Threat Actor Profile

Play

Aliases
  • PlayCrypt
  • Play Gang
Origin
Russia
Active Since
2022-06-01
Motivation
Financial gain, Extortion, Operational disruption
Cause
Cybercriminal
Recent Activity

Play continues to target businesses and critical infrastructure across multiple regions. Joint CISA and FBI reporting put the number of entities affected by Play at roughly 900 as of May 2025, making it a persistent ransomware threat; note that the most authoritative public, government-backed figures date from 2025 rather than 2026.

Primary Targets
  • Manufacturing organizations
  • Engineering organizations
  • Retail organizations
  • Business services organizations
  • Transportation organizations
  • Education organizations
  • Healthcare organizations
  • Insurance organizations
  • Media organizations
  • Technology organizations
  • Telecommunications organizations
Target Locations
  • United States
  • Canada
  • United Kingdom
  • Germany
  • Australia
  • Latin America
  • Europe
Target Sectors
  • Manufacturing
  • Engineering
  • Retail
  • Business Services
  • Transportation
  • Education
  • Healthcare
  • Insurance
  • Media
  • Technology
  • Telecommunications
Techniques
  • Double extortion
  • Encryption
  • Data theft
  • Operational disruption
  • Leak site pressure
  • Exploitation of known vulnerabilities in public-facing assets
  • Compromised valid accounts
  • Post-compromise activity
  • Active Directory reconnaissance
  • Defense evasion
  • Persistence
  • Intermittent encryption
  • Sensitive data theft
  • Infrastructure overlap with other ransomware ecosystems
Malware Tools
  • AdFind
  • BloodHound
  • Cobalt Strike
  • GMER
  • Mimikatz
  • WinPEAS
Bitsight Contextualized Intelligence
  • Play Ransomware, also known as PlayCrypt, was first observed in late June 2022.
  • Play targets organizations in Australia, Latin America, Europe, and the United States.
  • Play's objective is financial gain through ransomware attacks.
  • Play targets the education, healthcare, insurance, media, technology, and telecommunications sectors.
  • Play's initial access vectors include exploitation of known vulnerabilities in public-facing assets and compromised valid accounts.
  • Play uses custom and open-source tools such as AdFind, BloodHound, Cobalt Strike, GMER, Mimikatz, and WinPEAS for reconnaissance, defense evasion, and persistence.
  • Play employs an intermittent encryption scheme based on file size, encrypting chunks of 0x100000 bytes.
  • Play steals sensitive data and threatens to publish it on its leak site if the ransom is not paid.
  • Play shares TTPs with other ransomware groups such as Hive and Nokoyawa.
  • Recent Play victims include Pearson Ford, Mundt and Associates, Rainbow Distributors USA, Integrated Technologies, and eurOptimum.
  • Play is associated with CVE-2018-13379, CVE-2022-41082, CVE-2022-41040, CVE-2020-12812, and CVE-2024-57727.
  • Play poses a significant threat to organizations due to its sophisticated methods and wide range of targeted sectors.
Defensive Takeaways
  • Patch known exploited vulnerabilities in public-facing assets
  • Require multifactor authentication for remote access and privileged accounts
  • Monitor for Active Directory reconnaissance tools
  • Detect use of credential theft and post-exploitation frameworks
  • Maintain offline or immutable backups
  • Prepare for data theft and leak-site extortion in addition to encryption
  • Review operational continuity plans for downtime-sensitive environments
How Bitsight Helps

Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.