PLAY

Play, also tracked as Playcrypt, is a ransomware/extortion operation first identified in June 2022. It uses double extortion, exfiltrating data before encrypting victim systems and threatening public release if payment is not made. Victims are instructed to contact unique @gmx.de or @web.de email addresses, and operators have also reportedly phoned victims to pressure payment. As of May 2025, FBI/CISA/ACSC reporting stated the group had compromised more than 900 organizations across North America, South America, and Europe.

Initial access observed for Play includes abuse of valid accounts, use of purchased credentials, exploitation of public-facing applications, and access via RDP and VPN. Reported exploited vulnerabilities include FortiOS CVE-2018-13379 and CVE-2020-12812, Microsoft Exchange ProxyNotShell CVE-2022-41040 and CVE-2022-41082, and more recently CVE-2024-57727 in SimpleHelp. Post-compromise tradecraft described in the content includes scheduled tasks, PowerShell, credential dumping from LSASS and NTDS, domain and security-software discovery, lateral movement over RDP and SMB/Windows Admin Shares, lateral tool transfer, data archiving and exfiltration, clearing Windows event logs, stopping services, inhibiting system recovery, modifying policy, and disabling or modifying security tools.

Tools and malware associated with Play in the content include AdFind and Grixba for Active Directory reconnaissance and antivirus detection; Cobalt Strike, SystemBC, and PsExec for lateral movement and command-and-control; Mimikatz for credential theft/escalation; WinPEAS for privilege enumeration; WinRAR for compression; and WinSCP for exfiltration. The group has also been reported to use GMER, IOBit, and PowerTool to disable endpoint protection and clear logs. Play developed proprietary data-theft tools including Grixba and a VSS Copying Tool. The ransomware encrypts files using a hybrid AES-RSA scheme, appends the .PLAY extension, and skips some system files to preserve system operability. Playcrypt is also reported to use AlphaVSS to delete shadow copies.

A Linux/ESXi variant is described in the content. It powers down virtual machines, encrypts VMware-related files with AES-256, supports campaign-specific flags, and places ransom notes in system directories and as ESXi welcome messages. Separate reporting cited in the content states Play is among ransomware families that adopted Babuk-based ESXi encryptors since H2 2022.

The content describes broad targeting across sectors and geographies, with repeated references to healthcare, manufacturing, telecommunications, finance, government services, and critical infrastructure. Healthcare is specifically highlighted by the American Hospital Association and FBI reporting as a sector affected by Play. Victim tracking in the content shows a heavy concentration in the United States, with additional victims across Canada, Europe, Asia-Pacific, Africa, Latin America, and the Caribbean. Mentioned incidents include the French Rugby Federation before the 2023 Rugby World Cup, Swiss government data exposure via supplier Xplain in 2023, Microchip Technology in 2024, and MyPillow being listed on the leak site.

The content also notes possible use of Play by North Korean actors. It states North Korean government actors have used Play ransomware, references Palo Alto Networks Unit 42 reporting from October 2024 that North Korea-backed APT45 deployed Play, and notes Andariel-linked activity involving Play. High-confidence indicators explicitly listed in the content include the email addresses derdiarikucisv@gmx.de and raniyumiamrm@gmx.de, a YARA artifact named Play.yar, and advisory-listed hashes for artifacts including SVCHost.dll, GRIXBA/Gt_net.exe, PSexesvc.exe, HRsword.exe, Usysdiag.exe, Hi.exe, SystemBC malware, and a public ED25519 key associated with a WinSCP server, though the specific hash values are not provided in the content.