Cyber Threat Actor: Play
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
43 incidents |
|---|
Profile
The threat actor known as the PLAY gang, also tracked as Play or PlayCrypt, is a ransomware operation that first appeared in July 2022 when Trend Micro reported its initial focus on government entities in Latin America. The group is associated with the Russian cybercrime landscape, as its location has been identified as Russia, though no public attribution to state sponsorship has been made. It operates under a ransomware‑as‑a‑service model, although its internal structure shows variations from a typical affiliate setup. The actor’s primary motive is financial gain, achieved through the encryption of victim systems coupled with the theft of sensitive data that is subsequently threatened with public release unless a ransom is paid.
Targeting patterns observed in open‑source reporting show a broad sectoral and geographic reach. Early activity concentrated on Latin American government bodies, but the group later expanded to include municipal administrations in the United States—such as the cities of Oakland and Lowell—and European municipalities like the French Rugby Federation and the German hotel chain H‑Hotels. Healthcare organizations have been hit, including hospitals in Germany and France, while the financial sector has seen victims such as the Spanish bank Globalcaja and the Swiss media conglomerate NZZ. The shipping industry was exemplified by the attack on Royal Dirkzwager, and the hospitality sector by H‑Hotels. Media outlets such as NZZ and CH Media have also been listed as victims, and Caribbean investment firms like Mayberry Investments have appeared in leak site notices. These incidents demonstrate a pattern of targeting entities that hold valuable personal, financial, or operational data across multiple continents.
The group’s tactics, techniques and procedures are repeatedly described in the sources. Initial access is often gained through the ProxyNotShell vulnerability in Microsoft Exchange, a zero‑day exploit used to achieve remote code execution. After gaining a foothold, the attackers deploy Cobalt Strike for post‑exploitation activities and employ the SystemBC remote access trojan to maintain persistence within the victim network. Prior to encryption, they exfiltrate data, which they threaten to leak via a dedicated data leak site; the ransomware appends the “.Play” extension to encrypted files and drops a simple ReadMe.txt note containing the word “PLAY” and a contact email. This double‑extortion approach—combining file encryption with the threat of data publication—is a hallmark of their operations, and they have been observed publishing stolen data on leak sites when ransom demands are not met.
Attribution to a specific nation‑state is not publicly asserted; the actor is described as a Russian‑based cybercriminal gang. Representative operations that illustrate their evolution include the early Latin American government targets cited by Trend Micro, the high‑profile ransomware attack on the City of Oakland that generated multiple gigabytes of leaked data, the subsequent strike on the City of Lowell, Massachusetts, which disrupted municipal services, and the encryption of systems at Globalcaja that prompted the bank to isolate affected workstations while keeping core banking functions online. Other notable incidents involve the ransomware‑related outage at H‑Hotels, the data leak threatened against NZZ and CH Media, and the disruption of Royal Dirkzwager’s maritime logistics operations. These examples illustrate the group’s shift from an initial regional focus to a broader, financially motivated campaign that leverages data theft as leverage for extortion.
