Ransomware Group

Play

Also known as: PlayCrypt, Play Ransomware

Status: active • First seen 2022-06 • 300+ known victims

Play ransomware is one of the most active groups targeting businesses right now. They break in, steal your data, encrypt your files, and demand payment for both: if you don't pay, they publish the stolen data online. They're known for targeting companies with 100-1000 employees that hold valuable data but may have security gaps.

Overview

Play ransomware is a highly active group known for targeting medium and large organizations with double extortion tactics. They maintain a professional operation with consistent victim communication and have been particularly active against North American and European businesses.

Target Industries

Manufacturing, Professional Services, Technology, Healthcare, Construction, Retail

How They Attack

  • Exploiting exposed RDP and VPN services
  • Compromised valid accounts
  • Exploiting unpatched vulnerabilities (Fortinet, Microsoft Exchange)
  • Using AdFind and Grixba for reconnaissance
  • Cobalt Strike for lateral movement

Notable Victims

City of Oakland (2023), Rackspace (2022), Arnold Clark (UK car dealer), Multiple Swiss organizations, Various municipal governments


How to Protect Against Play

  1. Secure or disable exposed RDP services
  2. Patch Fortinet and Microsoft Exchange immediately
  3. Enable MFA on all VPN and remote access
  4. Monitor for Cobalt Strike beacons
  5. Maintain tested, offline backups
  6. Review admin account usage and privileges
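Step 4 above (monitoring for Cobalt Strike beacons) is the one most teams find hard to turn into something concrete. The script below is an added example, not part of this profile or of any vendor tool: it scans outbound proxy logs for source/destination pairs whose connections recur at near-constant intervals, the timing signature a default-configured C2 beacon leaves and ordinary browsing does not. The log format, the sample lines (documentation IP ranges only), and the thresholds `min_events=6` and `max_cv=0.15` are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from any real incident or from the
# page): "<ISO timestamp> <source IP> <destination IP> <destination port>".
# 198.51.100.5 talks to 203.0.113.10 roughly once a minute (beacon-like);
# 198.51.100.7 browses 203.0.113.20 at irregular intervals (human-like).
SAMPLE_LOGS = """\
2024-01-15T10:00:00 198.51.100.5 203.0.113.10 443
2024-01-15T10:00:05 198.51.100.7 203.0.113.20 443
2024-01-15T10:00:09 198.51.100.7 203.0.113.20 443
2024-01-15T10:01:00 198.51.100.5 203.0.113.10 443
2024-01-15T10:01:40 198.51.100.7 203.0.113.20 443
2024-01-15T10:02:01 198.51.100.5 203.0.113.10 443
2024-01-15T10:03:00 198.51.100.5 203.0.113.10 443
2024-01-15T10:04:00 198.51.100.5 203.0.113.10 443
2024-01-15T10:05:00 198.51.100.7 203.0.113.20 443
2024-01-15T10:05:02 198.51.100.5 203.0.113.10 443
2024-01-15T10:05:03 198.51.100.7 203.0.113.20 443
2024-01-15T10:06:00 198.51.100.5 203.0.113.10 443
2024-01-15T10:07:00 198.51.100.5 203.0.113.10 443
2024-01-15T10:08:00 198.51.100.7 203.0.113.30 443
2024-01-15T10:09:30 198.51.100.7 203.0.113.20 443
2024-01-15T10:09:31 198.51.100.7 203.0.113.20 443
2024-01-15T10:12:00 198.51.100.7 203.0.113.30 443
"""


def parse_line(line):
    """Return (timestamp, src, dst) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def interval_stats(timestamps):
    """Mean and coefficient of variation of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return m, cv


def find_beacons(lines, min_events=6, max_cv=0.15):
    """Flag (src, dst) pairs with enough connections and near-constant spacing.

    A low coefficient of variation (stdev / mean of inter-arrival gaps) means
    the connections recur on a fixed timer; thresholds are example values.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        m, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "mean_interval": m, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOGS.splitlines()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']:.3f})")
```

On the sample data only the once-a-minute pair is reported. Operators routinely add jitter to beacon timing, so raise `max_cv` cautiously and treat a hit as a lead to correlate with process, DNS and TLS certificate data rather than as a verdict on its own.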

MITRE ATT&CK Techniques

T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1486 (Data Encrypted for Impact), T1133 (External Remote Services), T1021 (Remote Services)

Related Groups

LockBit, BlackCat, Clop, Black Basta

Is your business exposed?

Check if your company data is circulating on the dark web

Free scan • No credit card required