Operational characteristics and cybersecurity implications of the Play ransomware group’s targeted attacks

CybersecurityHQ - Free in-depth report


Executive Summary

Play ransomware has compromised approximately 900 organizations since October 2023, ranking among the top five global ransomware groups (FBI, 2025). This report examines Play’s sophisticated tactics, including intermittent encryption, exploitation of vulnerabilities like CVE-2025-29824, and collaboration with North Korean actors like Jumpy Pisces (Unit 42, 2024).

With ransom demands of $150,000–$250,000 and broader incident costs reaching millions, Play targets manufacturing, healthcare, and government sectors, primarily in the U.S. (FBI, 2025). Defensive strategies include immediate patching, FIDO2 authentication, and behavioral EDR deployment. Organizations must also prepare for psychological tactics like voice-based harassment to counter this evolving threat.

Background and Evolution

Play ransomware first appeared in June 2022, initially targeting government infrastructure in Argentina (BleepingComputer, 2022). The group demonstrated rapid operational maturity, expanding to international targets including Rackspace's email services and municipal networks in Antwerp by December 2022 (Symantec, 2025).

Analysis of Play's growth trajectory reveals consistent expansion. The group ranked second among ransomware operators in Q1 2024 with 89 confirmed victims, representing 7.3% of global ransomware incidents (Adlumin, 2024). By April 2025, Play maintained high operational tempo with 39 attacks in a single month (ZeroFox, 2025). Despite law enforcement successes against competitors like LockBit and ALPHV, Play has avoided significant disruption through operational security practices including binary recompilation for each attack (FBI/CISA, 2025).

Technical Analysis

Attack Methodology

Play employs a multi-stage attack chain documented across numerous incidents (FBI, 2025):

Initial Access: The group exploits known vulnerabilities in internet-facing systems, particularly:

  • FortiOS SSL VPN (CVE-2018-13379, CVE-2020-12812)

  • Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082)

  • SimpleHelp RMM (CVE-2024-57726 through CVE-2024-57728)

  • Windows CLFS driver zero-day (CVE-2025-29824) (Symantec, 2025)

Reconnaissance: Play operators use both legitimate and custom tools for network mapping. Standard tools include AdFind for Active Directory enumeration and BloodHound for privilege escalation path analysis. The group's custom tool "Grixba" (SHA256: 75B525B2...819F54A) performs comprehensive asset discovery, including hostname resolution, share enumeration, and security software detection (FBI, 2025).

Persistence and Defense Evasion: Additional tools in Play's arsenal include PowerTool, SystemBCRAT, Plink, and AnyDesk for maintaining access and disabling security controls (FBI, 2025).

Encryption Mechanism

Play implements "intermittent encryption," a technique that encrypts specific file segments rather than entire files (FBI, 2025). The encryption routine targets 0x100000-byte (1 MiB) chunks, with the number of chunks determined by file size:

  • Files <1GB: 2 chunks encrypted

  • Files 1-10GB: 3 chunks encrypted

  • Files >10GB: 5 chunks encrypted

This approach reduces encryption time by approximately 80% while evading behavioral detection systems monitoring for continuous file modification patterns (Coveware, 2024). The ransomware uses AES-256 encryption with RSA-2048/4096 key protection, appending ".PLAY" extensions to encrypted files.
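One way to surface the chunk pattern described above on disk, as an added example written for this report (not tooling from the FBI advisory or any vendor): the function below measures Shannon entropy per 0x100000-byte segment and flags a file where only some segments look encrypted. The 7.5-bit threshold, the 1 GB = 2**30 convention, and the sample buffer are assumptions constructed here.

```python
import math
import os

CHUNK = 0x100000  # 1 MiB segment size described for Play's intermittent encryption


def expected_chunks(size: int) -> int:
    """Encrypted-chunk count per size band from the report (assumes 1 GB = 2**30 bytes)."""
    if size < 2**30:
        return 2
    if size <= 10 * 2**30:
        return 3
    return 5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, far lower for documents."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(bytes([b])) for b in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes) -> list[float]:
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def intermittent_encryption_verdict(data: bytes, threshold: float = 7.5) -> dict:
    """Flag a file in which only some 1 MiB segments look encrypted.

    A fully encrypted file has every chunk hot; an untouched file has none.
    Partial encryption (some but not all chunks hot) is the pattern to alert on,
    and the hot-chunk count is compared with the size band from the report.
    """
    ents = chunk_entropies(data)
    hot = [i for i, e in enumerate(ents) if e >= threshold]
    partial = 0 < len(hot) < len(ents)
    return {
        "chunks": len(ents),
        "high_entropy": hot,
        "partial": partial,
        "matches_play_band": partial and len(hot) == expected_chunks(len(data)),
    }


# Constructed sample: an 8 MiB "document" of repetitive text in which segments 0
# and 3 have been replaced by random bytes, standing in for two encrypted chunks.
_LINE = b"quarterly report: revenue, costs, headcount\n"
_LOW = (_LINE * (CHUNK // len(_LINE) + 1))[:CHUNK]
SAMPLE_FILE = b"".join(os.urandom(CHUNK) if i in (0, 3) else _LOW for i in range(8))

if __name__ == "__main__":
    print(intermittent_encryption_verdict(SAMPLE_FILE))
```

Run against real files, pair the verdict with the .PLAY extension check so that legitimately compressed or encrypted archives (every chunk hot) do not trip the partial-encryption rule.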

Infrastructure and Communication

Play operates without traditional Tor-based infrastructure, instead using a unique email address per victim, hosted at German providers (@gmx.de, @web.de) (FBI, 2025). Ransom notes are typically placed in C:\Users\Public\Music\ or drive roots as "ReadMe.txt" or "PLAY_Readme.txt" files.

Nation-State Collaboration

Palo Alto Networks' Unit 42 documented collaboration between Play and Jumpy Pisces (Andariel), a North Korean state-sponsored group, between May and September 2024 (Unit 42, 2024). This partnership provides Play with:

  • Access to state-developed exploits

  • Enhanced operational security

  • Initial access capabilities through Sliver C2 and DTrack malware

The FBI characterized this as a "watershed moment in the ransomware ecosystem," representing documented convergence of criminal and state-sponsored operations (FBI, 2025). This trend expanded in March 2025 when Moonstone Sleet, another North Korean group, deployed Qilin ransomware (Microsoft, 2025).

Economic Impact

Play's ransom demands typically range from $150,000 to $250,000, with approximately 30% of victims paying (FBI, 2025). This pricing remains below the Q1 2025 industry average of $663,582 (BlackFog, 2025), suggesting a volume-based strategy.

Total incident costs significantly exceed ransom amounts. Microchip Technology reported $21.4 million in breach-related expenses following their August 2024 incident (SEC, 2024). Dallas County's October 2023 breach exposed 200,000 individuals' records, resulting in notification costs, credit monitoring, and legal expenses (Dallas County, 2024).

Victim Profile

Geographic analysis shows 48% of Play victims located in the United States, followed by Canada, the United Kingdom, and Germany (FBI, 2025). The group avoids targeting Russia and CIS nations, consistent with Eastern European cybercriminal operations.

Sector targeting shows a preference for:

  • Manufacturing (30%)

  • Healthcare (20%)

  • Information Technology (15%)

  • Government (15%)

  • Education (10%)

  • Other sectors (10%)

Notable 2024-2025 victims include Krispy Kreme, Microchip Technology, multiple U.S. municipalities, and healthcare facilities (FBI, 2025; SEC filings, 2024-2025).

Defensive Recommendations

Immediate Actions (0-30 Days)

  1. Patch critical vulnerabilities, prioritizing CVE-2024-57727 and CVE-2025-29824

  2. Implement FIDO2 authentication for administrative access

  3. Verify offline backup integrity and test restoration procedures

  4. Configure EDR for intermittent encryption detection

Strategic Initiatives (30-90 Days)

  1. Deploy network microsegmentation

  2. Conduct threat hunts for persistence mechanisms

  3. Develop Play-specific incident response procedures

  4. Train staff on voice-based social engineering tactics

Long-Term Measures (90+ Days)

  1. Implement ML-based behavioral detection systems

  2. Review cyber insurance for nation-state attack coverage

  3. Participate in sector-specific Information Sharing and Analysis Centers (ISACs)

  4. Execute purple team exercises simulating Play tactics, techniques, and procedures (TTPs)

Indicators of Compromise

File Indicators:

  • Extension: .PLAY

  • Ransom notes: ReadMe.txt, PLAY_Readme.txt

  • Tools: Grixba (Gt_net.exe), HRsword.exe, PowerTool.exe, SystemBCRAT

Network Indicators:

  • Email domains: @gmx.de, @web.de

  • Anomalous RDP/VPN authentication patterns

  • Data exfiltration exceeding 100MB to unknown destinations
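The third network indicator above, turned into detection logic over constructed flow records, as an added example written for this report (not code from the advisory or any product): outbound bytes are summed per source/destination pair, internal and allowlisted peers are skipped, and pairs whose total exceeds 100 MB are returned. The internal ranges, the allowlist, the sample flows and reading "100MB" as 100 MiB are all assumptions made here.

```python
import ipaddress
from collections import defaultdict

EXFIL_THRESHOLD = 100 * 1024 * 1024  # "exceeding 100MB" from the indicator list (read as MiB)

# Assumed internal address space; adjust to the organisation's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist of sanctioned external endpoints (backup, SaaS, etc.).
KNOWN_DESTINATIONS = {"198.51.100.9"}

# Constructed sample flow records (src, dst, dst_port, bytes_out); not real traffic.
SAMPLE_FLOWS = [
    ("10.20.5.17", "10.20.5.3", 445, 80 * 1024 * 1024),      # internal file-server copy
    ("10.20.5.17", "203.0.113.44", 443, 60 * 1024 * 1024),   # unknown external peer
    ("10.20.5.17", "203.0.113.44", 443, 45 * 1024 * 1024),   # same peer; sums past 100 MiB
    ("10.20.5.22", "198.51.100.9", 443, 30 * 1024 * 1024),   # allowlisted destination
    ("10.20.5.22", "192.0.2.10", 22, 1_000),                 # external but tiny
]


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_large_unknown_transfers(flows, known=KNOWN_DESTINATIONS, threshold=EXFIL_THRESHOLD):
    """Return (src, dst, total_bytes) for external, non-allowlisted peers over the threshold.

    Summing per pair matters: Play-style staging often shows up as several
    mid-sized sessions to one host rather than a single large transfer.
    """
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if not is_external(dst) or dst in known:
            continue
        totals[(src, dst)] += nbytes
    return sorted((src, dst, total) for (src, dst), total in totals.items() if total > threshold)


if __name__ == "__main__":
    for src, dst, total in find_large_unknown_transfers(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {total / 2**20:.1f} MiB to unknown destination")
```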

MITRE ATT&CK Mapping:

  • Initial Access: T1078, T1190

  • Privilege Escalation: T1068, T1003

  • Defense Evasion: T1562.001, T1070.001

  • Impact: T1486, T1490

Conclusion

Play ransomware represents a sophisticated threat requiring comprehensive defensive strategies. The group's technical innovations, operational discipline, and state-sponsored partnerships necessitate advanced detection capabilities and robust incident response planning. Organizations should prioritize vulnerability management, implement behavioral detection systems, and prepare for multi-vector extortion attempts including voice-based harassment.

Stay safe, stay secure.

The CybersecurityHQ Team
