Group Overview
Play ransomware (also tracked as PlayCrypt) emerged in June 2022 and has operated continuously since, maintaining a steady tempo of attacks against organisations in North America, Europe, Latin America, and Australia. Unlike many ransomware operations that adopt a full Ransomware-as-a-Service model, Play operated for much of its history as a more closed group — limiting affiliate access and maintaining tighter operational security than commodity RaaS platforms.
The group operates a double-extortion model: encrypting victim data and threatening to publish exfiltrated files on their leak site if ransom demands are not met. Their leak site has listed over 500 victims since inception, with victim counts accelerating through 2025 and into 2026.
Play has demonstrated particular targeting preference for:
- State and local government agencies
- Healthcare organisations and hospital systems
- Professional services firms (legal, accounting, consulting)
- Manufacturing and logistics
- Managed Service Providers (as a vector for downstream victims)
Initial Access Methods
Play actors have demonstrated consistent use of a small set of high-value exploitation paths, typically targeting internet-facing infrastructure rather than relying on phishing as a primary entry point.
Fortinet FortiOS Vulnerabilities
Play has repeatedly exploited vulnerabilities in Fortinet products for initial access. They were among the first groups observed exploiting CVE-2022-41082 (ProxyNotShell in Microsoft Exchange) and have a documented history of leveraging FortiOS authentication bypass vulnerabilities including CVE-2022-40684, which allowed unauthenticated API access to FortiGate and FortiManager systems.
CISA and FBI issued a joint advisory (AA23-352A) in December 2023 specifically attributing Play ransomware actors to sustained exploitation of Fortinet vulnerabilities as a primary initial access vector.
Microsoft Exchange (ProxyNotShell, OWASSRF)
Beyond FortiOS, Play actors exploited the ProxyNotShell vulnerability chain (CVE-2022-41082 and CVE-2022-41040) within weeks of public disclosure in late 2022. When Microsoft released mitigations, Play adapted to the OWASSRF variant (CVE-2022-41080), demonstrating active vulnerability research capability rather than simple exploitation of public proof-of-concept code.
Valid Credentials and VPN Access
Play actors also use purchased or stolen VPN credentials — consistent with the broader ransomware ecosystem’s reliance on Initial Access Brokers (IABs). This gives them a foothold without direct exploitation and allows them to blend initial activity with legitimate remote access patterns.
Post-Compromise Tactics and Tools
Play’s post-compromise behaviour is well-documented from incident response engagements and corroborated across multiple security vendor reports.
Persistence and Privilege Escalation
After obtaining initial access, Play actors move quickly to establish persistence and escalate privileges:
- WinPEAS / PEAS suite for automated privilege escalation enumeration on Windows
- Mimikatz and Cobalt Strike for credential harvesting from LSASS and lateral movement
- BloodHound/SharpHound for Active Directory reconnaissance — mapping paths to Domain Admin
- SystemBC as a proxy and persistence mechanism, particularly for maintaining C2 communication through compromised environments with outbound filtering
Defense Evasion
Play actors consistently attempt to impair defenses before proceeding with encryption:
- Stopping and disabling Windows Defender and other AV/EDR processes via
net stopand service manipulation - Deleting Volume Shadow Copies using
vssadmin delete shadows /all /quietto prevent recovery without paying ransom - Using
ProcessHackerandGMERfor EDR evasion and rootkit-level visibility into security tooling - Staging activity in
C:\Windows\Temp\and other high-noise directories
Data Exfiltration
Play uses WinSCP and WinRAR extensively for staging and exfiltration — compressing target data before transfer to attacker-controlled infrastructure. Sensitive data is typically archived in chunks to avoid detection by volume-based DLP rules. Target data categories typically include customer PII, financial records, legal documents, and in government targets: law enforcement databases and personally identifiable information of public employees.
Encryption
Play’s encryptor appends the .play extension to encrypted files and drops a ReadMe.txt ransom note. The encryptor targets both Windows and VMware ESXi environments — the Linux variant specifically identifies and terminates VMs before encrypting VMDK files, maximising disruption.
Extortion Model and Negotiation Behaviour
Play does not publish ransom demand amounts publicly — a deliberate operational choice that limits price anchoring. Initial demands are communicated exclusively through their Tor-based negotiation portal. Victims are directed to contact the group within a specified timeframe, with file publication beginning if no contact is made.
The group has publicly posted victim data from government agencies and healthcare organisations, including data from the City of Oakland (2023) and Rackspace (where Play was one of several actors in that period). The willingness to publish public sector data — including sensitive law enforcement files — signals that Play actors are not deterred by targets that might generate law enforcement attention.
Ransom demands vary widely by victim size. Intelligence from public sources and law enforcement advisories indicates demands ranging from tens of thousands of dollars for smaller organisations to multi-million dollar demands for large enterprises and government agencies.
2026 Campaign Observations
Activity through the first half of 2026 indicates Play has maintained operational tempo comparable to 2025:
Expanded geographic targeting: Play has increased victim listings from Latin American targets through 2025-2026, particularly in Brazil and Mexico, consistent with broader ransomware ecosystem geographic diversification as North American and European defenses improve.
Continued ESXi focus: The ESXi encryptor variant has been updated, and post-incident analysis from Q1 2026 intrusions shows Play actors spending more time mapping backup infrastructure before deploying encryption — specifically targeting Veeam backup servers and their associated repositories as a precondition for ransomware deployment.
MSP targeting for downstream access: Several 2026 Play intrusions have involved compromise of managed service providers, with the initial MSP network used as a staging point for attacks against their downstream clients. This multiplier effect — one intrusion yielding access to multiple victim organisations — is consistent with other groups (Cl0p, RansomHub) adopting similar strategies.
Detection Opportunities
Key indicators of Play intrusion activity to monitor:
vssadmin delete shadows /allexecution — consistent across almost all Play incidents- SystemBC traffic: SOCKS5 proxy communications to hardcoded C2 IPs, typically TCP ports 4000-5000
- WinSCP and WinRAR executions from unusual user contexts or service accounts
- BloodHound SharpHound execution:
SharpHound.exeorbloodhound.exeprocess creation .playextension appended to files — terminal indicator, encryption already underway- Ransom note filename:
ReadMe.txtplaced in every encrypted directory
MITRE ATT&CK techniques associated with Play campaigns include T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1003.001 (LSASS Memory), T1489 (Service Stop), T1490 (Inhibit System Recovery), and T1486 (Data Encrypted for Impact).
Mitigation Priorities
Organisations in Play’s targeting sectors should prioritise:
- Patch internet-facing infrastructure immediately — particularly Fortinet products and Microsoft Exchange
- Implement phishing-resistant MFA on VPN, RDP, and all remote access
- Offline, immutable backups that cannot be reached from the primary Windows domain
- Monitor for Volume Shadow Copy deletion — it is a high-confidence pre-ransomware indicator
- Network segmentation to limit lateral movement from internet-facing systems to production and backup infrastructure