Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
Play continues to target businesses and critical infrastructure across multiple regions. CISA and FBI reporting puts the number of affected entities at roughly 900 as of May 2025, making Play a persistent ransomware threat; note that the most authoritative public, government-backed figures date from 2025, not 2026.
Double extortion
Encryption
Data theft
Operational disruption
Leak site pressure
Exploitation of known vulnerabilities in public-facing assets
Compromised valid accounts
Post-compromise activity
Active Directory reconnaissance
Defense evasion
Persistence
Intermittent encryption
Sensitive data theft
Infrastructure overlap with other ransomware ecosystems
Play Ransomware, also known as PlayCrypt, was first observed in late June 2022.
Play targets organizations in Australia, Latin America, Europe, and the United States.
Play's objective is financial gain through ransomware attacks.
Play targets education, healthcare, insurance, media, technology, and telecommunications.
Play initial access vectors include exploitation of known vulnerabilities in public-facing assets and compromised valid accounts.
Play uses custom and open-source tools such as AdFind, BloodHound, Cobalt Strike, GMER, Mimikatz, and WinPEAS for reconnaissance, defense evasion, and persistence.
Play employs an intermittent encryption scheme based on file size, encrypting chunks of 0x100000 bytes.
Play steals sensitive data and threatens to publish it on its leak site if the ransom is not paid.
Play shares TTPs with other ransomware groups such as Hive and Nokoyawa.
Recent Play victims include Pearson Ford, Mundt and Associates, Rainbow Distributors USA, Integrated Technologies, and eurOptimum.
Play is associated with CVE-2018-13379, CVE-2022-41082, CVE-2022-41040, CVE-2020-12812, and CVE-2024-57727.
Play poses a significant threat to organizations due to its sophisticated methods and wide range of targeted sectors.
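The intermittent encryption scheme described above (fixed chunks of 0x100000 bytes, with which chunks get encrypted depending on file size) leaves a recognizable fingerprint: a file whose 1 MiB chunks alternate between normal and near-random entropy. The following defender-side triage script is an added example, not Bitsight's code or any tooling from the Play profile; it computes per-chunk Shannon entropy and classifies a file as clean, partially encrypted, or fully encrypted. The sample "files" and the entropy thresholds (7.5 bits for encrypted, 6.0 bits for plaintext) are constructed assumptions for illustration.

```python
import math
import os
from collections import Counter
from typing import Iterable, List

# Chunk size reported for Play's intermittent encryption (0x100000 = 1 MiB).
CHUNK = 0x100000

# Assumed thresholds: random/encrypted data approaches 8 bits per byte,
# English text sits around 4-5 bits. Tune against your own file corpus.
HIGH_ENTROPY = 7.5
LOW_ENTROPY = 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte for the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def iter_chunks(stream: Iterable[bytes]) -> Iterable[bytes]:
    """Yield the stream re-cut into CHUNK-sized pieces (last piece may be short)."""
    buf = b""
    for piece in stream:
        buf += piece
        while len(buf) >= CHUNK:
            yield buf[:CHUNK]
            buf = buf[CHUNK:]
    if buf:
        yield buf


def chunk_entropies(data: bytes) -> List[float]:
    """Per-chunk entropies for an in-memory buffer."""
    return [shannon_entropy(c) for c in iter_chunks([data])]


def classify_entropies(ents: List[float]) -> str:
    """Map a list of per-chunk entropies to clean / partial / full / empty."""
    if not ents:
        return "empty"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == len(ents):
        return "full"      # every chunk looks encrypted
    if high and low:
        return "partial"   # mix of encrypted and plaintext chunks: intermittent pattern
    return "clean"


def classify(data: bytes) -> str:
    return classify_entropies(chunk_entropies(data))


def classify_file(path: str) -> str:
    """Stream a file from disk one chunk at a time so large files stay cheap."""
    def reader():
        with open(path, "rb") as fh:
            while True:
                piece = fh.read(CHUNK)
                if not piece:
                    return
                yield piece
    return classify_entropies([shannon_entropy(c) for c in iter_chunks(reader())])


def build_sample(pattern: str) -> bytes:
    """Constructed test data: 'P' = plaintext chunk, 'E' = random (encrypted-looking) chunk."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    plaintext = (sentence * (CHUNK // len(sentence) + 1))[:CHUNK]
    out = b""
    for ch in pattern:
        out += plaintext if ch == "P" else os.urandom(CHUNK)
    return out


if __name__ == "__main__":
    for pattern in ("PPPP", "PEPE", "EEEE"):
        sample = build_sample(pattern)
        ents = ", ".join(f"{e:.2f}" for e in chunk_entropies(sample))
        print(f"{pattern}: entropies [{ents}] -> {classify(sample)}")
```

Entropy alone is a coarse signal: compressed or already-encrypted formats (archives, media, encrypted databases) are uniformly high-entropy by nature, so run this only against file types expected to be low-entropy, or compare against a baseline taken before the incident. The "partial" verdict is the one that specifically matches intermittent encryption; "full" catches files the scheme encrypted end to end.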
Patch known exploited vulnerabilities in public-facing assets
Require multifactor authentication for remote access and privileged accounts
Monitor for Active Directory reconnaissance tools
Detect use of credential theft and post-exploitation frameworks
Maintain offline or immutable backups
Prepare for data theft and leak-site extortion in addition to encryption
Review operational continuity plans for downtime-sensitive environments
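The two monitoring items above (Active Directory reconnaissance tools, and credential theft and post-exploitation frameworks) map directly onto the tool list in this profile: AdFind, BloodHound, GMER, Mimikatz and WinPEAS. The script below is an added example, not Bitsight's code or anything from the Play profile; it scans constructed process-creation log lines for those tool names and, because attackers routinely rename binaries, also checks an OriginalFileName field (the name embedded in the PE version resource, as Sysmon records it) against the on-disk image name. The log format, field names and sample events are assumptions for illustration, not a real export.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tool names are taken from the profile; the descriptions are this example's own labels.
# Cobalt Strike is deliberately absent: its beacons carry arbitrary names, so name
# matching is the wrong detection for it (use memory/network signatures instead).
KNOWN_TOOLS: Dict[str, str] = {
    "adfind": "Active Directory reconnaissance (AdFind)",
    "bloodhound": "Active Directory attack-path mapping (BloodHound)",
    "mimikatz": "credential theft (Mimikatz)",
    "gmer": "defense evasion (GMER)",
    "winpeas": "privilege-escalation enumeration (WinPEAS)",
}


@dataclass
class Alert:
    line_no: int
    tool: str
    renamed: bool   # True when the PE's original name matches but the on-disk name was changed
    user: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' process event into a dict."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_tool(event: Dict[str, str]) -> Optional[Tuple[str, bool]]:
    """Return (tool, renamed) if the event references a known tool, else None."""
    image = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    for tool in KNOWN_TOOLS:
        if tool in image or tool in original or re.search(r"\b" + tool, cmdline):
            renamed = bool(original) and tool in original and tool not in image
            return tool, renamed
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run the matcher over process-creation events (EventID 1) only."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, start=1):
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        hit = match_tool(event)
        if hit:
            alerts.append(Alert(line_no, hit[0], hit[1], event.get("User", "?")))
    return alerts


# Constructed sample events (Sysmon-like field names, not a real log export).
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|OriginalFileName=svchost.exe|CommandLine=svchost.exe -k netsvcs|User=NT AUTHORITY\SYSTEM",
    r"EventID=1|Image=C:\Temp\adfind.exe|OriginalFileName=AdFind.exe|CommandLine=adfind.exe -f objectcategory=computer|User=CORP\jdoe",
    r'EventID=1|Image=C:\Windows\Temp\svc.exe|OriginalFileName=mimikatz.exe|CommandLine="C:\Windows\Temp\svc.exe"|User=CORP\svc-backup',
    r"EventID=3|Image=C:\Temp\adfind.exe|DestinationIp=10.0.0.5|DestinationPort=389|User=CORP\jdoe",
    r"EventID=1|Image=C:\Users\Public\winPEASx64.exe|OriginalFileName=winPEAS.exe|CommandLine=winPEASx64.exe|User=CORP\jdoe",
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        flag = "RENAMED BINARY" if alert.renamed else "known name"
        print(f"line {alert.line_no}: {KNOWN_TOOLS[alert.tool]} run by {alert.user} [{flag}]")
```

The renamed-binary case (line 3 of the sample, where a file called svc.exe carries the original name mimikatz.exe) is the one worth escalating first, since renaming is itself evidence of intent. Name and OriginalFileName matching are cheap but evadable; treat this as a first-pass filter feeding hash, signature and behavioural checks rather than a complete detection.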