Play Ransomware

Download 20+ pages of Play Ransomware's latest criminal behaviors, previous industry and geographic targets, exploited vulnerabilities, criminal associations, and MITRE ATT&CK mappings.


About This Threat Profile

First Identified: 2022

Threat Type:
Debated – reports indicate the group likely operates as a ransomware-as-a-service (RaaS); however, the group maintains they are a private operation.

Extortion method:
Double Extortion – the operators encrypt victim data, exfiltrate sensitive data, and threaten to leak that data if the ransom is not paid.

Most frequently targeted industry:

  • Industrials (Manufacturing)

Most frequently targeted victim HQ region: North America

Known Associations:

  • Andariel
  • Balloonfly
  • Fiddling Scorpius
  • Prolific Panda
  • QuadSwitcher
  • Quantum Ransomware

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, exploitation of external remote services, vulnerability exploitation, phishing (MITRE ATT&CK: T1078, T1133, T1190, T1566)
    • Persistence
      • Scheduled tasks, valid accounts, create or modify system process (MITRE ATT&CK: T1053, T1078, T1543)
    • Lateral Movement
      • Exploitation of remote services, lateral tool transfer (MITRE ATT&CK: T1021, T1570)

Description of Play Ransomware

Play (AKA PlayCrypt) ransomware is a private ransomware operation that has been active since at least June 2022. The group uses a double extortion method: victim data is stolen and leaked via a data leak site if the ransom demand is not paid. According to the group’s data leak site, the operation remains closed and is designed to “guarantee the secrecy of deals.” Despite reports that the group opened its operations to a RaaS model in late 2023, the group’s data leak site contains a statement that they are private and have not, and do not plan to, open their operation.

Play ransomware operators gain initial access through a variety of methods, including the abuse of valid accounts, exploitation of vulnerabilities (specifically in FortiOS and Microsoft Exchange instances), social engineering attacks, and abuse of external-facing services, including RDP and VPN.

Play ransomware has been assessed to operate in a similar manner to the Hive and Nokoyawa ransomware operations; however, because many ransomware operations follow similar behaviors, the extent of the relationship between these operations is not known. Play and Quantum ransomware operations partly share the same infrastructure, in that Cobalt Strike beacons observed in Play attacks contain the same watermarks as those dropped by the Emotet and SVCReady botnets in Quantum ransomware attacks.

Play ransomware is written in C++ and contains several anti-debugging and anti-analysis features to slow investigations into the behaviors of the ransomware, including garbage code and function returns that drive execution into a dead end.

In 2025, it was reported that the Play binary is recompiled for every attack. This results in unique hashes for each deployment, making anti-malware and anti-virus program detection of the malware more difficult.

The group utilizes the public music folder to hide their malicious files and creates new, high-privilege accounts on victim machines. The Play ransomware group uses intermittent encryption that encrypts chunks of 0x10000 bytes (64 KiB). The observed samples encrypt every other 0x10000-byte chunk until the end of the file.
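A defender-side triage check for the intermittent pattern described above, added here as an example (it is not Blackpoint's tooling or code from the ransomware): it measures Shannon entropy per 0x10000-byte chunk and classifies a file as "intermittent" when high-entropy and low-entropy chunks alternate. The page does not say whether the first chunk of a file is the encrypted one, so both phases are accepted. The 7.0 bits/byte threshold, the 1024-byte minimum for a trailing partial chunk, the requirement of at least three chunks, and the constructed sample data are assumptions, not values from the profile.

```python
import math
import os
from collections import Counter

CHUNK = 0x10000        # 64 KiB, the chunk size reported for Play samples
HIGH_ENTROPY = 7.0     # bits/byte; ciphertext and compressed data sit near 8.0 (assumed threshold)
MIN_TAIL = 1024        # ignore a trailing partial chunk shorter than this (assumed)

# Constructed stand-in for plaintext: repeated English text fills one chunk.
PLAIN_CHUNK = (b"The quick brown fox jumps over the lazy dog. " * (CHUNK // 45 + 1))[:CHUNK]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK, min_tail: int = MIN_TAIL) -> list[float]:
    """Entropy of each chunk-sized slice. A short trailing slice is dropped because
    its entropy is bounded by log2(len) and would read as low regardless of content."""
    slices = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if len(slices) > 1 and len(slices[-1]) < min_tail:
        slices.pop()
    return [shannon_entropy(s) for s in slices]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """Classify a file body as 'plain', 'full', 'intermittent', 'mixed' or 'too-small'.

    'intermittent' requires at least three evaluated chunks whose high/low flags strictly
    alternate, in either phase (encrypted-first or plaintext-first)."""
    flags = [e >= threshold for e in chunk_entropies(data, chunk)]
    if len(flags) < 2:
        return "too-small"
    if all(flags):
        return "full"
    if not any(flags):
        return "plain"
    if len(flags) >= 3:
        even_phase = all(f == (i % 2 == 0) for i, f in enumerate(flags))
        odd_phase = all(f == (i % 2 == 1) for i, f in enumerate(flags))
        if even_phase or odd_phase:
            return "intermittent"
    return "mixed"


def build_sample(n_chunks: int, encrypt_even: bool = True, chunk: int = CHUNK) -> bytes:
    """Constructed test file: os.urandom stands in for encrypted chunks,
    PLAIN_CHUNK for untouched ones, alternating from the chosen phase."""
    out = bytearray()
    for i in range(n_chunks):
        encrypted = (i % 2 == 0) == encrypt_even
        out += os.urandom(chunk) if encrypted else PLAIN_CHUNK[:chunk]
    return bytes(out)


if __name__ == "__main__":
    # Walk a directory (assumed path) and report files showing the alternating pattern.
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fh.read())
            except OSError:
                continue
            if verdict in ("intermittent", "full"):
                print(f"{verdict:12s} {path}")
```

Entropy alone cannot distinguish encryption from legitimate compressed or already-encrypted formats, so a "full" verdict on archives, media or TLS captures is expected; the "intermittent" verdict is the more specific signal for this family's chunking behavior and is worth cross-checking against file-extension changes and the ransom note artifacts described elsewhere in this profile.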

In 2024, Trend Micro security researchers reported that Play ransomware operators had developed and begun deploying a Linux variant of the ransomware. The variant only encrypts files when running in a VMware ESXi environment. The identification of a Linux version indicates that the group is likely attempting to expand its operations.

Additionally, the researchers reported that a URL used to host the Play ransomware payload and its tools is related to another threat actor, Prolific Puma. This indicates that the two groups are likely related in some capacity.

In ransom notes, Play operators have been observed providing emails ending in “gmx[.]de” or “web[.]de” for victims to contact the group.

Date published: November 19, 2025
Author: Blackpoint Cyber