Skip to content
The Nexus
Group profile28 claimed in last 30d49 total tracked

play

Forward this

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises. On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs

First seen: May 19 · 14:53 UTCLast seen: Jul 7 · 17:55 UTC
Sectors hit
  • Unspecified5
  • Consumer Services4
  • Business Services4
  • Technology3
  • Transportation/Logistics2
  • Telecommunication2
  • Construction2
  • Agriculture and Food Production2
Countries hit
  • United States18
  • Germany3
  • Netherlands2
  • United Kingdom1
  • Canada1
  • Australia1
MITRE ATT&CK · observed TTPs10 tactics

Tactics and techniques attributed to PLAY by ransomware.live's curated TTP catalog. Identifiers link to the canonical MITRE ATT&CK reference for each tactic or sub-technique.

  • TA0001Initial Access
    • T1078Valid Accounts

      Compromised VPN credentials used to authenticate directly to victim networks.

    • T1190Exploit Public-Facing Application

      Play exploits vulnerabilities in Microsoft Exchange (ProxyNotShell CVE-2022-41040/CVE-2022-41082), FortiOS SSL VPN (CVE-2018-13379), and RDP to gain initial access.

  • TA0002Execution
    • T1053.005Scheduled Task/Job: Scheduled Task

      Scheduled tasks used for payload persistence and execution across compromised hosts.

    • T1059Command and Scripting Interpreter
    • T1059.001Command and Scripting Interpreter: PowerShell

      PowerShell scripts used for payload execution and post-exploitation tooling deployment.

  • TA0005Defense Evasion
    • T1027Obfuscated Files or Information

      Play ransomware payloads are split into multiple parts to bypass AV scanning; parts reassembled on target systems.

    • T1070Indicator Removal
    • T1070.001Indicator Removal: Clear Windows Event Logs

      Windows event logs wiped to remove forensic evidence using wevtutil.

    • T1484Domain or Tenant Policy Modification
    • T1484.001Domain or Tenant Policy Modification: Group Policy Modification
    • T1562.001Disable or Modify Tools

      Security tools including Windows Defender and AV products disabled prior to encryption.

  • TA0006Credential Access
    • T1003OS Credential Dumping
    • T1003.001OS Credential Dumping: LSASS Memory

      Mimikatz and similar tools used for LSASS memory dumping to harvest credentials.

    • T1003.003OS Credential Dumping: NTDS

      NTDS.dit extracted from domain controllers to obtain all domain account hashes.

    • T1552Unsecured Credentials
  • TA0007Discovery
    • T1016System Network Configuration Discovery
    • T1046Network Service Discovery

      Network scanning tools used to enumerate hosts, services, and potential lateral movement targets.

    • T1087.002Account Discovery: Domain Account

      Active Directory enumeration to identify privileged accounts and high-value targets.

    • T1518Software Discovery
    • T1518.001Software Discovery: Security Software Discovery
  • TA0008Lateral Movement
    • T1021.001Remote Services: Remote Desktop Protocol

      RDP used for lateral movement across victim networks.

    • T1021.002Remote Services: SMB/Windows Admin Shares

      PsExec and SMB used to propagate payloads laterally.

    • T1570Lateral Tool Transfer
  • TA0009Collection
    • T1560Archive Collected Data
    • T1560.001Archive Collected Data: Archive via Utility

      WinRAR used to compress and archive stolen data prior to exfiltration.

  • TA0010Exfiltration
    • T1048Exfiltration Over Alternative Protocol

      WinSCP and Rclone used to exfiltrate data to actor-controlled infrastructure and cloud storage ahead of encryption.

  • TA0011Command and Control
    • T1219Remote Access Software

      Cobalt Strike, SystemBC, and AnyDesk used as C2 frameworks for persistent access.

  • TA0040Impact
    • T1486Data Encrypted for Impact

      Play ransomware uses AES-RSA hybrid encryption. Files appended with .play extension. Targets Windows and Linux/ESXi environments. Double extortion model with data published on Play leak site. Notable for NOT including ransom note in individual encrypted files — single note left at root of C: drive.

    • T1489Service Stop

      Database, mail, backup, and security services terminated before encryption to ensure maximum file access.

    • T1490Inhibit System Recovery

      Shadow copies deleted and Windows recovery disabled to prevent victim restoration of files.

    • T1657Financial Theft
Recent claimed victims
Jul 7 · 19:53 UTC

Preneed Funeral Programs

Consumer ServicesUnited StatesJul 7 · 17:56 UTC

Preneed Funeral Programs

www.preneed.net
Jul 7 · 17:30 UTC

Kevin Bao Lenguyen

www.kblaa.com
EnergyUnited StatesJul 7 · 17:30 UTC

United Infrastructure

www.unitedinfrastructure.com
Jul 4 · 09:51 UTC

Silvestri & Associates Insurance

ConstructionAustraliaJul 4 · 07:56 UTC

Locati Architects

www.locatiarchitects.com
Financial ServicesUnited StatesJul 4 · 07:55 UTC

Silvestri & Associates Insurance

www.silvestriandassociates.com
ConstructionUnited StatesJun 30 · 18:58 UTC

Western Construction

www.wciboise.com
Consumer ServicesUnited StatesJun 27 · 18:27 UTC

J&J Gaming

www.jjgaming.com
GermanyJun 27 · 18:27 UTC

Kuhnline

www.kuhnline.com
Jun 26 · 16:59 UTC

Benchmark Industrial Supply

Business ServicesUnited StatesJun 26 · 15:24 UTC

Benchmark Industrial Supply

www.benchmarkinc.com
Jun 17 · 20:46 UTC

Integrated Technologies

United StatesJun 17 · 18:26 UTC

Greg Crosslin

www.destinlegal.com
TechnologyJun 17 · 17:54 UTC

Integrated Technologies

www.itc4u.com
TechnologyGermanyJun 17 · 17:54 UTC

eurOptimum

www.europtimum.com
Jun 10 · 17:46 UTC

Rainbow Distributors USA

Business ServicesUnited StatesJun 10 · 15:54 UTC

Mundt and Associates

www.mundtinc.com
Consumer ServicesUnited StatesJun 10 · 15:53 UTC

Rainbow Distributors USA

www.rainbowdistributorsusa.com
Transportation/LogisticsUnited KingdomJun 6 · 13:23 UTC

Pearson Ford

www.pearsonford.com
Agriculture and Food ProductionUnited StatesJun 4 · 21:57 UTC

Urschel Laboratories

www.urschel.com
Business ServicesUnited StatesJun 4 · 21:57 UTC

Dallis Law Firm

www.dallislawfirm.com
ManufacturingUnited StatesJun 4 · 21:56 UTC

Corley MFG

www.corleymfg.com
Jun 1 · 12:29 UTC

Hightower Communications

TechnologyCanadaJun 1 · 09:53 UTC

Digitall Graphics

www.digitallgraphics.ca
TelecommunicationUnited StatesJun 1 · 09:22 UTC

Hightower Communications

www.hightowernc.com
Business ServicesUnited StatesMay 25 · 20:25 UTC

GW Mechanical

www.gwmechanical.com
Agriculture and Food ProductionNetherlandsMay 25 · 20:24 UTC

NL Fisher

www.nlfisher.com
Hospitality and TourismUnited StatesMay 25 · 20:24 UTC

Round Hill Country Club

www.rhcountryclub.com
TelecommunicationUnited StatesMay 25 · 20:24 UTC

Legend Networking & Telecom

www.legendnt.com
Transportation/LogisticsNetherlandsMay 25 · 19:33 UTC

De Waard Transport

www.dewaardtransport.nl
GermanyMay 19 · 14:53 UTC

Zuther Hautmann

www.z-h.de
PLAY · Underground group profile · The Nexus