Play
Threat-actor battle card · maintained from public sources · last updated 2026-06-23 · also known as PlayCrypt
Overview
Play (also known as PlayCrypt) is a financially motivated ransomware group active since June 2022. The FBI and CISA documented approximately 900 confirmed victims by May 2025, spanning North America, South America, and Europe. The group has consistently ranked in the global top-10 and directs roughly 85% of its attacks against US organisations. It operates a double-extortion model — exfiltrating data before encrypting, then threatening publication on a Tor-hosted leak site — but with an unusual ransom-note design: no demand or payment details are included; victims are instructed to contact the group via email only. No RaaS affiliate programme has been confirmed; Play appears to operate as a closed crew. A joint CISA/FBI/ASD ACSC advisory (AA23-352A) was issued December 2023 and updated June 2025.
Tradecraft
- Initial access: Exploits VPN appliance vulnerabilities — primarily FortiOS and Ivanti Connect Secure flaws — as well as valid credentials and exposed RDP. Optimised for speed against SMBs (<250 employees), achieving full domain compromise in hours.
- Recon: Grixba (custom Play-built info-stealer) to enumerate network and credential data; AdFind for Active Directory queries; BloodHound for AD attack-path mapping. Group identifies misconfigured GPOs, weak service accounts, and Kerberoastable accounts rapidly.
- Defence evasion: GMER, IOBit, PowerTool to delete logs and disable security products; PowerShell to disable Microsoft Defender. Each ransomware binary is recompiled per attack with a unique hash to bypass signature-based detection.
- Lateral movement: PsExec for remote execution across the network.
- Credential access: Mimikatz for domain administrator credential theft.
- Encryption: Appends .PLAY extension; Windows and ESXi/VMware variants both operational.
- Extortion channel: Victims receive ransom note with an @gmx.de or @web.de email contact only. On deadline expiry, data is published to the group's Tor-hosted DLS.
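The tradecraft above maps onto a handful of host-level signals that a defender can check for in a Windows event export: a PSEXESVC service installation (System event 7045), a Defender-tampering PowerShell script block (event 4104), AdFind or BloodHound collector launches and AV-killer tools in process creation (event 4688), and files being written with the .PLAY extension (Sysmon event 11). The triage script below is an added example, not from the advisory or the battle card's sources; the `event_id|host|message` export format and the event lines it runs over are constructed, and the rule names and the two-stage escalation threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed event export in "event_id|host|message" form (not real logs).
SAMPLE_EVENTS = """\
7045|FS01|A service was installed in the system. Service Name: PSEXESVC
4104|WS22|Creating Scriptblock text: Set-MpPreference -DisableRealtimeMonitoring $true
4688|DC01|New Process Name: C:\\Temp\\adfind.exe  Command Line: adfind -f objectcategory=computer
4688|WS22|New Process Name: C:\\Windows\\System32\\notepad.exe
11|FS01|File created: C:\\Shares\\Finance\\budget.xlsx.PLAY
11|FS01|File created: C:\\Shares\\Finance\\budget.xlsx
4688|WS22|New Process Name: C:\\Temp\\PowerTool64.exe
"""

# Each rule: (tradecraft stage, Windows event ID it applies to, pattern on the message).
# 7045 = service installed, 4104 = PowerShell script block, 4688 = process creation,
# 11 = Sysmon FileCreate. Stage names are illustrative labels, not an official taxonomy.
RULES = [
    ("lateral_movement:psexec",   "7045", re.compile(r"\bPSEXESVC\b", re.I)),
    ("defence_evasion:defender",  "4104", re.compile(r"Set-MpPreference\b.*Disable", re.I)),
    ("recon:ad_enumeration",      "4688", re.compile(r"\b(adfind|sharphound|bloodhound)(\.exe)?\b", re.I)),
    ("defence_evasion:av_killer", "4688", re.compile(r"\b(gmer|powertool|iobit)\w*\.exe\b", re.I)),
    ("impact:play_extension",     "11",   re.compile(r"\.PLAY\s*$", re.I)),
]


def parse_event(line):
    """Split one constructed export line into (event_id, host, message)."""
    event_id, host, message = line.split("|", 2)
    return event_id.strip(), host.strip(), message.strip()


def match_rules(line):
    """Return the stage names whose rule fires on a single event line."""
    event_id, _, message = parse_event(line)
    return [stage for stage, eid, pattern in RULES
            if eid == event_id and pattern.search(message)]


def triage(events_text, min_stages=2):
    """Group hits per host; hosts showing >= min_stages distinct stages are escalated."""
    hits = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        _, host, _ = parse_event(line)
        hits[host].update(match_rules(line))
    return {
        "hits": {h: sorted(s) for h, s in hits.items() if s},
        "escalate": sorted(h for h, s in hits.items() if len(s) >= min_stages),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because Play recompiles each binary per attack, none of these rules keys on a file hash; they key on behaviour (service name, cmdlet, tool name, extension) that stays constant across victims.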
Notable recent victims
- MyPillow (US, manufacturing/retail) — DLS, June 2026
- Pearson Ford (US, auto dealership) — DLS, June 2026; attack est. May 2026
- Corley Manufacturing (US, manufacturing) — DLS, June 2026
- Dallis Law Firm (US, legal/professional services) — DLS, June 2026
Assessment
Play targets mid-market and SMB organisations where patching velocity and incident-response capacity are lowest. The per-attack binary recompilation defeats static AV, while aggressive FortiOS/Ivanti VPN exploitation and BloodHound-accelerated AD takeover compress time-to-encryption to hours. The absence of an affiliate structure means that law-enforcement action against the group's infrastructure is less disruptive to its operations than a RaaS takedown would be (there is no affiliate network to flip). The June 2025 advisory update suggests TTPs continue to evolve. Priority defences: patch VPN appliances (FortiOS, Ivanti) on an emergency cycle; restrict or segment RDP; audit AD for Kerberoastable accounts, weak service passwords, and misconfigured GPOs; verify backup integrity and offline copy availability.
Sources
- CISA #StopRansomware: Play Ransomware (AA23-352A, Dec 2023)
- CISA/FBI/ASD Updated Play Advisory, June 2025
- FBI StopRansomware Play Advisory (IC3 PDF, Jun 2025)
- HIPAA Journal — Updated Play Advisory: Victim Count Reaches 900
- Cybersecurity Dive — FBI/CISA warn Play targeting critical infrastructure
- SOCRadar — Dark Web Profile: Play Ransomware
- Huntress — Play Threat Actor Profile
🗂️ Attacks & victims
All disclosed victims attributed to this actor, newest first.
June 2026