Play Ransomware
Executive Summary
Play Ransomware (also tracked as PLAY or Playcrypt) is a financially motivated ransomware group that emerged in 2022 and has repeatedly targeted governments, healthcare providers, schools, and private-sector enterprises across the Americas and Europe. Unlike some large affiliate marketplaces, Play is often described as a more tightly controlled extortion crew that nevertheless shares tradecraft with other modern ransomware ecosystems. Its hallmark behaviors include rapid post-compromise movement, data theft before encryption, and sparse ransom notes that simply say “PLAY” and provide a dark-web contact path.
Notable Campaigns
- Rackspace Hosted Exchange Disruption: In late 2022, Play was publicly linked to the ProxyNotShell compromise of Rackspace Hosted Exchange, causing broad downstream disruption.
- City of Oakland Ransomware Attack: Play was widely linked to the 2023 City of Oakland incident, which caused severe municipal IT disruption and emergency response measures.
- Widespread Exploitation Operations: By 2024-2025, Play remained one of the most active leak-site ransomware brands in public victim reporting.
Technical Capabilities
Public reporting on Play Ransomware frequently highlights exploitation of exposed edge infrastructure and use of compromised credentials for initial access, especially around Microsoft Exchange and enterprise VPN environments. Once inside, operators lean heavily on living-off-the-land techniques and common post-exploitation tooling such as Cobalt Strike, SystemBC, and Mimikatz. The group's custom payload uses intermittent encryption for speed and appends the .play extension to encrypted files.
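As an added example, not taken from the advisory or any source cited below, the following Python triage check illustrates what a defender can do with the two observables named above: it flags files carrying the .play extension and uses per-chunk entropy to spot the mixed random/plaintext pattern that intermittent encryption leaves behind, which a whole-file entropy average can dilute. The thresholds, chunk size and sample bytes are constructed assumptions, not values from Play reporting.

```python
import math
import random
from pathlib import Path

PLAY_EXTENSION = ".play"  # extension appended to encrypted files, per public reporting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy of each fixed-size chunk, so partial encryption is visible per region."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_intermittently_encrypted(data: bytes, chunk_size: int = 4096,
                                   high: float = 7.0, low: float = 6.0) -> bool:
    """True when some chunks are near-random (>= high) and others clearly are not (<= low).
    Fully encrypted or fully plaintext input returns False; thresholds are assumptions."""
    ents = chunk_entropies(data, chunk_size)
    if len(ents) < 2:
        return False
    return any(e >= high for e in ents) and any(e <= low for e in ents)


def has_play_extension(name: str) -> bool:
    return Path(name).suffix.lower() == PLAY_EXTENSION


def scan_tree(root: Path) -> dict:
    """Walk a directory and collect both indicators; read errors are skipped, not fatal."""
    findings = {"play_ext": [], "intermittent": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if has_play_extension(path.name):
            findings["play_ext"].append(str(path))
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if looks_intermittently_encrypted(data):
            findings["intermittent"].append(str(path))
    return findings


def make_constructed_sample() -> bytes:
    """Constructed test input: plaintext, one pseudo-random 4 KiB block, plaintext."""
    plain = (b"quarterly report figures and notes\n" * 200)[:4096]
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain + noise + plain
```

Run `scan_tree(Path("/path/to/share"))` on a copy of a suspect share; entropy thresholds should be tuned against known-good compressed or media files, which are high-entropy by nature.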
Attribution
Play Ransomware is assessed as a financially motivated cybercriminal syndicate. Public reporting has not established a definitive state nexus. Some analysts note operational and tooling overlap with other ransomware ecosystems, but the safest public framing is that Play is its own criminal extortion cluster with recurring similarities to peers rather than a formally proven rebrand of another family.
MITRE ATT&CK Profile
Initial Access: Exploitation of public-facing applications (T1190) and compromised valid accounts (T1078) appear repeatedly in Play intrusions.
Credential Access and Movement: Play operators use credential dumping, remote access tooling, and rapid lateral movement to stage broad network impact before detonation.
Impact: Play deploys ransomware for data encryption and extortion (T1486) after staging or stealing sensitive data.
Sources & References
- CISA: #StopRansomware Advisory - Play Ransomware — CISA, 2023-12-18
- Trend Micro: Ransomware Spotlight - Play — Trend Micro, 2023-09-08
- Adlumin: PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers — Adlumin, 2023-08-17