Play Ransomware
Description
Play, also known as Playcrypt, is a ransomware group that has posed a significant threat to a wide range of industries and regions since its emergence in mid-2022. "Play" refers both to the group that develops and distributes the ransomware and to the name of its encryptor. The encryptor, also tracked as Playcrypt, exists in multiple versions capable of targeting Windows, Linux, and ESXi systems. The group employs a double-extortion model: it demands a ransom to decrypt the encrypted files and threatens to publish exfiltrated data if payment is not made.
Play is known to have exploited a Windows vulnerability (CVE-2025-29824) as a zero-day. This vulnerability was later patched in the April 2025 Microsoft Patch Tuesday release.
Aliases
- Playcrypt
- Balloonfly
- Play ransomware group
Common Vulnerabilities and Exposures
- CVE-2025-29824
Targeted Industries
- Business
- Construction
- Critical Infrastructure
- Government
- Healthcare
- IT
- Legal
- Manufacturing
- Media
- Professional Services
- Real Estate
- Retail
- Transportation
Objectives
Financial Gain
Known Tools Used
- AdFind
- BloodHound
- Cobalt Strike
- Custom VSS copying tool
- Empire
- GMER
- Grixba
- IOBit
- Mimikatz
- Nekto/PriviCMD
- Nltest
- Playcrypt
- Plink
- PowerTool
- Process Hacker
- PsExec
- SystemBC (Coroxy)
- Wevtutil
- WinPEAS
- WinRAR
- WinSCP
Known Infection Vectors
- Abusing exposed remote access services
- Exploiting vulnerable internet-facing services
- Leveraging unpatched systems and configuration weaknesses
- Using compromised valid credentials
References
- #StopRansomware: Play Ransomware (CISA): https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
- Play (MITRE ATT&CK group G1040): https://attack.mitre.org/groups/G1040/
- Playcrypt (MITRE ATT&CK software S1162): https://attack.mitre.org/software/S1162/
- Ransomware Roundup: Play (Fortinet): https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware