Play, aka PlayCrypt

Threat Actor

Play ransomware mainly works in the Latin American region targeting government entitles. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PLAY,” and the ransomware group’s contact email address.

Unlike most ransomware operations, Play gang affiliates use email as a negotiation channel and will not provide victims with a link to a Tor negotiations page within ransom notes dropped on encrypted systems. However, they are stealing data from their victims' networks before deploying ransomware payloads and will threaten to leak it online if the ransom is not paid.

Incidents Associated with this Threat

March 24, 2023: Swiss, German-Language Newspaper NZZ Shut Down Production
March 17, 2023: Ransomware Attack at Dutch Maritime Global Logistics Company
December 2, 2022: Ransomware Attack for Cloud Provider, Rackspace

Malware Used by this Threat Actor

No malware identified for this threat actor.