Background
Play (also known as PlayCrypt) is a ransomware group that emerged in June 2022
and has steadily grown to become one of the most active ransomware operations
globally. The group takes its name from the .play extension appended to
encrypted files and its unusually terse ransom notes, which contain only the
word "PLAY" along with an email contact address. Little is known about the
group's membership or national affiliation, though analysis suggests possible
connections to Russian-speaking cybercriminal communities and potential overlap
with former Hive ransomware operators.
Play operates with a degree of discipline and consistency that sets it apart from more chaotic ransomware groups. The operation appears to be relatively closed, with a small number of highly skilled operators rather than a large open affiliate program. This is evidenced by the consistent TTPs observed across Play attacks, suggesting a tight-knit team rather than diverse affiliates with varying skill levels. By late 2023, Play had compromised approximately 300 organizations globally.
The group has shown particular focus on exploiting known vulnerabilities in internet-facing infrastructure, especially Microsoft Exchange and Fortinet appliances. Play has also developed custom tooling, including the Grixba information stealer and a proprietary VSS (Volume Shadow Copy) copying tool, demonstrating in-house development capabilities. In December 2023, CISA and the FBI issued a joint advisory warning of Play's widespread targeting across critical infrastructure sectors.
Notable Campaigns
City of Oakland (February 2023): Play ransomware attacked the city government of Oakland, California, forcing a city-wide state of emergency declaration. The attack compromised sensitive employee data, disrupted non-emergency city services, and forced systems offline for weeks. City employees were unable to process permits, manage finances, or access critical systems. The data breach exposed the personal information of current and former city employees.
City of Lowell, Massachusetts (April 2023): Play compromised the city of Lowell, disrupting government operations and forcing phone systems offline. The attack affected city email, computer networks, and public-facing services. Play published stolen data including employee records, financial documents, and identity verification documents on their leak site.
Arnold Clark (December 2022): Europe's largest independent car dealer, Arnold Clark, was hit by Play ransomware. The attack resulted in the theft of customer personal data including identification documents, bank statements, and National Insurance numbers. The company took systems offline for weeks during remediation, affecting sales and service operations across hundreds of dealerships.
Rackspace Technology (December 2022): The ransomware attack on managed cloud hosting provider Rackspace, initially attributed to Play, targeted the company's hosted Microsoft Exchange environment. The attack disrupted email services for thousands of Rackspace customers and resulted in permanent data loss for some customers. Forensic investigation revealed the attackers exploited a then-novel method called OWASSRF (CVE-2022-41080) to bypass Microsoft's ProxyNotShell mitigations.
Dallas County (October 2023): Play ransomware compromised Dallas County government systems in Texas, one of the most populous counties in the United States. The attack disrupted government operations and resulted in the theft and publication of sensitive county data. The incident highlighted Play's continued targeting of U.S. government entities at the county level.
Tactics, Techniques & Procedures
Play operators gain initial access primarily through exploitation of public-facing applications. The group has been particularly prolific in exploiting Microsoft Exchange vulnerabilities, including ProxyNotShell (CVE-2022-41040, CVE-2022-41082) and OWASSRF (CVE-2022-41080, CVE-2022-41082), as well as Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812). They also exploit exposed RDP services and compromised VPN accounts purchased from initial access brokers.
Once inside a network, Play follows a structured post-exploitation methodology.
The group uses AdFind and Bloodhound for Active Directory reconnaissance,
Mimikatz and Windows Credential Manager for credential harvesting, and
legitimate system administration tools for lateral movement. Play operators are
particularly adept at living-off-the-land, using built-in Windows tools like
PowerShell, WMI, and nltest to minimize their detection footprint.
Before deploying ransomware, Play exfiltrates data using WinSCP to external servers over SFTP, splitting large archives into segments for efficient transfer. The ransomware itself uses intermittent encryption (encrypting portions of files rather than entire contents) to accelerate the encryption process. Play targets both Windows environments and VMware ESXi hypervisors with dedicated Linux variants. The group implements robust anti-analysis measures and checks for sandbox environments before execution.
Tools & Malware
- Play Ransomware: The core payload using intermittent encryption with RSA and AES. Available in Windows and Linux (ESXi) variants. Appends the .play extension and drops minimal ransom notes.
- Grixba: A custom .NET information stealer and network scanner developed by Play operators. Enumerates software, services, users, and network topology to help prioritize targets and identify security products.
- VSS Copying Tool: A custom tool for extracting files from Volume Shadow Copies, allowing the group to access locked files and older versions of documents for exfiltration.
- SystemBC: A SOCKS5 proxy trojan used for establishing persistent tunneled communication and evading network detection.
- Cobalt Strike: Post-exploitation framework for C2, lateral movement, and in-memory payload execution.
- Mimikatz: Credential harvesting from Windows memory, targeting LSASS dumps and cached credentials.
- AdFind: Command-line Active Directory query tool for domain enumeration and attack path identification.
- PsExec: Microsoft Sysinternals tool for remote execution across domain-joined systems.
- WinSCP: Open-source SFTP client used for data exfiltration to attacker-controlled servers.
- Plink (PuTTY Link): Command-line SSH tool used for tunneling and maintaining encrypted access channels.
Indicators & Detection
Play ransomware is identifiable by the .play file extension on encrypted
files. Ransom notes are distinctive in their brevity, containing only the word
"PLAY" and an email address (typically using @gmx.de or @protonmail.com
domains). Unlike most modern ransomware groups, Play does not provide Tor-based
negotiation portals and instead relies on direct email communication.
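A small filesystem sweep for the indicators named above (the .play extension and a note consisting only of the word PLAY plus a gmx.de or protonmail.com contact address), written as an added example rather than the page's or any vendor's tooling; the sample tree, file bodies and contact address are constructed.

```python
import os
import re
import tempfile

NOTE_RE = re.compile(r"^\s*PLAY\s+[\w.+-]+@(?:gmx\.de|protonmail\.com)\s*$")
NOTE_MAX_BYTES = 512  # genuine notes are tiny; larger files are never read


def is_play_note(body: str) -> bool:
    """True only when the whole body is PLAY plus one address, nothing else."""
    return NOTE_RE.match(body) is not None


def sweep(root: str) -> dict:
    """Return .play-suffixed files and Play-style notes found under root."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if name.lower().endswith(".play"):
                    hits["encrypted"].append(path)
                elif os.path.getsize(path) <= NOTE_MAX_BYTES:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        if is_play_note(fh.read()):
                            hits["notes"].append(path)
            except OSError:
                continue  # unreadable entry: keep sweeping the rest
    return hits


def demo() -> dict:
    """Constructed tree: two encrypted files, one note, one benign memo."""
    files = {  # bodies and the contact address are made up for this example
        "finance/ledger.xlsx.play": "not ciphertext, just a stand-in\n",
        "finance/ReadMe.txt": "PLAY\nexample-contact@gmx.de\n",
        "hr/memo.txt": "PLAY is also an ordinary word in this memo.\n",
        "hr/payroll.docx.play": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = sweep(root)
        # report paths relative to root, with "/" so results are portable
        return {k: sorted(os.path.relpath(p, root).replace(os.sep, "/")
                          for p in v) for k, v in hits.items()}
```

Point sweep() at a suspect share or backup mount; the size cap keeps it from reading large documents, and a match on both lists is a strong Play signal.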
Prioritize patching of internet-facing Microsoft Exchange servers and Fortinet appliances, as these are Play's preferred entry points. Monitor Exchange servers for indicators of ProxyNotShell and OWASSRF exploitation, including unusual PowerShell execution in the Exchange context, web shell deployment, and unexpected mailbox export requests.
For network detection, monitor for Grixba's network scanning activity (port scans and service enumeration from compromised internal hosts), WinSCP data transfers to unfamiliar external IP addresses, and SystemBC proxy tunnel establishment. On endpoints, detect the use of the custom VSS copying tool (unusual access to Volume Shadow Copy volumes), AdFind execution patterns, and the ransomware's pre-encryption behavior including service termination and shadow copy deletion. Play's use of intermittent encryption means traditional entropy-based ransomware detection may be less effective; behavioral detection that identifies the file modification pattern is more reliable. Implement application allowlisting on critical servers and enforce strict network segmentation between server tiers.
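Why the intermittent encryption described above (and in the TTP section) weakens a whole-file entropy check, and how per-chunk scoring recovers the signal, as an added example that is not Play's code or any product's detector. The sample document, the 4 KiB chunk size and the one-in-four encrypted layout are assumptions for illustration, not Play's actual scheme.

```python
import math
import os
from collections import Counter

CHUNK = 4096            # scan granularity; an assumption, not Play's block size
HIGH = 7.5              # bits/byte; ciphertext or random chunks land near 8.0
WHOLE_THRESHOLD = 7.0   # typical cutoff a naive whole-file entropy check uses


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ciphertext_chunks(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> list:
    """Byte offsets of chunks whose entropy looks like ciphertext."""
    return [off for off in range(0, len(data), chunk)
            if shannon_entropy(data[off:off + chunk]) >= high]


def assess(data: bytes) -> dict:
    """Whole-file verdict versus per-chunk verdict for the same bytes."""
    whole = shannon_entropy(data)
    flagged = ciphertext_chunks(data)
    return {
        "whole_file_entropy": round(whole, 3),
        "whole_file_flagged": whole >= WHOLE_THRESHOLD,
        "ciphertext_chunks": len(flagged),
        "total_chunks": math.ceil(len(data) / CHUNK),
        "chunk_flagged": bool(flagged),
    }


def build_sample(chunks: int = 64, every: int = 4) -> bytes:
    """Constructed stand-in for an intermittently encrypted document: every
    `every`-th chunk is random bytes (as ciphertext would be), the rest is
    plain text. The one-in-four layout is illustrative, not Play's scheme."""
    text = (b"Quarterly report: revenue, headcount and risk register. " * 80)[:CHUNK]
    return b"".join(os.urandom(CHUNK) if i % every == 0 else text
                    for i in range(chunks))


if __name__ == "__main__":
    print(assess(build_sample()))
```

With a quarter of the file encrypted the whole-file score stays under 7.0 and a naive check passes it, while every encrypted chunk scores close to 8.0 and is flagged.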