Menu
Browse

Cyber Threat Actor: Play

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
United States of America
2 incidents
Profile

The threat actor known as PlayRansomware Gang, also referenced simply as Play, is publicly identified by its use of the Play ransomware family and is associated with operations originating from the United States. Open‑source reporting describes the group as a ransomware‑focused actor that has claimed responsibility for incidents affecting U.S.‑based organizations. The actor’s name appears in security advisories and news coverage that link it to both ransomware deployment and the exploitation of a zero‑day vulnerability in Microsoft Exchange services.

The actor has been observed targeting public transportation agencies and hosted email providers within the United States. In one incident, the group claimed responsibility for a network disruption at a regional transit company, affecting certain applications and network segments before the operator restored service and engaged third‑party specialists to investigate the scope. In a separate case, the actor exploited the previously unknown vulnerability CVE‑2022‑41080 to gain access to Rackspace’s Hosted Exchange environment, an action described in public reports as financially motivated. The exploitation allowed the actor to access personal storage tables of a limited number of customers without evidence of data exfiltration or lateral movement beyond the targeted service, and forensic analysis confirmed no misuse of the accessed data.

These two events represent the actor’s most publicly documented operations: the transit disruption that prompted a temporary service impact and the Rackspace Exchange compromise that led to the discontinuation of the hosted offering and a migration to Microsoft 365. Both incidents were investigated by the victims’ internal teams and third‑party specialists, with the transit operator declining to confirm ransomware specifics or potential data theft and the Rackspace case concluding with extensive data recovery for affected customers, fewer than 5 % of whom downloaded their available mailboxes. The actor’s activity illustrates a pattern of exploiting software weaknesses and deploying ransomware to cause operational disruption while avoiding broader network spread.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources