Play
Status: active
Also known as: PlayCrypt, Play Ransomware
Play ransomware (also tracked as PlayCrypt) emerged in mid-2022 and has hit numerous organizations, including critical infrastructure operators. The group is known for gaining initial access by exploiting the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) and other Microsoft Exchange Server flaws.
First Seen: 2022-06
Last Activity: 2025-01
Target Regions: 3 regions
Industries (5 sectors): Government, Healthcare, Technology, Manufacturing, Telecommunications
Attack Chain (MITRE ATT&CK)
Diagram: attack phases and MITRE ATT&CK techniques used by Play.
Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
Indicators of Compromise (IOCs)
Known IOCs associated with Play operations
| Type | Value | Description | Last Seen |
|---|---|---|---|
| hash (SHA-256) | f63a2a5f2cc9f69fcd92a57b4d6ee72fd8e76d7e8ec5f2f5a9a4d6e2e1f0c9b8 | Play ransomware binary | 2025-01-15 |
| filename | ReadMe.txt | Ransom note | — |
Detection Guidance
SIEM and EDR detection recommendations for identifying Play activity
1. Monitor Exchange Server for ProxyNotShell exploitation: alert on IIS requests whose decoded URI contains autodiscover.json, an "@" and powershell (the request shape that Microsoft's interim URL Rewrite mitigation blocked), and on the Exchange worker process w3wp.exe spawning cmd.exe or powershell.exe.
2. Detect GPO modifications that disable security tools: Windows Security event 5136 on groupPolicyContainer objects, especially on the default domain policies, and new startup scripts or scheduled tasks delivered by policy.
3. Alert on WinRAR command-line archiving: rar.exe or WinRAR.exe launched with the "a" (add) command, particularly with -hp header encryption and a file-share source, is the staging step that precedes exfiltration.
4. Monitor for the .play file extension: a burst of renames to *.play on one host, together with ReadMe.txt ransom notes, means encryption is already under way and the host must be isolated.
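The four detection items above as executable checks run over constructed sample events. This is an added example, not code from the original page or from any vendor. The event field names, the archiver names, the .play write threshold and the sample telemetry are assumptions made for illustration; the IIS check matches the documented ProxyNotShell request shape (an Autodiscover path containing "@" and "powershell"), which Microsoft's interim URL Rewrite mitigation also matched.

```python
"""Detection checks for Play activity over constructed sample events.

Added example, not from the original page. Field names are simplified; map
them onto the real sources (IIS W3C logs, Sysmon/4688 process creation,
Windows Security 5136, EDR file events) before deploying.
"""
import re
from collections import Counter
from urllib.parse import unquote

# ProxyNotShell (CVE-2022-41040/CVE-2022-41082): the SSRF sends an Autodiscover
# request on to the PowerShell backend, so the decoded URI contains
# "autodiscover.json", then "@", then "powershell".
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Command-line archivers used to stage data before exfiltration (assumption).
ARCHIVER_NAMES = {"rar.exe", "winrar.exe"}

# Encrypted-file extension and ransom note name from the IOC table above.
PLAY_EXTENSION = ".play"
RANSOM_NOTE = "readme.txt"

# .play writes from one host before raising an alert (tuning assumption).
PLAY_WRITE_THRESHOLD = 5


def check_iis_line(line):
    """Return the decoded request URI if an IIS W3C log line looks like ProxyNotShell."""
    if line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    # Default W3C order: date time s-ip cs-method cs-uri-stem cs-uri-query ...
    decoded = unquote(fields[4] + "?" + fields[5])
    return decoded if PROXYNOTSHELL_RE.search(decoded) else None


def check_process(event):
    """Flag rar.exe/WinRAR.exe started with the 'a' (add to archive) command."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    # First argument after the (possibly quoted) executable path.
    m = re.match(r'^(?:"[^"]*"|\S+)\s+(\S+)', event["command_line"])
    if image in ARCHIVER_NAMES and m and m.group(1).lower() == "a":
        return event["command_line"]
    return None


def check_gpo_change(event):
    """Windows Security 5136 on a groupPolicyContainer object means a GPO was edited."""
    if event.get("event_id") == 5136 and event.get("object_class") == "groupPolicyContainer":
        return event["object_dn"]
    return None


def evaluate(iis_lines, process_events, ad_events, file_events):
    """Run every check; return (rule, host, evidence) tuples."""
    alerts = []
    for line in iis_lines:
        hit = check_iis_line(line)
        if hit:
            alerts.append(("proxynotshell_request", line.split()[2], hit))
    for ev in process_events:
        hit = check_process(ev)
        if hit:
            alerts.append(("winrar_cli_archiving", ev["host"], hit))
    for ev in ad_events:
        hit = check_gpo_change(ev)
        if hit:
            alerts.append(("gpo_modified", ev["host"], hit))
    # Renames to .play are counted per host; the ransom note alone is too noisy
    # (many products ship a ReadMe.txt), so it only alerts on a host already encrypting.
    play_writes = Counter(ev["host"] for ev in file_events
                          if ev["path"].lower().endswith(PLAY_EXTENSION))
    encrypting = {h for h, n in play_writes.items() if n >= PLAY_WRITE_THRESHOLD}
    for host in sorted(encrypting):
        alerts.append(("play_extension_burst", host,
                       f"{play_writes[host]} files renamed to {PLAY_EXTENSION}"))
    for ev in file_events:
        if ev["host"] in encrypting and ev["path"].lower().endswith("\\" + RANSOM_NOTE):
            alerts.append(("ransom_note_written", ev["host"], ev["path"]))
    return alerts


# --- constructed sample telemetry (not real captures) ---
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2025-01-10 09:12:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200",
    "2025-01-10 09:12:44 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@evil.example/powershell/?X-Rps-CAT=abc&Email=autodiscover/autodiscover.json%3F%40evil.example "
    "443 - 203.0.113.7 Mozilla/5.0 200",
]
SAMPLE_PROCESSES = [
    {"host": "FS01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",   # benign GUI open
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\a\pkg.rar"'},
    {"host": "FS01", "image": r"C:\Windows\Temp\rar.exe",              # staging for exfil
     "command_line": r"rar.exe a -r -hpPassw0rd C:\Windows\Temp\fin.rar \\fs01\finance"},
]
SAMPLE_AD = [
    {"host": "DC01", "event_id": 5136, "object_class": "groupPolicyContainer",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"},
    {"host": "DC01", "event_id": 5136, "object_class": "user",
     "object_dn": "CN=alice,CN=Users,DC=corp,DC=example"},
]
SAMPLE_FILES = [{"host": "FS01", "path": rf"D:\Shares\Finance\report{i}.xlsx.play"} for i in range(6)]
SAMPLE_FILES += [{"host": "FS01", "path": r"D:\Shares\Finance\ReadMe.txt"},
                 {"host": "WS22", "path": r"C:\Tools\ReadMe.txt"}]   # lone note, no alert


def run_samples():
    return evaluate(SAMPLE_IIS, SAMPLE_PROCESSES, SAMPLE_AD, SAMPLE_FILES)


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

On the samples this raises five alerts (ProxyNotShell request, WinRAR staging, GPO edit, .play burst and ransom note, all on the expected hosts) and stays silent on the benign WinRAR GUI launch, the user-object change and the lone ReadMe.txt on WS22.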
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Patch Microsoft Exchange immediately: apply the security updates that close ProxyNotShell and the other Exchange flaws. Patching does not evict an attacker who is already inside; after updating, check for web shells and other persistence on the server.
2. Disable OWA if it is not needed, or restrict the Exchange web endpoints (OWA, ECP, Autodiscover) to trusted networks; while a patch is pending, Microsoft's URL Rewrite mitigation blocks the ProxyNotShell request pattern.
3. Block known IOCs: block the binary hash above in EDR and AV, and alert on ReadMe.txt creation and .play renames so an encryption run is caught early.
