THREAT ACTOR: Play
THREAT LEVEL: 8
EMERGENCE DATE: Jun 2022
CATEGORY: Selective Affiliate Model
AFFILIATIONS: Collaborated with APT 45, a North Korean state-sponsored group, in 2024 to incorporate new techniques

DESCRIPTION

Play ransomware, also known as PlayCrypt, emerged in June 2022 as a closed group built around operational secrecy. It quickly distinguished itself through intermittent encryption, which encrypts only portions of each file to shorten the encryption window and reduce the chance of behavioral detection. Having compromised numerous organizations globally as of May 2025, Play has evolved from its original closed structure to incorporate RaaS elements, extending its operational reach.

CRITICALITY: Assesses the importance of the potential target, including size/scale, the value of its data, and operational impact.
LETHALITY: Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS: Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

Play operates through a hybrid model that evolved from its original closed structure. Evidence indicates incorporation of RaaS elements, allowing affiliates to utilize Play's tools and infrastructure while maintaining operational security protocols. This model enables Play to retain approximately 30% of ransom payments while affiliates receive 70%, creating sustainable economic incentives for continued operations.

Current Status: Maintains consistent high-threat operations, with activity reduced from peak levels. Threat intelligence reporting positions Play above groups like Akira in operational intensity and targeting aggressiveness.


Origins and Methodology

Play Ransomware leverages technical innovation and operational efficiency to maintain prominence within the ransomware ecosystem. The group's methodology centers on rapid exploitation of vulnerabilities, particularly in FortiOS SSL VPNs, SonicWall appliances, and Microsoft Exchange servers, combined with living-off-the-land techniques that complicate detection efforts.

Recompiling the binary for each deployment produces a unique file hash, defeating hash- and signature-based detection, while intermittent encryption shortens the encryption window. These technical capabilities, paired with aggressive extortion tactics including phone harassment and personalized victim communications, establish Play as a persistent threat to global organizations.

What is the Evolution of Play Ransomware?
1. Formation

Emerging in June 2022, Play initially operated as a closed group focused on operational security. The ransomware's creators designed the infrastructure to support controlled operations while maintaining anonymity through strict operational protocols and limited affiliate participation.

2. Evolution

Since its emergence, Play has consistently refined its tactics, leveraging new vulnerabilities and adapting its methods to outpace defenses. Its intermittent encryption shows a clear focus on speed and stealth: it encrypts alternating 0x100000-byte (1 MiB) chunks of each file, which shortens the encryption window and sidesteps behavioral detections that key on whole-file rewrites. The group expanded its operations with a Linux variant targeting VMware ESXi environments, recognizing enterprise reliance on virtualization. This expansion coincided with the 2024 collaboration with APT 45, which brought nation-state tradecraft in credential harvesting and lateral movement into the group's operations.

3. Lineage/Connections

The transition to incorporating RaaS elements marks a significant operational shift, allowing controlled affiliate participation while maintaining stringent security protocols.

Which Unique Techniques Does Play Use?

The group combines traditional ransomware strategies with some innovations, ensuring its campaigns remain effective against even well-defended organizations. Its reliance on critical vulnerabilities and legitimate system tools enhances its stealth.

Infection Vectors: Play exploits remote code execution chains such as ProxyNotShell (CVE-2022-41040 SSRF chained with CVE-2022-41082 RCE) and OWASSRF, along with VPN authentication bypass flaws, for initial access. The group demonstrated zero-day capability by exploiting CVE-2025-29824 in the Windows CLFS driver before the April 2025 patch.

Target Selection: Prioritizes high-value sectors including government, healthcare, IT services, and manufacturing. Targets organizations where disruption has significant impact or where cyber insurance and limited incident response capabilities increase the likelihood of payment.

Operational Complexity: Uses advanced tooling such as Cobalt Strike, the SystemBC RAT, and the Grixba stealer. Employs intermittent encryption, custom PowerShell scripts, and binaries recompiled per deployment to avoid detection. Incorporated nation-state techniques through its 2024 collaboration with APT 45.

Key Features & Technical Details

Encryption Method: Hybrid scheme, AES-256 for file content with the AES keys protected by RSA-4096. Appends the .PLAY extension. Deletes shadow copies with vssadmin.exe and encrypts alternating 0x100000-byte chunks of each file for speed and stealth.

File Extension: .PLAY

Ransom Note: Standardized ransom notes with unique victim identifiers.

Double Extortion: Uses WinSCP, Grixba, and a VSS copying tool to extract data. Victim information is posted on the group's dark web site (DWS) with minimal details to avoid scrutiny.

Communication Channels: Tor-based negotiation portals with individualized victim email IDs.

Deployment Speed: Automated scripts and LOLBins allow rapid deployment.

Killswitch: No known killswitch.

Payment Method: Ransom demanded in Bitcoin; demands range from hundreds of thousands to millions of USD.

Operational Model: Hybrid model (originally closed, now controlled RaaS with a 70/30 affiliate/operator split).

Activities

Play maintains consistent operational tempo, establishing itself as a persistent threat through strategic targeting and technical innovation. The group's campaigns focus on critical infrastructure disruption and supply chain targeting, maximizing operational impact across interconnected systems. Recent exploitation of CVE-2025-29824 showcased zero-day capabilities against Windows CLFS vulnerabilities, while the May 2025 SimpleHelp campaign involved mass exploitation of CVE-2024-57727 in RMM platforms.

Which Industries Are Most Vulnerable to Play?

Manufacturing organizations face disproportionate targeting due to just-in-time production models where operational disruption translates immediately to revenue loss. Healthcare and government sectors attract persistent attention through essential service dependencies and regulatory pressures that increase payment likelihood. Professional Services, particularly managed service providers, offer cascading access to multiple downstream targets through single compromises.

Financial Services and Information Technology organizations provide high-value data access worth substantial ransom demands. The group specifically targets organizations with limited incident response capabilities or confirmed cyber insurance coverage, exploiting operational weaknesses for maximum leverage.

Modus Operandi

The group's modus operandi reflects its focus on stealth, precision, and efficiency. Each phase of its campaigns is meticulously planned, leveraging tools and techniques that maximize operational disruption while evading detection.

Their attacks are structured and deliberate, following a phased approach that leverages known vulnerabilities, stolen credentials, and specialized tools to infiltrate and compromise networks. Vulnerability exploitation and stolen credentials provide initial access; dedicated tools then handle lateral movement, persistence, and data exfiltration.

Initial Access

Exploits ProxyNotShell (CVE-2022-41040/CVE-2022-41082) and OWASSRF against Microsoft Exchange, and Fortinet SSL VPN flaws including CVE-2018-13379 and CVE-2020-12812. Abuses stolen credentials bought on dark web markets and buys pre-compromised environments from Initial Access Brokers.

Recent campaigns exploit SimpleHelp RMM servers via CVE-2024-57727. External-facing services such as RDP and VPN without MFA provide additional entry vectors.

Discovery and Reconnaissance

Deploys the Grixba information stealer for network reconnaissance, alongside AdFind for Active Directory queries and BloodHound to map privilege escalation paths.

Uses PowerShell scripts and Windows Management Instrumentation (WMI) for system enumeration and identification of high-value targets. nltest identifies domain controllers, while WMIC gathers detailed system and disk information for targeting decisions.

Command and Control

Establishes control by deploying the SystemBC RAT, which acts as both a backdoor and a SOCKS5 proxy tunnel over port 443 for persistent access. Cobalt Strike beacons provide redundant command infrastructure, while RDP and VPN connections maintain alternative access channels.

Defense Evasion and Privilege Escalation

Disables defenses with custom PowerShell scripts that target endpoint protection, and with tools such as GMER, IOBit, PowerTool, and Process Hacker to neutralize AV/EDR. Leverages LOLBins to blend malicious activity with legitimate system operations.

Recompiles the ransomware binary for each deployment so that every sample has a unique hash. Modifies firewall rules through netsh, and its PowerShell scripts specifically target Microsoft Defender. Uses WinPEAS, EscalatePC, Nskm and PrivCMD to escalate privileges through misconfigurations.

Credential Access

Harvests credentials by running Mimikatz and by dumping LSASS memory with ProcDump. Targets stored credentials in browsers and credential managers for expanded access, and performs Kerberoasting with tools such as Rubeus for offline password cracking.

Searches for plaintext credentials in unsecured storage locations while specifically targeting service and admin accounts to maximize privileged access; credential dumping with Mimikatz is the usual route to domain admin.

Infrastructure and Execution

Operates Tor-based infrastructure; its Cobalt Strike beacons have been observed with watermark 206546002. SystemBC provides encrypted SOCKS5 tunnels on port 443 for persistent communications. PsExec enables remote command execution across compromised systems.

Scheduled tasks ensure persistence and automated payload execution, with Group Policy Objects distributing executables enterprise-wide.

Lateral Movement

Uses PsExec, SMB, and RDP for network traversal. SSH tunnels on non-standard ports provide alternative movement paths in Linux environments. Cobalt Strike's built-in capabilities automate lateral movement, and scheduled tasks propagate the malware to new systems.

Group Policy Objects distribute malicious executables domain-wide through legitimate administrative channels.

Collection and Exfiltration

Collects sensitive data with Grixba and a VSS copying tool (which reads locked files from shadow copies), compresses it into .RAR archives with WinRAR, and transfers it with WinSCP before encryption begins.

Uses chunked exfiltration to stay under network detection thresholds, targeting intellectual property and business-critical data to maximize extortion leverage.
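The chunked exfiltration described above defeats detections that judge each transfer on its own, which is why practitioners aggregate outbound volume per (internal host, external destination) over a time window instead. The following is an added example, not Play tooling or code from this profile; the flow records, internal address ranges, destination IPs (RFC 5737 documentation addresses) and thresholds are constructed assumptions.

```python
# Added example (not from the profile): detect chunked exfiltration by
# aggregating outbound volume per (internal source, external destination)
# pair over a sliding time window, instead of judging each transfer alone.
# The flow records, internal ranges, IPs (RFC 5737 documentation addresses)
# and thresholds below are constructed assumptions for illustration.
from collections import defaultdict
from ipaddress import ip_address, ip_network

MB = 1024 * 1024

# Assumed internal address space; traffic to these networks is not exfiltration.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_out).
# Ten SFTP transfers of 40 MB each, 150 s apart: every one is below a 50 MB
# per-flow threshold, but together they move 400 MB in 25 minutes.
FLOWS = [(1_700_000_000 + i * 150, "10.0.5.23", "203.0.113.10", 22, 40 * MB)
         for i in range(10)]
FLOWS += [
    (1_700_000_060, "10.0.5.23", "10.0.9.4", 445, 900 * MB),   # internal copy, ignored
    (1_700_000_090, "10.0.7.8", "198.51.100.5", 443, 2 * MB),  # ordinary web traffic
]


def is_external(addr: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def per_flow_alerts(flows, threshold=50 * MB):
    """Naive rule: alert on any single external flow above threshold.
    Chunked exfiltration is sized precisely to stay under this."""
    return [(src, dst, n) for _, src, dst, _, n in flows
            if is_external(dst) and n > threshold]


def windowed_alerts(flows, window=3600, threshold=200 * MB):
    """Sliding window: alert when the bytes sent from one internal host to one
    external destination within `window` seconds exceed `threshold`."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, n in flows:
        if is_external(dst):
            by_pair[(src, dst)].append((ts, n))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        total, start = 0, 0
        for ts, n in events:
            total += n
            while events[start][0] < ts - window:  # expire records older than the window
                total -= events[start][1]
                start += 1
            if total > threshold:
                alerts.append((src, dst, total))
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    print("per-flow:", per_flow_alerts(FLOWS))   # []
    print("windowed:", windowed_alerts(FLOWS))   # [('10.0.5.23', '203.0.113.10', 251658240)]
```

The per-flow rule never fires on the constructed flows, while the windowed rule fires once the sixth 40 MB chunk pushes the hour's total past 200 MB. In production the window and threshold should be tuned per network segment, and the internal-range list replaced with the organization's own allocations.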

Persistence

Establishes short-term persistence through registry modifications and scheduled tasks, favoring rapid execution over long-term footholds to minimize detection opportunities.

Cobalt Strike beacons persist through service creation and registry autostart entries: just enough persistence to complete encryption.

Impact

Encrypts files with hybrid AES/RSA encryption, leaving .PLAY extensions and ransom notes threatening public exposure. Targets critical business operations to maximize disruption and payment likelihood.

The combination of encryption and exfiltration creates dual pressure points, while targeting of operational technology ensures maximum business impact.

Encryption

Deploys intermittent encryption, encrypting alternating 0x100000-byte (1 MiB) chunks of each file with AES-256 and protecting the keys with RSA-4096. Targets both local drives and network shares while avoiding system-critical directories. The partial encryption shortens the encryption window, and recompiling the binary for each deployment evades hash-based detection.

The ESXi variant targets virtual environments with AES-256 encryption, powering down VMs before encryption so that the virtual disk files can be fully encrypted.
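Because only every other 1 MiB chunk is encrypted, a whole-file entropy check lands in an ambiguous middle range, while per-chunk entropy exposes a strict encrypted/plaintext alternation. The following is an added example of that check, not Play's code and not from this profile; the sample file is constructed (random bytes stand in for ciphertext, no encryption is performed), the chunk size follows the profile, and the entropy thresholds are assumptions.

```python
# Added example (not Play's code and not from the profile): per-chunk Shannon
# entropy over 0x100000-byte windows to expose the alternating pattern that
# "every other chunk" intermittent encryption leaves behind, which a
# whole-file entropy check blurs. The sample file is constructed: random
# bytes stand in for ciphertext and no encryption is performed. The entropy
# thresholds are assumptions.
import math
import os

CHUNK = 0x100000      # 1 MiB, the chunk size the profile attributes to Play
HIGH_ENTROPY = 7.5    # assumed: ciphertext and compressed data sit near 8.0 bits/byte
LOW_ENTROPY = 6.0     # assumed: text, documents and most structured files sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly random data, roughly 4 to 5 for English text."""
    n = len(data)
    if n == 0:
        return 0.0
    ent = 0.0
    for value in range(256):
        count = data.count(value)
        if count:
            p = count / n
            ent -= p * math.log2(p)
    return ent


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk-sized window of the buffer."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify_chunks(entropies, high=HIGH_ENTROPY, low=LOW_ENTROPY) -> str:
    """One letter per chunk: E (encrypted-looking), P (plaintext-looking), ? (ambiguous)."""
    return "".join("E" if e >= high else "P" if e <= low else "?" for e in entropies)


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK, min_chunks: int = 3) -> bool:
    """True when chunks strictly alternate E/P, the signature of encrypting every other chunk."""
    pattern = classify_chunks(chunk_entropies(data, chunk))
    if len(pattern) < min_chunks or "?" in pattern:
        return False
    return ("E" in pattern and "P" in pattern
            and all(a != b for a, b in zip(pattern, pattern[1:])))


def scan_file(path: str, chunk: int = CHUNK) -> str:
    """Stream a file from disk and return its E/P/? pattern without loading it whole."""
    letters = []
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            letters.append(classify_chunks([shannon_entropy(buf)]))
    return "".join(letters)


def build_sample(chunks: int = 4) -> bytes:
    """Constructed victim file: document-like text with every other chunk replaced by random bytes."""
    line = b"Quarterly revenue figures and supplier contracts. "
    text = (line * (CHUNK // len(line) + 1))[:CHUNK]
    return b"".join(os.urandom(CHUNK) if i % 2 == 0 else text for i in range(chunks))


if __name__ == "__main__":
    sample = build_sample()
    print("whole-file entropy: %.2f" % shannon_entropy(sample))         # between LOW and HIGH: ambiguous
    print("chunk pattern:", classify_chunks(chunk_entropies(sample)))     # EPEP
    print("intermittent encryption:", looks_intermittently_encrypted(sample))  # True
```

The whole-file figure falls between the two thresholds and would be missed by a detector that only alarms near 8.0 bits per byte; the chunk pattern is unambiguous. Fully random or fully plaintext files produce uniform patterns and are not flagged, and `scan_file` applies the same logic to on-disk files without reading them into memory at once.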

Extortion

Combines encryption with threats to publish stolen data on its dark web site (DWS). Employs phone harassment and personalized communications to increase psychological pressure on decision-makers.

Anti-Forensics and Cleanup

Executes cmdpostfix.bat for evidence removal. Clears event logs using wevtutil and removes tool artifacts from the C:\Users\Public\Music staging directory, systematically deleting attack tools to minimize the forensic evidence available to incident responders.

Deletes shadow copies with vssadmin to prevent recovery through native Windows mechanisms (the AlphaVSS-based VSS copying tool is used earlier to read files from those snapshots, not to delete them), and targets backup systems to ensure disruption.
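The defense-evasion, credential-access and cleanup phases above all leave command-line artifacts (vssadmin delete shadows, wevtutil cl, netsh firewall changes, ProcDump against LSASS, the C:\Users\Public\Music staging path, cmdpostfix.bat and servtask.bat). The following added example, not from this profile or any vendor, matches process-creation command lines against those behaviors and flags hosts where several distinct ones occur together; the regexes are this example's own assumptions and the events are constructed to resemble Sysmon event ID 1 records, not real telemetry.

```python
# Added example (not from the profile or any vendor): match process command
# lines against the behaviors the profile describes and flag hosts where
# several distinct behaviors occur together. The regexes are this example's
# own assumptions; the events are constructed to look like Sysmon event ID 1
# or Security 4688 records and are not real telemetry.
import re

RULES = {
    "shadow_copy_deletion":    r"vssadmin(?:\.exe)?\s+delete\s+shadows",
    "event_log_clearing":      r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b",
    "firewall_rule_change":    r"netsh\s+advfirewall\s+firewall\s+(?:add|set|delete)\s+rule",
    "public_music_staging":    r"c:\\users\\public\\music\\",
    "play_batch_scripts":      r"\b(?:cmdpostfix|servtask)\.bat\b",
    "clfs_exploit_artifact":   r"c:\\programdata\\skypdf\\",
    "lsass_dump_procdump":     r"procdump(?:64)?(?:\.exe)?\b.*\blsass\b",
    "defender_tampering":      r"set-mppreference\s+-disable\w*\s+\$?true",
    "domain_recon":            r"\bnltest(?:\.exe)?\s+/dclist|\badfind(?:\.exe)?\b",
    "scheduled_task_creation": r"schtasks(?:\.exe)?\s+/create\b",
    "psexec_remote_exec":      r"\bpsexe(?:c|svc)(?:\.exe)?\b",
}
COMPILED = {name: re.compile(pattern, re.IGNORECASE) for name, pattern in RULES.items()}

# Constructed process-creation events (host, full command line).
EVENTS = [
    {"host": "WS01", "cmdline": r"vssadmin.exe list shadows"},                     # backup agent, benign
    {"host": "FS01", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": r"wevtutil.exe cl Security"},
    {"host": "FS01", "cmdline": r"cmd.exe /c C:\Users\Public\Music\cmdpostfix.bat"},
    {"host": "FS01", "cmdline": r'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "DC01", "cmdline": r"nltest /dclist:corp.local"},                      # single recon hit, below threshold
    {"host": "WS07", "cmdline": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\Music\ls.dmp"},
    {"host": "WS07", "cmdline": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS07", "cmdline": r"PsExec.exe \\FS01 -s cmd.exe /c C:\Users\Public\Music\servtask.bat"},
]


def match_event(cmdline: str) -> list:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def score_hosts(events, min_rules: int = 3) -> dict:
    """Hosts that tripped at least `min_rules` distinct rules, with the sorted rule names.
    Any one rule can fire on legitimate administration; several together on one
    host within a short span is the pattern worth paging on."""
    hits = {}
    for ev in events:
        for name in match_event(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], match_event(ev["cmdline"]), ev["cmdline"][:60])
    print(score_hosts(EVENTS))   # FS01 and WS07 flagged; WS01 and DC01 are not
```

The benign `vssadmin list shadows` on WS01 matches nothing, and DC01's lone nltest query stays below the three-rule threshold; FS01 and WS07 each accumulate several distinct behaviors and are the hosts an analyst should triage first. Feeding real Sysmon or 4688 telemetry into `score_hosts` only requires mapping the host and command-line fields, and the rule set is the place to add organization-specific suppressions for known administrative tooling.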

Indicators of Compromise (IOCs)

File Hashes: SHA256 hashes of the ransomware binary are unique per deployment because of recompilation, so known hashes change with each campaign; Grixba information stealer components maintain more consistent signatures.

IP Addresses: 45.91.201.247 (historical C2 infrastructure), 77.37.49.40 (backup command server); additional infrastructure rotates frequently.

Domains/URLs: Tor-based portals for victim communications; infrastructure domains change regularly to evade blocking.

File Paths:
C:\ProgramData\SkyPDF\PDUDrv.blf (CLFS exploitation artifact)
C:\ProgramData\SkyPDF\clssrv.inf (injected DLL for privilege escalation)
servtask.bat (privilege escalation script)
cmdpostfix.bat (evidence cleanup script)
C:\Users\Public\Music (tool and ransom note placement directory)

File Extensions: .PLAY

Exploits and Vulnerabilities

CVE-2025-29824 (Windows CLFS driver), CVSS 7.8: Use-after-free privilege escalation exploited as a zero-day prior to the April 2025 patch.

CVE-2024-57727 (SimpleHelp path traversal), CVSS 7.5: Unauthenticated path traversal allowing arbitrary file download from the RMM server.

CVE-2024-57726 (SimpleHelp authorization bypass), CVSS 9.9: Missing authorization checks let a low-privilege technician account create API keys with server-admin privileges.

CVE-2024-57728 (SimpleHelp file upload), CVSS 7.2: Path traversal in the authenticated (admin) file upload, allowing arbitrary file write on the server.

CVE-2022-41082 (Microsoft Exchange Server RCE), CVSS 8.8: Remote code execution through the Exchange PowerShell remoting endpoint; the second half of ProxyNotShell.

CVE-2022-41080 (Microsoft Exchange Server EoP), CVSS 8.8: Privilege escalation reached through OWA and chained with CVE-2022-41082 in OWASSRF, bypassing the URL-rewrite mitigations published for ProxyNotShell.

CVE-2022-41040 (Microsoft Exchange SSRF), CVSS 8.8: Server-side request forgery that reaches the PowerShell backend; the first half of ProxyNotShell.

CVE-2018-13379 (FortiOS SSL VPN path traversal), CVSS 9.8: Unauthenticated path traversal that discloses system files, including VPN session files containing plaintext credentials.

CVE-2020-12812 (FortiOS SSL VPN auth bypass), CVSS 9.8: Improper authentication that lets a user log in without the second factor when the username's case is changed.