
Cyber Threat Actor: Play

Aliases: 3 aliases
Actor Type: Crime Syndicate
Location: Russia
Known Incidents: 41 incidents
Profile

The Play ransomware group, also tracked as PLAY gang, Play Ransomware Group, PlayCrypt and Play Ransomware, is a financially motivated cybercriminal operation that open-source reporting links to Russia. It first appeared in mid-2022 and quickly adopted a double-extortion model: victims' files are encrypted and the gang threatens to publish stolen data unless a ransom is paid. Its ransomware appends the ".PLAY" extension to encrypted files and drops a minimal ReadMe.txt note containing little more than the word "PLAY" and a contact e-mail address, a detail observed in the attack on Argentina's judicial systems. Reporting on the business model is mixed: some sources describe Play as a ransomware-as-a-service (RaaS) provider whose affiliate structure departs from the typical RaaS pattern, while the joint CISA/FBI advisory (AA23-352A) describes it as a presumed closed group. In either case the gang maintains a data leak site (DLS) where it posts victim data to pressure payment.
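The file-system artifacts described above (the ".PLAY" extension and the minimal ReadMe.txt note) are the quickest things a responder can sweep for on a suspect host or share. The following triage helper is an added example written for this page; it is not code from the page, from any vendor, or from the threat actor. It walks a directory tree, flags files with the ".PLAY" suffix (compared case-insensitively, since extension case varies across reports), and treats a ReadMe.txt as a Play-style note only if its body names PLAY and carries an e-mail address, so a benign readme with the same name is not counted. The sample tree it builds, including the "recovery@example.invalid" address, is constructed for the demonstration and is not a real indicator.

```python
"""
Triage helper for Play ransomware file artifacts.

Added example for this page: walks a directory tree, flags ".PLAY" encrypted
files and minimal "PLAY" + contact e-mail ReadMe.txt notes, and returns a
summary an incident responder can act on. All sample data is constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

NOTE_NAME = "readme.txt"      # matched case-insensitively against the file name
ENCRYPTED_SUFFIX = ".play"    # ".PLAY" on disk; matched case-insensitively
# The early Play note was reported as the word PLAY plus a contact address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class PlayTriage:
    """Findings for one tree: encrypted file paths, note paths, contact addresses."""
    encrypted: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    contact_emails: set = field(default_factory=set)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted or self.notes)


def is_play_note(path: str) -> tuple[bool, set]:
    """A ReadMe.txt counts as a Play note if it names PLAY and contains an e-mail.

    Only the first 4 KiB are read: the reported notes are tiny, and this keeps
    the sweep cheap on large shares.
    """
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            body = fh.read(4096)
    except OSError:
        return False, set()
    emails = set(EMAIL_RE.findall(body))
    return ("PLAY" in body.upper() and bool(emails)), emails


def triage_tree(root: str) -> PlayTriage:
    """Sweep a tree for encrypted files and ransom notes."""
    result = PlayTriage()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                result.encrypted.append(full)
            elif lower == NOTE_NAME:
                ok, emails = is_play_note(full)
                if ok:
                    result.notes.append(full)
                    result.contact_emails |= emails
    return result


def build_sample_tree() -> str:
    """Constructed sample: two encrypted documents, one Play-style note, benign noise."""
    root = tempfile.mkdtemp(prefix="play-triage-")
    os.makedirs(os.path.join(root, "shares", "finance"))
    with open(os.path.join(root, "shares", "finance", "q2.xlsx.PLAY"), "wb") as fh:
        fh.write(os.urandom(64))
    with open(os.path.join(root, "shares", "contract.docx.play"), "wb") as fh:
        fh.write(os.urandom(64))
    # Constructed note with a hypothetical address, not a real indicator.
    with open(os.path.join(root, "shares", "ReadMe.txt"), "w", encoding="utf-8") as fh:
        fh.write("PLAY\nrecovery@example.invalid\n")
    # Benign file with the same name: must not be counted as a note.
    with open(os.path.join(root, "shares", "finance", "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("Project notes for the finance team.\n")
    # 'play' inside a name is not the ".PLAY" suffix: must not be counted.
    with open(os.path.join(root, "shares", "playlist.txt"), "w", encoding="utf-8") as fh:
        fh.write("not encrypted\n")
    return root


if __name__ == "__main__":
    r = triage_tree(build_sample_tree())
    print(f"encrypted files: {len(r.encrypted)}, notes: {len(r.notes)}, "
          f"contacts: {sorted(r.contact_emails)}")
```

Point triage_tree() at a mounted share or a forensic image's mount point; the contact addresses it collects are worth cross-referencing against the DLS and prior incident reporting before any engagement with the extortionists.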

Play's targeting spans multiple sectors and regions, reflecting an opportunistic rather than narrowly focused approach. Manufacturing victims include Anchor Industries and Ganong Bros.; transportation operators include RVBW and the Dutch shipping company Royal Dirkzwager; media organizations include NZZ and CH Media; financial institutions include Mayberry Investments in the Caribbean and Globalcaja in Spain; hospitality is represented by H-Hotels in the DACH region; IT service providers include Unico Data AG and Rackspace; and government bodies range from the U.S. cities of Lowell and Oakland to the Argentine Judiciary of Córdoba. Healthcare providers have also been affected indirectly through breaches of their managed-service providers, and Trend Micro has reported Play claiming attacks on Latin American government entities. The strategic objective is explicitly financial gain, achieved through ransom demands backed by the threat of leaking confidential personal and corporate data obtained during the intrusion.

Observed tactics, techniques and procedures include the PlayCrypt malware family, Cobalt Strike for post-exploitation activity, and the SystemBC RAT for persistence. For initial access to Microsoft Exchange the group has exploited the chain CrowdStrike named OWASSRF: CVE-2022-41080 (privilege escalation through Outlook Web Access) followed by CVE-2022-41082 (remote code execution). That chain bypassed Microsoft's URL-rewrite mitigations for ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) and was the entry point in the December 2022 Rackspace hosted Exchange incident; the practical caveat is that servers which had applied only the ProxyNotShell mitigations, rather than the November 2022 Exchange security update, remained exposed to it. The gang leverages known exploit chains and has shown methodological similarities to the now-defunct Hive and Nokoyawa ransomware operations. Reported precursors also include phishing and the abuse of stolen credentials, though the specific vector varies by victim.

Publicly reported operations illustrate the impact. The April 2023 attack on Lowell, Massachusetts disrupted city telephone and online services while the gang threatened to release data. The May 2023 strike on Globalcaja encrypted local office systems but left transactional platforms intact. The March 2023 breach of NZZ led to the publication on the darknet of roughly 500 GB of internal data, including employee records. The August 2022 attack on Argentina's Judiciary of Córdoba used the characteristic .PLAY extension to encrypt files and forced the shutdown of IT systems. In the December 2022 H-Hotels incident the gang claimed access to client documents, passports and internal communications. Across these cases the pattern is the same: encryption coupled with data-theft extortion to monetize access across diverse industries.

Incidents: 41 attributed incidents (details available to members)
Sources: 23 sources (available to members)