Play
Aliases: None listed
Play is a ransomware group that has been active since at least 2022, deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, exfiltrating data before encrypting systems, and security researchers presume the group operates as a closed group rather than as a ransomware-as-a-service offering.
ATT&CK techniques
T1030: Data Transfer Size Limits
T1016: System Network Configuration Discovery
T1048: Exfiltration Over Alternative Protocol
T1070.004: File Deletion
T1059.003: Windows Command Shell
T1059.001: PowerShell
T1560.001: Archive via Utility
T1018: Remote System Discovery
T1057: Process Discovery
T1027.010: Command Obfuscation
T1587.001: Malware
T1078.003: Local Accounts
T1562.001: Disable or Modify Tools
T1021.002: SMB/Windows Admin Shares
T1078: Valid Accounts
T1105: Ingress Tool Transfer
T1078.002: Domain Accounts
T1082: System Information Discovery
T1083: File and Directory Discovery
T1518.001: Security Software Discovery
T1133: External Remote Services
T1588.002: Tool
T1190: Exploit Public-Facing Application
T1003.001: LSASS Memory
T1657: Financial Theft
T1070.001: Clear Windows Event Logs
Correlated CTI and IR reports
AI in Offensive Operations: How Threat Actors Use Artificial Intelligence · 1200km CTI repository · explicit report mention
APT39 (Chafer / Remix Kitten) · Israel Threat Actors CTI · explicit report mention
Android Malware Analysis A Practical Guide for Security Analysts · 1200km Medium · authored report mention
Information Security Awareness Principles and Best Practices for Employees · 1200km Medium · authored report mention
Single Event Detection Rules in Cybersecurity · 1200km Medium · authored report mention
The 20x Employee A Strategic Framework for Unlocking Hyper Productivity with Artificial · 1200km Medium · authored report mention