Play Ransomware Group

Actor Type Criminal Group

The Play ransomware group, also known as PlayCrypt, is a criminal collective responsible for ransomware attacks on companies and governmental institutions. According to reporting, Play operates as a 'closed group' in order to "guarantee the secrecy of deals", as opposed to the more open 'ransomware-as-a-service' offerings that use affiliates for larger-scale deployment.

The group emerged in 2022 and has targeted victims in multiple countries, including the United States, Brazil, Argentina, Germany, Belgium, and Switzerland. Linked attacks employ the 'double extortion' ransomware approach: encrypting systems after stealing sensitive data, followed by demanding ransom payments to decrypt files and prevent public leaks of the stolen information.

The name 'Play' comes from the '.play' file extension that the group uses to encrypt victims' data. After encryption, they leave a message containing the word 'PLAY' and an email address.

Particularly notable victims include the Argentine judiciary and a Swiss newspaper.


Play Ransomware Group Threat Reports

Report

#StopRansomware: Play Ransomware

This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
