Threat Actor Profile
Description
Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Initially observed in June 2022, the Play ransomware (a.k.a. PlayCrypt) operates through double extortion and has targeted numerous organizations in Latin America. Its initial access methods are similar to those of other ransomware operations: phishing, services exposed to the Internet, and compromised valid accounts. On April 19, 2023, the security company Symantec published details of two new tools developed by the Play group. These tools let the actor enumerate and exfiltrate data from the internal network. The post states: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'

Source: https://github.com/crocodyli/ThreatActors-TTPs
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (26)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
[{'aliases': ['Play'],
'created': '2024-09-24T19:48:18.278Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '[Play](https://attack.mitre.org/groups/G1040) is a '
'ransomware group that has been active since at least 2022 '
'deploying '
'[Playcrypt](https://attack.mitre.org/software/S1162) '
'ransomware against the business, government, critical '
'infrastructure, healthcare, and media sectors in North '
'America, South America, and Europe. '
'[Play](https://attack.mitre.org/groups/G1040) actors employ '
'a double-extortion model, encrypting systems after '
'exfiltrating data, and are presumed by security researchers '
'to operate as a closed group.(Citation: CISA Play Ransomware '
'Advisory December 2023)(Citation: Trend Micro Ransomware '
'Spotlight Play July 2023)',
'external_references': [{'external_id': 'G1040',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/groups/G1040'},
{'description': 'CISA. (2023, December 18). '
'#StopRansomware: Play Ransomware '
'AA23-352A. Retrieved September 24, '
'2024.',
'source_name': 'CISA Play Ransomware Advisory '
'December 2023',
'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a'},
{'description': 'Trend Micro Research. (2023, July '
'21). Ransomware Spotlight: Play. '
'Retrieved September 24, 2024.',
'source_name': 'Trend Micro Ransomware Spotlight '
'Play July 2023',
'url': 'https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play'}],
'id': 'intrusion-set--ecbf507f-6786-4121-a4cc-0fd6a8d3a29d',
'modified': '2024-10-02T05:37:34.149Z',
'name': 'Play',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'intrusion-set',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Marco Pedrinazzi, @pedrinazziM'],
'x_mitre_deprecated': False,
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_version': '1.0'},
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Initially observed in June 2022, the Play ransomware (a.k.a '
'PlayCrypt) operates through double extortion, targeting '
'numerous organizations in Latin America. Its Initial Access '
'method is quite similar to other ransomwares, involving '
'attacks such as Phishing, Exposed Services to the Internet, '
'and Valid Account compromises.<br> <br> On April 19, 2023, '
'the security company Symantec published two new tools '
'developed by the Play group. These tools allow the malicious '
'actor to enumerate and exfiltrate data from the internal '
"network. The post mentions the following: 'Play threat "
'actors use the .NET infostealer to enumerate software and '
'services via WMI, WinRM, Remote Registry, and Remote '
'Service. The malware checks for the existence of security '
'and backup software, as well as remote administration tools '
'and other programs, saving the information in .CSV files '
'that are compressed into a .ZIP file for later manual '
"exfiltration by threat actors.'Source: "
'https://github.com/crocodyli/ThreatActors-TTPs',
'firstseen': '2022-11-26T19:33:43.668769+00:00',
'group': 'play',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-04-06T19:42:57.403670+00:00',
'locations': [{'available': False,
'fqdn': 'j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion',
'slug': 'http://j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion',
'title': '',
'type': 'DLS'},
{'available': True,
'fqdn': 'mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion',
'slug': 'http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion/index.php?page=1',
'title': 'PLAY NEWS',
'type': 'DLS'},
{'available': False,
'fqdn': 'k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion',
'slug': 'http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion/',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 3,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion',
'slug': 'http://j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion',
'title': '',
'type': 'DLS'},
{'available': True,
'fqdn': 'mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion',
'slug': 'http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion/index.php?page=1',
'title': 'PLAY NEWS',
'type': 'DLS'},
{'available': False,
'fqdn': 'k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion',
'slug': 'http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion/',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 3,
'ransomware_live_group': 'play',
'tools': {'CredentialTheft': ['Mimikatz',
'HandleKatz',
'Nanodump'],
'DefenseEvasion': ['GMER',
'IOBit',
'PowerTool',
'EDRKill (echo_driver.sys + '
'DBUtil 2.3)',
'icardagt.exe (version.dll '
'DLL sideload)'],
'DiscoveryEnum': ['AdFind', 'WKTools'],
'Exfiltration': ['WinSCP'],
'LOLBAS': ['PsExec'],
'Networking': ['FRP', 'Plink'],
'Offsec': ['Cobalt Strike', 'WinPEAS'],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/play',
'victims': 1239,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz', 'HandleKatz', 'Nanodump'],
'DefenseEvasion': ['GMER',
'IOBit',
'PowerTool',
'EDRKill (echo_driver.sys + DBUtil 2.3)',
'icardagt.exe (version.dll DLL sideload)'],
'DiscoveryEnum': ['AdFind', 'WKTools'],
'Exfiltration': ['WinSCP'],
'LOLBAS': ['PsExec'],
'Networking': ['FRP', 'Plink'],
'Offsec': ['Cobalt Strike', 'WinPEAS'],
'RMM-Tools': []},
'ttps': [],
'url': 'https://www.ransomware.live/group/play',
'victims': 1239,
'vulnerabilities': []}]
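The 'tools' inventory in the record above (credential theft, discovery, exfiltration and networking utilities, the EDRKill driver pair and the icardagt.exe/version.dll sideload) is what a detection engineer can hunt for directly. The following Python is an added example, not code from this page, from MITRE, from ransomware.live or from the Play group: it turns that inventory into a few detections and runs them over constructed Sysmon-style events. The event field names, the executable name assumed for each listed tool, the on-disk driver name dbutil_2_3.sys for "DBUtil 2.3", and the severity ratings are this example's assumptions, not data from the profile.

```python
"""Hunt for Play-associated tooling in constructed endpoint telemetry (added example)."""
import ntpath

# Executable basenames (lower-case, no extension) assumed for the profile's
# 'tools' entries, with the profile's category and an assumed severity.
# Dual-use admin tools (PsExec, WinSCP, Plink, AdFind) rate medium: alone they
# are normal in many estates and only matter in combination.
PLAY_PROCESS_TOOLS = {
    "mimikatz":   ("CredentialTheft", "high"),
    "handlekatz": ("CredentialTheft", "high"),
    "nanodump":   ("CredentialTheft", "high"),
    "gmer":       ("DefenseEvasion", "high"),
    "powertool":  ("DefenseEvasion", "high"),
    "adfind":     ("DiscoveryEnum", "medium"),
    "wktools":    ("DiscoveryEnum", "medium"),
    "winscp":     ("Exfiltration", "medium"),
    "psexec":     ("LOLBAS", "medium"),
    "psexesvc":   ("LOLBAS", "medium"),   # service stub PsExec drops on the target
    "frpc":       ("Networking", "high"),  # FRP client binary (assumed name)
    "plink":      ("Networking", "medium"),
    "winpeas":    ("Offsec", "high"),
}

# The profile's "EDRKill (echo_driver.sys + DBUtil 2.3)" entry, a BYOVD pair.
# dbutil_2_3.sys is the assumed on-disk name. Matching on file name is easy to
# evade by renaming; a production rule would also key on signer or hash.
BYOVD_DRIVERS = {"echo_driver.sys", "dbutil_2_3.sys"}

# version.dll is expected only from the system directories; a copy beside the
# executable is the sideload pattern the profile ties to icardagt.exe.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SEVERITY_RANK = {"high": 0, "medium": 1}


def _basename(path: str) -> str:
    """Lower-case file name without extension, tolerant of / or \\ separators."""
    name = ntpath.basename(path.replace("/", "\\")).lower()
    return name.rsplit(".", 1)[0]


def classify(event: dict) -> list[tuple[str, str, str]]:
    """Return (rule, severity, detail) findings for one event.

    Assumed event shapes:
      {"type": "process",    "host": ..., "image": ..., "cmdline": ...}
      {"type": "imageload",  "host": ..., "image": ..., "loaded": ...}
      {"type": "driverload", "host": ..., "loaded": ...}
    """
    findings = []
    kind = event.get("type")
    if kind == "process":
        name = _basename(event["image"])
        if name in PLAY_PROCESS_TOOLS:
            category, severity = PLAY_PROCESS_TOOLS[name]
            findings.append((f"play_tool:{category}", severity, name))
        elif "iobit" in name:  # IObit ships several binaries; match the vendor name
            findings.append(("play_tool:DefenseEvasion", "medium", name))
    elif kind == "imageload":
        loaded = event["loaded"].replace("/", "\\").lower()
        if ntpath.basename(loaded) == "version.dll" and not loaded.startswith(TRUSTED_DLL_DIRS):
            severity = "high" if _basename(event["image"]) == "icardagt" else "medium"
            findings.append(("dll_sideload:version.dll", severity,
                             f"{event['image']} <- {event['loaded']}"))
    elif kind == "driverload":
        driver = ntpath.basename(event["loaded"].replace("/", "\\").lower())
        if driver in BYOVD_DRIVERS:
            findings.append(("byovd:EDRKill", "high", driver))
    return findings


def hunt(events) -> list[dict]:
    """Run classify() over an event stream; highest severity first, event order within a tier."""
    hits = []
    for event in events:
        for rule, severity, detail in classify(event):
            hits.append({"host": event.get("host", "?"), "rule": rule,
                         "severity": severity, "detail": detail})
    hits.sort(key=lambda h: SEVERITY_RANK[h["severity"]])  # sort is stable
    return hits


def chained_hosts(hits, min_rules: int = 2) -> dict[str, list[str]]:
    """Hosts where at least min_rules distinct rules fired.

    This is what makes medium-severity dual-use tooling actionable: WinSCP on
    its own is an admin; WinSCP after a vulnerable driver load on the same host
    matches the profile's tool chain.
    """
    by_host: dict[str, set] = {}
    for hit in hits:
        by_host.setdefault(hit["host"], set()).add(hit["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample telemetry for this example (not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "host": "WS01", "image": r"C:\Users\Public\AdFind.exe", "cmdline": "AdFind.exe -f objectcategory=computer"},
    {"type": "imageload", "host": "WS01", "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "loaded": r"C:\Windows\System32\version.dll"},
    {"type": "imageload", "host": "SRV02", "image": r"C:\ProgramData\icardagt.exe", "loaded": r"C:\ProgramData\version.dll"},
    {"type": "driverload", "host": "SRV02", "loaded": r"C:\Windows\Temp\dbutil_2_3.sys"},
    {"type": "process", "host": "DC01", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"type": "process", "host": "SRV02", "image": r"C:\Temp\winscp.exe", "cmdline": "winscp.exe /script=up.txt"},
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['severity']:6} {hit['host']:5} {hit['rule']:26} {hit['detail']}")
    print("chained:", chained_hosts(hits))
```

On the constructed sample the benign svchost and the System32 version.dll load produce nothing, the two high-severity hits (sideload and driver load) surface first, and only SRV02 crosses the chaining threshold even though DC01 and WS01 each ran one dual-use tool. Against real telemetry, the name-based matches should be backed by hashes or signer checks, and the PsExec/WinSCP/AdFind entries are best kept as context for chained_hosts rather than standalone alerts.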