Play Ransomware Group
Actor Type | Criminal Group |
---|---|
The Play Ransomware group, also known as PlayCrypt, is a criminal collective responsible for ransomware attacks on companies and governmental institutions. According to reporting, Play is a 'closed group' in order to "guarantee the secrecy of deals" as opposed to the more open 'ransomware-as-a-service' offerings which use affiliates for larger scale deployment.
The group emerged in 2022 and has targeted victims in multiple countries, including the United States, Brazil, Argentina, Germany, Belgium, and Switzerland. Linked attacks employ the 'double extortion' ransomware approach: encrypting systems after stealing sensitive data, followed by demanding ransom payments to decrypt files and prevent public leaks of the stolen information.
The name 'Play' comes from the '.play' file extension that the group uses to encrypt victims' data. After encryption, they leave a message containing the word 'PLAY' and an email address.
Particularly notable victims include the Argentine judiciary and a Swiss newspaper.
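The two observables the profile names (encrypted files carrying a '.play' extension, and a ransom note containing the word 'PLAY' plus an email address) are enough to build a small post-incident triage scan. The code below is an added example written for this page; it is not code from the page or from any of the cited sources. The page does not state the note's filename, so the scanner matches on note content rather than a fixed name; the 64 KiB size cut-off, the regex for an email address and the sample directory tree are all assumptions or constructed data.

```python
import os
import re
import tempfile
from pathlib import Path

# Observables taken from the profile: '.play' extension on encrypted files, and a
# note containing 'PLAY' and an email address. Everything else here is assumed.
ENCRYPTED_EXT = ".play"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAX_NOTE_BYTES = 64 * 1024  # assumption: ransom notes are small text files


def is_play_note(path: Path) -> bool:
    """Heuristic: a small text file that contains 'PLAY' and at least one email address."""
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return False
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return "PLAY" in text and EMAIL_RE.search(text) is not None


def scan_for_play_indicators(root: str) -> dict:
    """Walk `root` and collect encrypted-file and ransom-note candidates (paths relative to root)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(str(p.relative_to(root)))
            elif is_play_note(p):
                notes.append(str(p.relative_to(root)))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "hit": bool(encrypted or notes),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample data, not real artefacts: two renamed files, one note, one clean file."""
    base = Path(root)
    (base / "finance").mkdir()
    (base / "finance" / "q3.xlsx.play").write_bytes(b"\x00\x01constructed")
    (base / "report.docx.play").write_bytes(b"\x00\x02constructed")
    (base / "ReadMe.txt").write_text("PLAY\ncontact: example@example.invalid\n")
    (base / "notes.txt").write_text("Regular meeting notes, nothing to see.\n")


def demo() -> dict:
    """Run the scanner over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_play_indicators(tmp)


if __name__ == "__main__":
    print(demo())
```

This is a triage aid for confirming scope after the fact (which hosts and shares hold renamed files, where the note landed), not a preventive control: by the time a '.play' extension appears, encryption has already happened, so earlier detection has to come from the TTPs listed further down the page (credential dumping, log clearing, security-tool tampering, bulk archiving before exfiltration).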
Play Ransomware Group Threat Reports
#StopRansomware: Play Ransomware
This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
References
en.wikipedia.org: https://en.wikipedia.org/wiki/Play_%28hacker_group%29
www.trendmicro.com: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
securityboulevard.com: https://securityboulevard.com/2023/12/emerging-threat-what-to-know-about-the-play-ransomware-group/
www.cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1657 | Financial Theft | Impact |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1190 | Exploit Public-Facing Application | Initial Access |
T1003 | OS Credential Dumping | Credential Access |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1486 | Data Encrypted for Impact | Impact |
T1560.001 | Archive via Utility | Collection |
T1133 | External Remote Services | Initial Access, Persistence |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1518.001 | Security Software Discovery | Discovery |
T1552 | Unsecured Credentials | Credential Access |
T1016 | System Network Configuration Discovery | Discovery |