Play
Overview
Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, exfiltrating data before encrypting systems, and are presumed by security researchers to operate as a closed group.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 26 techniques across 13 tactics
Initial Access
Execution
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
Persistence
- T1133 External Remote Services
Stealth
- T1027.010 Command Obfuscation
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1078.003 Local Accounts
Defense Impairment
- T1685 Disable or Modify Tools
- T1685.005 Clear Windows Event Logs
Credential Access
- T1003.001 LSASS Memory
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1518.001 Security Software Discovery
Lateral Movement
- T1021.002 SMB/Windows Admin Shares
Collection
- T1560.001 Archive via Utility
Command and Control
- T1105 Ingress Tool Transfer
Exfiltration
Impact
- T1657 Financial Theft
Tools & malware (9)
Nltest · AdFind · PsExec · Empire · Wevtutil · Cobalt Strike · Playcrypt · BloodHound · Mimikatz
Reporting (2)
- #StopRansomware: Play Ransomware AA23-352A — CISA
- Ransomware Spotlight: Play — Trend Micro Research