Play, aka PlayCrypt

Threat Actor

Play ransomware mainly operates in the Latin American region, targeting government entities. The ransomware's name is derived from its behavior: it appends the extension “.play” to files after encrypting them. Its ransom note also contains the single word “PLAY” and the ransomware group’s contact email address.

Unlike most ransomware operations, Play gang affiliates use email as a negotiation channel and do not provide victims with a link to a Tor negotiation page in the ransom notes dropped on encrypted systems. However, they steal data from their victims' networks before deploying ransomware payloads and threaten to leak it online if the ransom is not paid.

Malware Used by this Threat Actor

No malware identified for this threat actor.