploit Public-Facing Application), T1021 (Remote Services), T1003 (OS Credential Dumping), T1490 (Inhibit System Recovery)

If You're Infected

  1. Isolate affected systems immediately
  2. Identify and patch exploited vulnerabilities
  3. Assess data exfiltration scope
  4. Engage incident response for recovery
