Mallory

Play

10 malware families. Exploits CVEs in the wild.

Also known as: Balloonfly, play, play_ransomware, play_ransomware_gang, play_ransomware_group, playcrypt

Play, also known as Playcrypt and tracked under the alias Balloonfly, is a ransomware group operating a double-extortion model. Reporting cited here states that Play significantly increased victim postings in Q4 2023 and remained among the most active ransomware groups through 2025 and Q1 2026, with victims concentrated in the United States and additional victims across Canada, Europe, Asia-Pacific, Africa, Latin America, and the Caribbean. The group has targeted multiple sectors, including healthcare, manufacturing, construction, professional services, government-related entities, and critical infrastructure. FBI reporting cited here says Play operators had allegedly impacted about 900 organizations by May 2025, and the variant consistently ranked among the top threats to critical infrastructure. Play tends to gain initial access by exploiting known vulnerabilities in public-facing systems, including FortiOS flaws, and also uses valid accounts. Reported tradecraft includes:

  • scheduled tasks;
  • PowerShell, including Base64-encoded PowerShell used to disable Microsoft Defender;
  • credential dumping from LSASS and NTDS;
  • discovery of system, network, software, security software, and domain account information;
  • remote services, including RDP and SMB/Windows Admin Shares, for lateral movement;
  • lateral tool transfer;
  • data archiving and exfiltration over alternative protocols;
  • remote access software for command and control;
  • clearing Windows event logs;
  • stopping services;
  • inhibiting system recovery;
  • modifying group policy or tenant policy;
  • disabling or modifying security tools;
  • encrypting data for impact.

Specific tools and procedures mentioned include Grixba to check for security processes; batch scripts to remove indicators of presence; AdFind, Nltest, and BloodHound for network enumeration; GMER, IOBit, and PowerTool to disable antivirus; Wevtutil for artifact removal; and WinSCP command-line transfers for exfiltration in some intrusions. Play instructs victims to contact the group by email rather than providing direct payment instructions in ransom notes. Associated artifacts include a YARA rule named "Play.yar" and the email IOCs derdiarikucisv@gmx.de and raniyumiamrm@gmx.de. Play has used a Babuk-based ESXi encryptor, and ESET reported links between Play, RansomHub, Medusa, and BianLian through shared affiliate tooling, with one affiliate cluster assessed by ESET as most closely resembling Play operations. Separately, North Korean government actors have reportedly used Play ransomware in their intrusions, but the reporting does not attribute Play itself to a North Korean state actor.
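The tradecraft summarised above (encoded PowerShell that tampers with Defender, Wevtutil log clearing, AdFind/Nltest/BloodHound enumeration, WinSCP scripted transfers) maps onto a handful of process-creation patterns a SOC can check for. The following Python is an added example, not code from Mallory or from any report it cites: it recovers the script behind a `-EncodedCommand` switch (PowerShell accepts any unambiguous prefix of that switch, so `-e` and `-enc` must be handled too) and then runs simple rules over both the raw command line and the decoded script. The sample command lines, the file paths in them and the rule names are all constructed assumptions for illustration; a plain encoded command on its own is not treated as a finding, since administrators use that switch legitimately.

```python
import base64
import binascii
import re


def encode_powershell(script: str) -> str:
    """Base64 of the UTF-16LE script, the form PowerShell expects for -EncodedCommand.
    Used here only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not real log data).
SAMPLE_COMMAND_LINES = [
    # 0: benign administrative use of an encoded command
    "powershell.exe -NoProfile -EncodedCommand "
    + encode_powershell("Get-Process | Sort-Object CPU -Descending"),
    # 1: encoded command that turns off Defender real-time monitoring
    "powershell.exe -nop -w hidden -enc "
    + encode_powershell("Set-MpPreference -DisableRealtimeMonitoring $true"),
    # 2: Security event log cleared with wevtutil
    "cmd.exe /c wevtutil.exe cl Security",
    # 3: AdFind run from a temp directory (hypothetical path)
    r"C:\Windows\Temp\adfind.exe -f (objectcategory=computer)",
    # 4: WinSCP driven by a script file (hypothetical path)
    r"winscp.com /script=C:\Windows\Temp\upload.txt",
    # 5: benign script run with an -E... switch that is NOT -EncodedCommand
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

# Capture every "-e..." switch and its argument; the prefix check happens below.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Rules keyed to behaviours the profile attributes to Play. Tool-name rules are
# deliberately simple and would need tuning against real telemetry.
RULES = [
    ("defender_tamper", re.compile(r"(?i)\b(?:Set|Add)-MpPreference\b.*?-(?:Disable\w+|Exclusion\w+)")),
    ("clear_event_log", re.compile(r"(?i)\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b")),
    ("recon_tool", re.compile(r"(?i)\b(?:adfind|nltest|bloodhound)\b")),
    ("av_killer_tool", re.compile(r"(?i)\b(?:gmer|powertool)\b")),
    ("scripted_transfer", re.compile(r"(?i)\bwinscp(?:\.com|\.exe)?\b")),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand
    (or any prefix PowerShell accepts: -e, -ec, -enc, ...), else None."""
    for switch, token in ENCODED_SWITCH.findall(cmdline):
        if not "encodedcommand".startswith(switch.lower()):
            continue  # e.g. -ExecutionPolicy, -ErrorAction
        try:
            return base64.b64decode(token, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def analyze_command_line(cmdline: str):
    """Return [(rule_name, evidence)] for one command line, checking the raw
    line and, when present, the decoded PowerShell script."""
    findings = []
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(("encoded_powershell", decoded))
        texts.append(decoded)
    for name, pattern in RULES:
        for text in texts:
            match = pattern.search(text)
            if match:
                findings.append((name, match.group(0)))
                break
    return findings


def triage(command_lines):
    """Return [(index, [rule names])] for lines with at least one finding other
    than plain encoding, which on its own is not suspicious."""
    flagged = []
    for index, cmdline in enumerate(command_lines):
        names = [name for name, _ in analyze_command_line(cmdline)]
        if any(name != "encoded_powershell" for name in names):
            flagged.append((index, names))
    return flagged


if __name__ == "__main__":
    for index, names in triage(SAMPLE_COMMAND_LINES):
        print(f"sample {index}: {', '.join(names)}")
        for name, evidence in analyze_command_line(SAMPLE_COMMAND_LINES[index]):
            print(f"    {name}: {evidence}")
```

Running the block flags samples 1 through 4 and leaves both benign lines alone; sample 5 exercises the prefix check, since `-ExecutionPolicy` starts with `-e` but is not a prefix of `-EncodedCommand`.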

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Health Care Equipment & Services
  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

MITRE ATT&CK

Tradecraft

59 distinct techniques observed across reporting, grouped by tactic. Each technique links to MITRE's full description.

Legend: 15 of 15 tactics; 81 techniques; ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  • T1595 Active Scanning

TA0042 Resource Development (3 techniques)
  • T1587 Develop Capabilities
    • T1587.001 Malware
  • T1588 Obtain Capabilities
    • T1588.001 Malware
    • T1588.002 Tool (×2)
  • T1608 Stage Capabilities
    • T1608.001 Upload Malware (×2)
    • T1608.002 Upload Tool (×2)

TA0001 Initial Access (3 techniques)
  • T1078 Valid Accounts (×2)
  • T1133 External Remote Services
  • T1190 Exploit Public-Facing Application (×6)

TA0002 Execution (5 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
  • T1059 Command and Scripting Interpreter (×2)
    • T1059.001 PowerShell (×7)
    • T1059.003 Windows Command Shell
  • T1129 Shared Modules
  • T1203 Exploitation for Client Execution
  • T1574 Hijack Execution Flow

TA0003 Persistence (4 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
  • T1078 Valid Accounts (×2)
  • T1133 External Remote Services
  • T1505 Server Software Component
    • T1505.003 Web Shell

TA0004 Privilege Escalation (4 techniques)
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
  • T1068 Exploitation for Privilege Escalation (×2)
  • T1078 Valid Accounts (×2)
  • T1484 Domain or Tenant Policy Modification
    • T1484.001 Group Policy Modification

TA0005 Stealth (5 techniques)
  • T1027 Obfuscated Files or Information (×2)
  • T1070 Indicator Removal
    • T1070.001 Clear Windows Event Logs
    • T1070.004 File Deletion (×3)
  • T1078 Valid Accounts (×2)
  • T1497 Virtualization/Sandbox Evasion
    • T1497.001 System Checks
  • T1574 Hijack Execution Flow

TA0112 Defense Impairment (1 technique)
  • T1484 Domain or Tenant Policy Modification
    • T1484.001 Group Policy Modification

TA0006 Credential Access (4 techniques)
  • T1003 OS Credential Dumping (×2)
    • T1003.001 LSASS Memory
    • T1003.003 NTDS
  • T1187 Forced Authentication
  • T1552 Unsecured Credentials
  • T1557 Adversary-in-the-Middle
    • T1557.001 Name Resolution Poisoning and SMB Relay

TA0007 Discovery (9 techniques)
  • T1012 Query Registry
  • T1016 System Network Configuration Discovery
  • T1018 Remote System Discovery
  • T1046 Network Service Discovery
  • T1082 System Information Discovery
  • T1087 Account Discovery
    • T1087.002 Domain Account
  • T1482 Domain Trust Discovery
  • T1497 Virtualization/Sandbox Evasion
    • T1497.001 System Checks
  • T1518 Software Discovery
    • T1518.001 Security Software Discovery

TA0008 Lateral Movement (2 techniques)
  • T1021 Remote Services
    • T1021.001 Remote Desktop Protocol
    • T1021.002 SMB/Windows Admin Shares (×3)
  • T1570 Lateral Tool Transfer

TA0009 Collection (2 techniques)
  • T1557 Adversary-in-the-Middle
    • T1557.001 Name Resolution Poisoning and SMB Relay
  • T1560 Archive Collected Data
    • T1560.001 Archive via Utility

TA0011 Command and Control (3 techniques)
  • T1071 Application Layer Protocol (×2)
  • T1132 Data Encoding
    • T1132.002 Non-Standard Encoding
  • T1219 Remote Access Tools

TA0010 Exfiltration (3 techniques)
  • T1041 Exfiltration Over C2 Channel
  • T1048 Exfiltration Over Alternative Protocol (×2)
  • T1567 Exfiltration Over Web Service (×2)

TA0040 Impact (5 techniques)
  • T1485 Data Destruction
  • T1486 Data Encrypted for Impact (×8)
  • T1489 Service Stop
  • T1490 Inhibit System Recovery
  • T1657 Financial Theft (×4)

WEAPONIZED

Associated vulnerabilities

14 CVEs this actor has used in observed campaigns. 14 of them exploited in the wild.

CVE-2025-29824: Windows Common Log File System Driver Use-After-Free Local Privilege Escalation (exploited in the wild; evidence: 6 reports)

Play Ransomware Attack Exploited CVE-2025-29824 as a 0-Day — ... leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver that was patched by Microsoft last month. That said, no ransomware was actually deployed in the attack. However, Grixba... was put to use.

CVE-2022-41040: ProxyNotShell SSRF in Microsoft Exchange Server (exploited in the wild; evidence: 3 reports)

Ember Bear ... CVE-2022-41040 ... in Microsoft Exchange... Play ... CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.

CVE-2022-41082: ProxyNotShell RCE in Microsoft Exchange Server PowerShell (exploited in the wild; evidence: 3 reports)

Play has exploited known vulnerabilities for initial access including ... CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.

CVE-2018-13379: Fortinet FortiOS SSL VPN Path Traversal Arbitrary File Read (exploited in the wild; evidence: 2 reports)

Agrius exploits public-facing applications for initial access to victim environments. Examples include widespread attempts to exploit CVE-2018-13379 in FortiOS devices... APT29 has exploited ... CVE-2018-13379 for FortiGate VPNs... Dragonfly ... exploited ... CVE-2018-13379 for Fortinet VPNs... Magic Hound ... exploited ... FortiOS SSL VPNs (CVE-2018-13379). Play ... including CVE-2018-13379 ... in FortiOS.

CVE-2020-12812: FortiOS SSL VPN 2FA Bypass via Username Case Manipulation (exploited in the wild; evidence: 2 reports)

Play has exploited known vulnerabilities for initial access including CVE-2018-13379 and CVE-2020-12812 in FortiOS

9 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

55 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (59)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (10)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (14)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (55)

Domains, IPs, and hashes tied to this actor, refreshed continuously.