Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Play Ransomware

124
Global rank
56 infographic chevron month
Month rank
60 infographic chevron week
Week rank
0
IOCs

Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.

Ransomware
Type
Unknown
Origin
1 March, 2022
First seen
10 February, 2025
Last seen
Also known as
PlayCrypt

How to analyze Play Ransomware with ANY.RUN

Type
Unknown
Origin
1 March, 2022
First seen
10 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 531
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1401
comments 0
post image
Release Notes: System Updates, New YARA and S...
watchers 4979
comments 0

What is Play ransomware?

Play aka PlayCrypt is relatively new yet already notorious ransomware group active since mid-2022. It has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe.

It is based on double extortion technique and has intermittent encryption as its signature feature. Partial encryption is completed much faster, besides, it prevents detection by security solutions that monitor files for extensive modifications.

It infiltrates the targeted system by exploiting vulnerabilities in public-facing applications, such as Microsoft Exchange Server. It is also distributed via phishing emails containing malicious attachments or links. Malicious ads and compromised websites has also been detected as distribution vehicles.

Play Ransomware ransom note in the ANY.RUN Sandbox Play Ransomware ransom note shown in the ANY.RUN sandbox

To move laterally within the network and deploy the ransomware payload, it abuses the legitimate tools and built-in system utilities (e.g., PowerShell, PsExec, Cobalt Strike).

After exfiltrating sensitive data, the ransomware encrypts files, adds the .play extension, and leaves a ransom note in each affected directory containing instructions on how to pay the ransom.

Play ransomware uses anti-analysis techniques to evade detection by security software, creates scheduled tasks and modifies registry entries to maintain persistence.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Play ransomware technical details

Play Ransomware is equipped with advanced capabilities focused on maximizing impact on the victims’ infrastructure:

  • Double Extortion: Data encryption and theft for increased ransom leverage.
  • Partial File Encryption: Evades detection, speeds encryption by encrypting file portions rather than entire files.
  • Security Disabling: Disables security systems to facilitate encryption and maintain persistence.
  • Log Removal: Removes system logs to obscure activity and hinder forensics.
  • Lateral Movement: Spreads within networks, increasing attack scope and leverage.
  • Network Reconnaissance: Uses NetScan for network topology and target identification to enable lateral movement.
  • Credential Dumping: Employs Mimikatz for credential extraction to facilitate privilege escalation and lateral movement.
  • Privilege Escalation: Leverages publicly available Windows Privilege Escalation Awesome Scripts for privilege escalation, enabling system-level access.
  • Remote Control: Utilizes AnyDesk and Cobalt Strike for persistent remote access, command execution, and potential data exfiltration.

Play execution process

Let’s upload the Play Ransomware to ANY.RUN’s Interactive Sandbox for analysis to see how it operates.

Play Ransomware analysis in the ANY.RUN Sandbox Play Ransomware analysis session in the ANY.RUN sandbox

A typical Play ransomware attack begins with gaining initial access to the victim’s network via exploiting public-facing applications or abusing valid accounts.

Once inside the targeted environment, the malware focuses on stealth by heavily relying on Living Off the Land Binaries (LOLBins). To facilitate lateral movement and execute files, Play may use command-and-control applications like Cobalt Strike or SystemBC.

Play Ransomware analysis in the ANY.RUN Sandbox Play Ransomware process analysis in the ANY.RUN sandbox

Before encrypting files, Play ransomware operators exfiltrate data. They do this by splitting compromised data into segments, compressing files, and transferring them to actor-controlled accounts.

After exfiltration, the ransomware encrypts files using an AES-RSA hybrid approach with intermittent encryption while skipping system files.

Encrypted files are appended with the .play extension, and a ransom note named ReadMe.txt is placed in the file directory on the C:\ partition.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Cyber Threat Intelligence on Play Ransomware

To get the most current information about Play Ransomware, use Threat Intelligence Lookup. It contains data extracted from millions of public malware analyses conducted in ANY.RUN’s Interactive Sandbox.

You can use over 40 different search parameters, including specific IPs, domains, file names, or even mutexes. Using these filters, you can quickly gather important details about threats like Play Ransomware.

For example, if you were investigating Play Ransomware, you could start by directly searching for its name within the Threat Intelligence Lookup. Or, if you had other clues like unique file codes (hashes) or website connections it uses, you could search with those instead.

Play Ransomware search results in TI Lookup Search results for Play Ransomware in TI Lookup

A simple and effective search would be to use the search term: threatName:"Play". This type of search will show you a list of sandbox reports associated with Play Ransomware. You can then explore these reports to get a deep understanding of exactly how this ransomware works and what it does.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Play distribution methods

Play Ransomware commonly gains initial access through several attack vectors. Compromised Remote Desktop Protocol (RDP) servers are a frequent entry point, often due to weak security configurations. Attackers exploit known vulnerabilities like CVE-2020-12812 in RDP services to bypass authentication and gain unauthorized system access.

Another prevalent method involves exploiting CVE-2022-41040, the ProxyNotShell vulnerability in Microsoft Exchange, allowing for remote code execution directly on vulnerable servers.

Conclusion

Play Ransomware poses a serious risk to organizations. Its blend of advanced techniques, such as partial encryption and lateral movement, coupled with readily exploitable entry points like RDP and VPN vulnerabilities, requires comprehensive security attention.

To prevent Play Ransomware infections, organizations can analyze suspicious files and URLs in ANY.RUN's Interactive Sandbox. The service provides fast insights into the malicious behavior and allows users to manually engage with threats in a safe environment just like on a standard computer.

Sign up for a free ANY.RUN account

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Lynx screenshot
Lynx
lynx
Lynx is a double extortion ransomware: attackers encrypt important and sensitive data and demand a ransom for decryption simultaneously threatening to publish or sell the data. Active since mid-2024. Among techniques are terminating processes and services, privilege escalation, deleting shadow copies. Distribution by phishing, malvertising, exploiting vulnerabilities.
Read More