Play, aka PlayCrypt
Threat Actor
Play ransomware mainly works in the Latin American region targeting government entitles. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PLAY,” and the ransomware group’s contact email address.
Unlike most ransomware operations, Play gang affiliates use email as a negotiation channel and will not provide victims with a link to a Tor negotiations page within ransom notes dropped on encrypted systems. However, they are stealing data from their victims' networks before deploying ransomware payloads and will threaten to leak it online if the ransom is not paid.
Incidents Associated with this Threat
- March 24, 2023: Swiss, German-Language Newspaper NZZ Shut Down Production
- March 17, 2023: Ransomware Attack at Dutch Maritime Global Logistics Company
- December 2, 2022: Ransomware Attack for Cloud Provider, Rackspace
Malware Used by this Threat Actor
No malware identified for this threat actor.