Play (aka PlayCrypt) first emerged in mid-2022, immediately distinguishing itself with sophisticated double-extortion attacks on high-value targets. Early victims included Latin American government entities (e.g. Argentina’s Córdoba judiciary). Researchers noted that Play’s tactics and malware bore a striking resemblance to Russian-linked families (Hive, Nokoyawa), suggesting possible ties to those actors. Over the next three years the group expanded globally, striking sectors from local governments to logistics firms. For example, Dutch maritime logistics firm Royal Dirkzwager (ship registry and port information) confirmed a Play breach in March 2023. By May 2025 the FBI reported ~900 organizations hit across North and South America and Europe. Play’s public leak site (“Play News” on Tor) charts the victim timeline and countdowns for data release, serving both as extortion pressure and as a rough timeline of the group’s attacks.
Play first surfaced by June 2022, when victims began posting about it on security forums. Over 2022–2023 it targeted Latin American government and financial institutions, then broadened to U.S. and EU targets. Notable incidents include the 2023 Swiss government breach (1.3 million records stolen) and U.S. municipal attacks (Oakland, Dallas County). Trend reports and wikis independently linked Play’s toolbox and playbook to those of Nokoyawa/Hive, reinforcing suspicions of a Russian nexus.
Tactics, Techniques, and Procedures (TTPs)
Play’s operators employ a full spectrum of advanced attack TTPs mapped to MITRE ATT&CK. Initial Access: they breach networks via exposed services and credential abuse. Early on, Play exploited unpatched FortiGate VPN bugs (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange flaws (ProxyNotShell, CVE-2022-41040/41082) to gain entry. Stolen credentials and leaked RDP/VPN accounts (T1078, T1133) are also common entry points. In 2025, Play-linked affiliates began exploiting flaws in the SimpleHelp remote support tool (CVE-2024-57726, -57727, -57728) to drop malware. This includes the SimpleHelp path traversal flaw (CVE-2024-57727) disclosed in January 2025, which allowed command execution on victim networks.
After gaining a foothold, Play actors conduct stealthy network discovery and evasion. They use AD reconnaissance tools like AdFind and BloodHound, custom info-stealers like Grixba, and commodity scanners to map networks. Security software is disabled using tools such as GMER, PowerTool and IOBit, or removed altogether, and event logs are cleared to hinder forensics. Play has also been observed running PowerShell scripts that target Windows Defender as part of defense evasion.
For lateral movement, operators deploy Cobalt Strike beacons and SystemBC RAT for C2, then pivot via techniques like PsExec and WMI. Once inside, they steal credentials (often using Mimikatz) and escalate to domain admins. Group Policy Objects or scheduled tasks are often used to push malware across multiple hosts systematically. Throughout this stage, Play’s payload execution is heavily obfuscated: each build of the ransomware is recompiled per attack (unique hash) to evade signature detection.
Once ready to strike, Play exfiltrates data and then encrypts. Data exfiltration tools include WinRAR archives and WinSCP SFTP transfers. The ransomware’s encryption routine is notable for using an intermittent encryption scheme: it encrypts blocks of each file (e.g. every 0x100000 bytes) rather than the whole file. This speeds up the process and helps evade heuristic detectors. Core user files (documents, databases, images) are encrypted with AES-256 and RSA-2048; system-critical files are deliberately skipped so victims can still boot and negotiate. Encrypted files are suffixed with “.PLAY”, and a ReadMe.txt ransom note is placed on the system (typically in the C:\Users\Public\Music folder).
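The block-wise encryption described above leaves a recognisable footprint: an affected file contains near-random blocks interleaved with ordinary plaintext blocks. The following triage script is an added example (not code from the original post or from COE Security) that scores files by per-block Shannon entropy and combines that verdict with the “.PLAY” suffix indicator. The thresholds, sample file names and sample data are this example’s own assumptions, not measured Play parameters; the demo uses a 4 KiB block size so it runs instantly, while the constant PLAY_BLOCK_SIZE records the 0x100000-byte figure quoted above.

```python
"""Added example, not code from the original post or from COE Security.

Defensive triage for intermittently ("partially") encrypted files: Play is
reported to encrypt fixed-size blocks of a file and leave the rest as
plaintext, so an affected file shows random-looking blocks interleaved with
ordinary ones. Thresholds, names and sample data are assumptions.
"""
import math
import random
from collections import Counter

PLAY_BLOCK_SIZE = 0x100000          # block size quoted in the write-up (1 MiB)
PLAY_SUFFIX = ".PLAY"               # extension appended to encrypted files
RANSOM_NOTE = r"C:\Users\Public\Music\ReadMe.txt"   # note location described above


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int) -> list:
    """Entropy of each consecutive block of the file."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def classify(data: bytes, block_size: int = PLAY_BLOCK_SIZE,
             high: float = 7.5, low: float = 6.0) -> str:
    """'intermittent' = random-looking blocks mixed with ordinary ones;
    'high-entropy' = every block random-looking (full encryption, but also
    any compressed format, so not suspicious on its own);
    'plain' = no random-looking block at all."""
    ents = block_entropies(data, block_size)
    if not ents:
        return "empty"
    has_high = any(e >= high for e in ents)
    has_low = any(e <= low for e in ents)
    if has_high and has_low:
        return "intermittent"
    return "high-entropy" if has_high else "plain"


def triage(name: str, data: bytes, block_size: int = PLAY_BLOCK_SIZE) -> dict:
    """Combine the entropy verdict with the file-name indicator."""
    verdict = classify(data, block_size)
    has_suffix = name.upper().endswith(PLAY_SUFFIX)
    return {"name": name, "verdict": verdict, "play_suffix": has_suffix,
            "suspicious": has_suffix or verdict == "intermittent"}


def build_samples(block_size: int = 4096) -> dict:
    """Constructed sample files (small block size so the demo is instant)."""
    rng = random.Random(1234)                      # seeded: reproducible "ciphertext"
    text = (b"Quarterly ledger, customer 0001, balance 12.50 EUR\n" * 100)[:block_size]
    plain = text * 6                               # untouched document
    full = rng.randbytes(block_size * 6)           # fully encrypted or compressed
    # Play-style pattern: every other block replaced by random bytes
    partial = b"".join(rng.randbytes(block_size) if i % 2 == 0 else text
                       for i in range(6))
    return {"ledger.csv": plain, "backup.7z": full, "ledger.csv.PLAY": partial}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(triage(name, data, block_size=4096))
```

The three-way verdict matters in practice: archives, images and Office files (which are zip containers) are legitimately high-entropy throughout, so only the mixed pattern is treated as a signal on its own. Files containing both compressed and textual sections can still trigger the heuristic, so treat an “intermittent” verdict as a prompt to check the suffix, the ransom-note path and recent write activity rather than as proof of encryption.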
The impact is classic double-extortion. Play steals sensitive data and then encrypts systems, demanding payment for both file decryption and non-release of stolen data. The ransom note contains no fixed price; instead, victims must email the attackers at a unique GMX or web.de address provided in the note. Victims see their company’s name and stolen data claims on Play’s Tor-based leak site (“Play News”) with countdown timers. To pressure victims further, Play operators call targets by phone, often contacting random staff (customer service, help desks) and threatening public data release if payment isn’t made. This combination of intermittent encryption, personalized email contacts, and aggressive outreach is a hallmark of Play’s extortion model.
Victimology and Sector Impacts
By mid-2025 Play had infected roughly 900 organizations globally. Victims span industries and countries: Latin America and Brazil were initial hotbeds, but recent months saw many US and European breaches. The healthcare sector, while often hard-hit by ransomware, has seen relatively few Play incidents (only about nine by late 2024). However, any breach in healthcare poses massive HIPAA/PII risk – even Play’s few health targets reinforce the need for vigilance.
In financial services, Play attackers seek customer PII, financial records, and trade secrets. For instance, one attack on Europe’s largest car retailer, Arnold Clark, resulted in theft of customer IDs, bank details, and vehicle records. Financial firms should be alert for any unusual RDP/VPN access and protect customer data meticulously.
The education sector is also on Play’s radar. Universities and schools (often underfunded IT) are attractive due to sensitive student/faculty data and limited IR readiness. Play’s focus on large entities means major universities or school districts could be potential victims. Similarly, manufacturing (factories, automakers, semiconductor plants) is targeted: for example, Microchip Technology (a U.S. semiconductor supplier) was compromised in 2024. Production downtime or IP theft in manufacturing can be crippling, so plant networks must be isolated and monitored closely.
In logistics and transportation, Play has actively struck critical infrastructure. Dutch port/shipping operator Royal Dirkzwager’s data servers were breached (data on ship movements/contracts stolen). Attacks on logistics firms can disrupt supply chains; Play’s hit on Dirkzwager highlights that transportation companies are high-value targets for cybercriminals. Other sectors affected include government (e.g. City of Oakland, Dallas County in the U.S., and the Belgian city of Antwerp) and real estate (customer personal data). In each sector, Play’s rapid lateral spread and double-extortion model have forced months of recovery and ransom decisions.
Known Exploited Vulnerabilities
Play affiliates heavily rely on exploiting “old and known” vulnerabilities in internet-facing systems. Critical flaws include the Fortinet VPN bugs (CVE-2018-13379 and CVE-2020-12812) and the Microsoft Exchange ProxyNotShell holes (CVE-2022-41040, CVE-2022-41082). In early 2025, attackers leveraged high-priority SimpleHelp RMM vulnerabilities (CVE-2024-57726/-57727/-57728) to deploy malware via remote-support tools. Very recently, Symantec observed Play’s alias “Balloonfly” exploiting a Windows zero-day (CLFS driver, CVE-2025-29824) for privilege escalation in a U.S. breach. All these cases underline that Play thrives on unpatched software. Legacy RDP and VPN services remain prime entry points if exposed. Any organization using affected FortiOS firmware, on-prem Exchange, SimpleHelp, or vulnerable Windows builds should patch immediately.
Adaptations: Intermittent Encryption and Negotiation
Play’s intermittent encryption and negotiation style deserve emphasis. Unlike typical ransomware that encrypts every byte, Play encrypts select portions of each file (e.g. 1MB chunks), leaving the remaining chunks as plaintext. This stealthier “partial” scheme evades many scanning defenses. Play is one of the few groups known to use this tactic (others include Nokoyawa). Even partial encryption, however, is usually enough to render files unusable without the keys.
On the negotiation front, Play eschews a Tor/website portal. Each victim is given a unique email (often via GMX or web.de) to contact the attackers, rather than a uniform Tor page. This implies a tight control over communications. The gang even manages multiple burner email threads in parallel. Pressure tactics include not only the leak site public shaming but also live phone calls to victims. Moreover, Play pledges “complete secrecy” for paying victims; those who refuse see all stolen data leaked and their breach details posted on Play’s Tor blog. (In one analysis, Play’s demand amounts weren’t in the note – negotiations happen in these email/chat threads.) This strategy of targeted negotiation and psychological pressure is a distinguishing aspect of Play’s brand of ransomware.
Connections to Nation-State Actors
While Play is financially motivated, intelligence reports indicate blurred lines with nation-state actors. In late 2024, Palo Alto Unit42 revealed that North Korean APT Jumpy Pisces (Reconnaissance General Bureau) collaborated on a Play attack. In that incident, Jumpy Pisces gained access (via a compromised account) in May 2024, spent months of espionage (using DTrack infostealer, Sliver C2, custom Mimikatz), and then handed off the access to Play operators who delivered ransomware. This was the first known case of the NK group using third-party ransomware infrastructure, suggesting they acted as an initial-access broker. Microsoft and Recorded Future warn that this “nexus” of state-backed hackers and criminal gangs may become more common.
Earlier analyses noted technical similarities between Play and Russian gangs: the file I/O behavior and use of GKMs echoed Conti/Hive tactics. Play’s own statements claim it is not a true RaaS (ransomware-as-a-service) platform, implying a core group (possibly in Eastern Europe) that vets partners rather than running an open affiliate program. Nonetheless, Play’s tools (e.g. intermittent encryption, file-splitting) and target selection overlap significantly with Russian-linked operations. It remains unclear whether Play is directly controlled by a nation or simply run by highly skilled cybercriminals with connections to state hackers. The FBI/CISA advisory does not formally tie Play to any country, but security firms advise treating Play attacks with the same urgency as nation-state threats.
To mitigate such sophisticated attacks, experts emphasize “defense-in-depth.” Simple air-gaps and DMZs are no longer enough; networks should be segmented so that a breach of one segment (e.g. finance servers) cannot freely spread to others. This includes using VLANs or microsegmentation (see illustrative diagram above) to isolate critical assets. Access controls and least-privilege policies limit the damage if credentials are stolen. In practice, organizations should act as if every machine could be compromised: only minimal trust and strong monitoring between subnets can contain a fast-moving threat like Play.
Mitigation and Defensive Blueprint
The FBI/CISA/ASD advisory lays out comprehensive mitigations against Play-style attacks. Key recommendations include patching all software and firmware promptly — especially the known exploited CVEs — and updating Microsoft Exchange or disabling OWA if patching is delayed. Multi-factor authentication (MFA) must be enabled everywhere possible (webmail, VPN, critical admin accounts) to neutralize stolen credentials. Regular vulnerability scanning and rapid patch rollout for internet-facing systems are stressed as “efficient and cost-effective” defenses.
Other controls: maintain up-to-date antivirus/EDR (and protect the agents themselves), filter inbound traffic to disallow unknown access to remote services, and audit admin privileges regularly. Crucially, organizations need offline backups of all critical data. These backups must be encrypted and immutable to prevent tampering. A formal recovery plan (testing restore processes) is also mandated. In short, assume compromise: then design your environment to limit lateral moves and rapidly recover if ransomware strikes.
Beyond these, defenders should exercise and validate their security posture against Play’s TTPs. The advisory even suggests using the MITRE ATT&CK framework to test controls (e.g. simulate AdFind or Mimikatz to see whether the SIEM/EDR catches it). Incident response teams should have playbooks in place for this scenario, including legal and public communications steps given the potential leak. Ongoing threat intelligence sharing (e.g. through CISA’s StopRansomware portal or sector-specific ISACs) ensures that new IOCs and detection content, such as emerging SimpleHelp or Windows zero-day indicators, are disseminated quickly.
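The advisory’s suggestion to simulate AdFind or Mimikatz and check whether the SIEM/EDR notices is only useful if there are rules to fire. The following detection logic is an added example (not code from the original post, the advisory or COE Security) that covers the post-exploitation chain described in the TTP section (AdFind/BloodHound reconnaissance, Mimikatz, PowerShell tampering with Defender, log clearing, PsExec/WMI lateral movement, WinRAR staging and WinSCP transfers) and scores each host by how many distinct ATT&CK tactics have been observed. The pipe-delimited log format, host names, user names, paths and command lines are constructed for the example and modelled loosely on Sysmon event ID 1 / Windows 4688 fields; the IP address is from the reserved documentation range.

```python
"""Added example, not code from the original post or from COE Security.

Rule-based detection over constructed process-creation events, with per-host
correlation: one tool name is a weak signal, a chain across tactics is not.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: timestamp|host|user|parent image|image|command line
SAMPLE_LOG = r"""
2025-05-01T09:12:03Z|WS-014|CORP\jdoe|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2025-05-01T09:15:44Z|WS-014|CORP\jdoe|cmd.exe|C:\Temp\adfind.exe|adfind.exe -f objectcategory=computer -csv
2025-05-01T09:21:10Z|WS-014|CORP\jdoe|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2025-05-01T09:22:30Z|WS-014|CORP\jdoe|cmd.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
2025-05-01T09:30:02Z|SRV-DC1|CORP\svc_backup|services.exe|C:\Windows\PSEXESVC.exe|PSEXESVC.exe
2025-05-01T09:31:55Z|SRV-DC1|CORP\svc_backup|cmd.exe|C:\Temp\mimikatz.exe|mimikatz.exe
2025-05-01T10:05:12Z|SRV-FS1|CORP\svc_backup|cmd.exe|C:\Program Files\WinRAR\Rar.exe|Rar.exe a -r D:\staging\fin.rar \\SRV-FS1\Finance
2025-05-01T10:09:40Z|SRV-FS1|CORP\svc_backup|explorer.exe|C:\Program Files (x86)\WinSCP\WinSCP.exe|WinSCP.exe sftp://upload@203.0.113.10/
2025-05-01T10:10:00Z|WS-022|CORP\asmith|explorer.exe|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe x photos.rar
"""


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Pipe-delimited; the command line is last and may itself contain '|'."""
    return Event(*line.split("|", 5))


def _base(e: Event) -> str:
    return ntpath.basename(e.image).lower()   # ntpath splits on '\' on any OS


def _cl(e: Event) -> str:
    return e.cmdline.lower()


# (tactic, rule name, predicate); tactic labels feed the per-host score
RULES = [
    ("Discovery", "AdFind/BloodHound AD enumeration",
     lambda e: _base(e) in {"adfind.exe", "sharphound.exe", "bloodhound.exe"} or "adfind" in _cl(e)),
    ("Credential Access", "Mimikatz by name",
     lambda e: "mimikatz" in _base(e) or "mimikatz" in _cl(e)),
    ("Defense Evasion", "Defender setting disabled via PowerShell",
     lambda e: "powershell" in _base(e) and "set-mppreference" in _cl(e) and "disable" in _cl(e)),
    ("Defense Evasion", "Event log cleared",
     lambda e: _base(e) == "wevtutil.exe" and re.search(r"\bcl\b", _cl(e)) is not None),
    ("Lateral Movement", "PsExec service binary",
     lambda e: _base(e) in {"psexec.exe", "psexesvc.exe"}),
    ("Lateral Movement", "Remote WMI execution",
     lambda e: _base(e) == "wmic.exe" and "/node:" in _cl(e)),
    ("Exfiltration", "WinRAR archive creation (not extraction)",
     lambda e: _base(e) in {"rar.exe", "winrar.exe"} and re.match(r"^\S+\s+a\b", _cl(e)) is not None),
    ("Exfiltration", "WinSCP transfer",
     lambda e: _base(e) == "winscp.exe"),
]


def match_event(e: Event) -> list:
    """All (tactic, rule name) pairs that fire for one event."""
    return [(tactic, name) for tactic, name, pred in RULES if pred(e)]


def correlate(events: list, escalate_at: int = 2) -> dict:
    """Group hits by host; escalate when the number of distinct tactics
    seen on that host reaches the threshold."""
    by_host = {}
    for e in events:
        for tactic, name in match_event(e):
            h = by_host.setdefault(e.host, {"tactics": set(), "hits": []})
            h["tactics"].add(tactic)
            h["hits"].append((e.ts, e.user, tactic, name))
    return {host: {"tactics": sorted(v["tactics"]), "hits": v["hits"],
                   "escalate": len(v["tactics"]) >= escalate_at}
            for host, v in by_host.items()}


def load_events(text: str = SAMPLE_LOG) -> list:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


if __name__ == "__main__":
    for host, info in correlate(load_events()).items():
        print(host, "ESCALATE" if info["escalate"] else "review", info["tactics"])
        for hit in info["hits"]:
            print("   ", *hit)
```

On the sample, WS-014 (reconnaissance plus Defender tampering and log clearing) and SRV-DC1 (PsExec plus Mimikatz) cross the two-tactic threshold, while SRV-FS1 shows only exfiltration staging and stays at “review”; the benign WinRAR extraction on WS-022 produces no hit because the archive rule keys on the create command rather than on the binary name. Name-based rules are deliberately cheap to run but miss renamed binaries, which the TTP section notes Play recompiles per attack, so they belong alongside behavioural telemetry (LSASS access, service installation, Defender configuration-change events) rather than replacing it.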
Summary of Best Practices
In summary, preventing or mitigating Play ransomware involves:
- Strict Patch Management: Quickly apply fixes for Exchange, Fortinet, VPN, RMM tools, and Windows. Treat any unpatched asset as a severe risk.
- Strong Access Controls: Enforce MFA on all accounts (especially remote access), rotate credentials, and restrict privileged accounts and local admin rights.
- Network Segmentation: Architect your network to isolate critical systems. Use firewalls and internal ACLs so an intruder in one subnet cannot freely roam.
- Endpoint Hardening: Deploy updated EDR/antivirus with tamper protection. Proactively hunt for common post-exploit behaviors (suspicious processes, abnormal system utility usage).
- Data Security: Maintain encrypted, offline backups of all data. Follow the 3–2–1 rule (3 copies, 2 media, 1 offsite). Validate restores regularly.
- User Training & IR: Educate staff on phishing, social engineering, and unusual login alerts. Maintain a tested incident response plan (playbooks, roles, communication).
By integrating these defenses, an organization significantly increases its resilience. Even if attackers gain initial access, segmented networks and rapid response can thwart the fast-moving Play attack chain.
About COE Security
COE Security is dedicated to protecting organizations from the most advanced cyber threats. Our mission is to deliver tailored security services and managed solutions that keep our clients resilient, compliant, and prepared for emerging attacks. We combine deep technical expertise with proactive intelligence to safeguard critical infrastructure and data.
- Healthcare: MDR services, HIPAA compliance support, incident response retainer, secure patch management, patient-data encryption, phishing awareness training.
- Finance: 24/7 threat monitoring, regulatory compliance (PCI/Dodd-Frank), secure backup solutions, risk assessments, vulnerability management, MFA implementation.
- Education: Endpoint protection for campuses, DDoS mitigation, rapid incident response (IR) planning, multi-layered authentication, data recovery solutions, staff training.
- Logistics/Transportation: Network segmentation audits, OT/ICS security consulting, compliance support (ISO/IEC standards), disaster recovery planning, supply-chain risk management.
- Government: Managed Detection and Response (MDR) for public agencies, cyber-risk assessments, secure cloud/adoption guidance, regulatory and grant compliance, continuity planning.
- Manufacturing: OT security monitoring, ICS firewalls, patch orchestration, IR table-top exercises, intellectual property protection, network hardening reviews.
Each sector benefits from our MDR platform, IR retainers, proactive risk assessments, patch validation services, secure backup implementations, compliance guidance, and cyber hygiene training. By partnering with COE Security, organizations build a robust defense-in-depth posture suited to their industry’s specific threats.
For the latest insights and updates on ransomware and cyber defense, follow COE Security on LinkedIn.