LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile

Play Ransomware: Group Profile, TTPs, and 2026 Campaign Activity

Play ransomware has maintained consistent activity since 2022, targeting government, healthcare, and professional services. This profile covers the group's technical capabilities, initial access methods, extortion model, and recent campaign observations through mid-2026.

By Ransomware Tracker ·
PlayransomwareRaaSdouble-extortiongovernmenthealthcareprofessional-servicesFortiOSMicrosoft-ExchangeTTPs
Threat Level
8/10

Group Overview

Play ransomware (also tracked as PlayCrypt) emerged in June 2022 and has operated continuously since, maintaining a steady tempo of attacks against organisations in North America, Europe, Latin America, and Australia. Unlike many ransomware operations that adopt a full Ransomware-as-a-Service model, Play operated for much of its history as a more closed group — limiting affiliate access and maintaining tighter operational security than commodity RaaS platforms.

The group operates a double-extortion model: encrypting victim data and threatening to publish exfiltrated files on their leak site if ransom demands are not met. Their leak site has listed over 500 victims since inception, with victim counts accelerating through 2025 and into 2026.

Play has demonstrated particular targeting preference for:

  • State and local government agencies
  • Healthcare organisations and hospital systems
  • Professional services firms (legal, accounting, consulting)
  • Manufacturing and logistics
  • Managed Service Providers (as a vector for downstream victims)

Initial Access Methods

Play actors have demonstrated consistent use of a small set of high-value exploitation paths, typically targeting internet-facing infrastructure rather than relying on phishing as a primary entry point.

Fortinet FortiOS Vulnerabilities

Play has repeatedly exploited vulnerabilities in Fortinet products for initial access. They were among the first groups observed exploiting CVE-2022-41082 (ProxyNotShell in Microsoft Exchange) and have a documented history of leveraging FortiOS authentication bypass vulnerabilities including CVE-2022-40684, which allowed unauthenticated API access to FortiGate and FortiManager systems.

CISA and FBI issued a joint advisory (AA23-352A) in December 2023 specifically attributing Play ransomware actors to sustained exploitation of Fortinet vulnerabilities as a primary initial access vector.

Microsoft Exchange (ProxyNotShell, OWASSRF)

Beyond FortiOS, Play actors exploited the ProxyNotShell vulnerability chain (CVE-2022-41082 and CVE-2022-41040) within weeks of public disclosure in late 2022. When Microsoft released mitigations, Play adapted to the OWASSRF variant (CVE-2022-41080), demonstrating active vulnerability research capability rather than simple exploitation of public proof-of-concept code.

Valid Credentials and VPN Access

Play actors also use purchased or stolen VPN credentials — consistent with the broader ransomware ecosystem’s reliance on Initial Access Brokers (IABs). This gives them a foothold without direct exploitation and allows them to blend initial activity with legitimate remote access patterns.

Post-Compromise Tactics and Tools

Play’s post-compromise behaviour is well-documented from incident response engagements and corroborated across multiple security vendor reports.

Persistence and Privilege Escalation

After obtaining initial access, Play actors move quickly to establish persistence and escalate privileges:

  • WinPEAS / PEAS suite for automated privilege escalation enumeration on Windows
  • Mimikatz and Cobalt Strike for credential harvesting from LSASS and lateral movement
  • BloodHound/SharpHound for Active Directory reconnaissance — mapping paths to Domain Admin
  • SystemBC as a proxy and persistence mechanism, particularly for maintaining C2 communication through compromised environments with outbound filtering

Defense Evasion

Play actors consistently attempt to impair defenses before proceeding with encryption:

  • Stopping and disabling Windows Defender and other AV/EDR processes via net stop and service manipulation
  • Deleting Volume Shadow Copies using vssadmin delete shadows /all /quiet to prevent recovery without paying ransom
  • Using ProcessHacker and GMER for EDR evasion and rootkit-level visibility into security tooling
  • Staging activity in C:\Windows\Temp\ and other high-noise directories

Data Exfiltration

Play uses WinSCP and WinRAR extensively for staging and exfiltration — compressing target data before transfer to attacker-controlled infrastructure. Sensitive data is typically archived in chunks to avoid detection by volume-based DLP rules. Target data categories typically include customer PII, financial records, legal documents, and in government targets: law enforcement databases and personally identifiable information of public employees.

Encryption

Play’s encryptor appends the .play extension to encrypted files and drops a ReadMe.txt ransom note. The encryptor targets both Windows and VMware ESXi environments — the Linux variant specifically identifies and terminates VMs before encrypting VMDK files, maximising disruption.

Extortion Model and Negotiation Behaviour

Play does not publish ransom demand amounts publicly — a deliberate operational choice that limits price anchoring. Initial demands are communicated exclusively through their Tor-based negotiation portal. Victims are directed to contact the group within a specified timeframe, with file publication beginning if no contact is made.

The group has publicly posted victim data from government agencies and healthcare organisations, including data from the City of Oakland (2023) and Rackspace (where Play was one of several actors in that period). The willingness to publish public sector data — including sensitive law enforcement files — signals that Play actors are not deterred by targets that might generate law enforcement attention.

Ransom demands vary widely by victim size. Intelligence from public sources and law enforcement advisories indicates demands ranging from tens of thousands of dollars for smaller organisations to multi-million dollar demands for large enterprises and government agencies.

2026 Campaign Observations

Activity through the first half of 2026 indicates Play has maintained operational tempo comparable to 2025:

Expanded geographic targeting: Play has increased victim listings from Latin American targets through 2025-2026, particularly in Brazil and Mexico, consistent with broader ransomware ecosystem geographic diversification as North American and European defenses improve.

Continued ESXi focus: The ESXi encryptor variant has been updated, and post-incident analysis from Q1 2026 intrusions shows Play actors spending more time mapping backup infrastructure before deploying encryption — specifically targeting Veeam backup servers and their associated repositories as a precondition for ransomware deployment.

MSP targeting for downstream access: Several 2026 Play intrusions have involved compromise of managed service providers, with the initial MSP network used as a staging point for attacks against their downstream clients. This multiplier effect — one intrusion yielding access to multiple victim organisations — is consistent with other groups (Cl0p, RansomHub) adopting similar strategies.

Detection Opportunities

Key indicators of Play intrusion activity to monitor:

  • vssadmin delete shadows /all execution — consistent across almost all Play incidents
  • SystemBC traffic: SOCKS5 proxy communications to hardcoded C2 IPs, typically TCP ports 4000-5000
  • WinSCP and WinRAR executions from unusual user contexts or service accounts
  • BloodHound SharpHound execution: SharpHound.exe or bloodhound.exe process creation
  • .play extension appended to files — terminal indicator, encryption already underway
  • Ransom note filename: ReadMe.txt placed in every encrypted directory

MITRE ATT&CK techniques associated with Play campaigns include T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1003.001 (LSASS Memory), T1489 (Service Stop), T1490 (Inhibit System Recovery), and T1486 (Data Encrypted for Impact).

Mitigation Priorities

Organisations in Play’s targeting sectors should prioritise:

  1. Patch internet-facing infrastructure immediately — particularly Fortinet products and Microsoft Exchange
  2. Implement phishing-resistant MFA on VPN, RDP, and all remote access
  3. Offline, immutable backups that cannot be reached from the primary Windows domain
  4. Monitor for Volume Shadow Copy deletion — it is a high-confidence pre-ransomware indicator
  5. Network segmentation to limit lateral movement from internet-facing systems to production and backup infrastructure
// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting