Play, sometimes written PlayCrypt, has been one of the most consistently active ransomware operations of the past three years, despite running a smaller and more deliberately closed program than rivals like LockBit, BlackCat, or RansomHub. The operation is best understood as a counter-example to the open-recruitment RaaS model: same outcomes, very different organisational philosophy, and a track record that has made it a top-five operator in many quarterly tracking reports through 2024 and into 2025.
Origins
Play first appeared in mid-2022. The brand’s name comes from the ".play" file extension appended to encrypted files and the simple, single-word ransom note ("PLAY") dropped in encrypted directories. The leak site is similarly minimalist, far more austere than the elaborate panels run by BlackCat or LockBit.
Researchers and Western law-enforcement advisories have not made a definitive lineage claim, but Play’s TTPs, code patterns, and target preferences have led to overlap analysis with several Conti-adjacent operators. Some affiliates appear to have rotated in from earlier brands; others appear to be a smaller, longer-tenured set of operators working closely with the core team.
The closed-shop model
Where most major ransomware operations run open affiliate programs and recruit publicly, Play does not. There is no obvious advertising on Russian-language forums; there is no Tor-based affiliate panel that researchers have publicly mapped; payment splits are not advertised. CISA, FBI, and ASD’s ACSC joint advisories have characterised Play’s model as "closed group" rather than RaaS.
The implication is that Play is run by a smaller, tighter team, with deliberate vetting of the affiliates who get access to the locker. That model has trade-offs. The talent pool is smaller, but it is also harder for researchers and law enforcement to penetrate, since infiltration of an open recruitment channel is one of the standard moves against RaaS programs. It is plausibly part of why Play has avoided the kind of high-profile takedown that has hit Hive, LockBit, and BlackCat.
The malware
The Play locker is a competent hybrid AES + RSA design with a Linux/ESXi variant and selective use of intermittent encryption. Some technical signatures across versions:
- AES-256 in CTR mode for file content, with per-file keys wrapped using RSA.
- Custom packers and obfuscation that have evolved repeatedly through 2023 and 2024.
- An ESXi variant deployed widely against virtualised environments.
- A noisy approach to backup and shadow-copy destruction, deleting Volume Shadow Copies, terminating common backup services, and aggressively flushing event logs.
A handful of Play victims have been recovered without payment thanks to operational mistakes by affiliates rather than cryptographic flaws, a reminder that even a competent locker is only as secure as the operators handling its keys.
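Because intermittent encryption leaves runs of untouched bytes between ciphertext blocks, a per-block entropy profile separates fully encrypted, partially encrypted and untouched files during triage. The Python below is an added example, not code from this write-up or from any Play sample; the block size, the entropy threshold and the sample file bodies are constructed assumptions.

```python
import math
import os
from collections import Counter

CHUNK = 4096         # bytes examined per block
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext approaches 8.0, documents sit far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 for an empty block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """Label a file body by which of its blocks look like ciphertext:
    'plaintext' (none), 'encrypted' (all), 'intermittent' (a mixture)."""
    high = [shannon_entropy(data[i:i + chunk]) >= threshold
            for i in range(0, len(data), chunk)]
    if not any(high):
        return "plaintext"
    return "encrypted" if all(high) else "intermittent"


def build_samples() -> dict:
    """Constructed sample bodies (not recovered Play artefacts): a low-entropy
    document, a fully random body standing in for a fully encrypted file, and a
    body whose odd-numbered blocks were replaced by random bytes."""
    text = (b"Quarterly budget figures for the water utility, draft 3.\n" * 600)[:CHUNK * 8]
    mixed = b"".join(os.urandom(CHUNK) if i % 2 else text[i * CHUNK:(i + 1) * CHUNK]
                     for i in range(8))
    return {"report.docx": text, "report.docx.play": os.urandom(CHUNK * 8), "db.mdf.play": mixed}


def scan(samples: dict) -> dict:
    """Classify every sample. The .play suffix alone is a signal; the block pattern
    tells a responder whether any plaintext survives inside a renamed file."""
    return {name: classify(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, label in scan(build_samples()).items():
        print(f"{name:20s} {label}")
```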
Initial access
Play has favoured exploitation of Microsoft Exchange (the ProxyNotShell chain), Fortinet SSL VPN, and an interesting series of intrusions through compromised remote-monitoring-and-management (RMM) tools at managed service providers. Several victims of Play attacks have been MSPs themselves, with downstream impact on dozens of customer environments, a parallel to the broader trend of supply-chain compromise as force-multiplier.
Other observed initial-access vectors:
- Compromised credentials sourced from initial-access brokers.
- Phishing with malicious LNK shortcuts and ISO containers.
- Exploitation of older but still-unpatched vulnerabilities in edge devices.
TTPs
Play intrusions tend to follow a recognisable pattern:
- Establish foothold via VPN or exposed RDP, typically with valid credentials.
- Deploy SystemBC and AdFind for command-and-control and Active Directory enumeration.
- Use Cobalt Strike and Empire for hands-on-keyboard movement.
- Disable security tooling using GMER, IObit Unlocker, and PowerTool.
- Exfiltrate data using WinSCP, WinRAR-staged archives, and cloud-storage uploads.
- Deploy the locker via Group Policy or PsExec, with ESXi often hit first to take down virtualised servers en masse.
The CISA/FBI/ACSC joint advisory from December 2023 documented Play’s TTPs in detail and listed indicators of compromise that have since been used by many defenders to retrospectively identify Play intrusions in their environments.
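A detection that keys on the clustered pre-encryption sequence described above (AD enumeration, archive staging, backup and shadow-copy destruction, log clearing, remote deployment) rather than on any single command. This Python is an added example, not code from this write-up or from the joint advisory; the log record format, host names, the command-line patterns and the three-stages-per-host threshold are assumptions.

```python
import re
from collections import defaultdict

# One rule per stage named in the write-up. The command names are the usual
# Windows tools for that behaviour (assumed here), not a claim about Play's
# exact command lines.
RULES = [
    ("ad_enumeration",       re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("archive_staging",      re.compile(r"\b(winrar|rar)(\.exe)?\b.*\ba\b", re.I)),
    ("backup_service_stop",  re.compile(r"\b(net|sc)(\.exe)?\b.*\bstop\b.*\b(veeam|backup)", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("event_log_clearing",   re.compile(r"\bwevtutil(\.exe)?\b.*\bcl\b", re.I)),
    ("remote_exec",          re.compile(r"\bpsexec(\.exe)?\b", re.I)),
]

# Simplified key=value process-creation records (a constructed format, not Sysmon's).
LINE_RE = re.compile(r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')
SAMPLE_LOG = [
    r'ts=2024-03-04T01:12:07Z host=FS01 user=CORP\svc_backup cmd="adfind.exe -f objectcategory=computer -csv"',
    r'ts=2024-03-04T01:15:40Z host=FS01 user=CORP\svc_backup cmd="rar.exe a -r -hp staging.rar D:\Finance"',
    r'ts=2024-03-04T01:30:58Z host=FS01 user=CORP\svc_backup cmd="net stop BackupAgent"',
    r'ts=2024-03-04T01:31:22Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2024-03-04T01:31:25Z host=FS01 user=CORP\svc_backup cmd="wevtutil.exe cl Security"',
    r'ts=2024-03-04T01:32:01Z host=DC01 user=CORP\svc_backup cmd="psexec.exe \\FS02 -s -d cmd /c deploy.bat"',
    r'ts=2024-03-04T09:02:11Z host=WS17 user=CORP\alice cmd="winword.exe /n report.docx"',
]

def analyse(lines, min_stages=3):
    """Return (hits, flagged): every (ts, host, stage) match, and the hosts on
    which at least min_stages distinct stages occurred, mapped to the sorted
    stage list. Requiring several stages keeps a lone admin vssadmin call from
    paging anyone while still catching the clustered pre-encryption sequence."""
    hits, per_host = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than crash the pipeline
        ev = m.groupdict()
        for stage, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append((ev["ts"], ev["host"], stage))
                per_host[ev["host"]].add(stage)
    flagged = {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}
    return hits, flagged

if __name__ == "__main__":
    for host, stages in analyse(SAMPLE_LOG)[1].items():
        print(host, "->", ", ".join(stages))
```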
Notable victims
Play’s victim list is heavy on cities, schools, healthcare, and managed service providers:
- The City of Oakland (February 2023), in an attack that disrupted city services for weeks and led to a state-of-emergency declaration.
- The Government of Argentina’s judicial branch in Cordoba.
- Rackspace (December 2022), in a high-impact compromise of the company’s hosted Exchange environment via ProxyNotShell.
- Krispy Kreme, Microchip Technology, Pirelli, A10 Networks, and a long roster of regional manufacturers.
- Multiple US public school districts and county governments.
Industry tracking through 2024 placed Play among the top three most active operations by quarterly victim count, often jockeying with Akira and RansomHub for second place behind whichever brand happened to be ascendant.
Outlook
Play has not yet been visibly disrupted. Its closed-group model has insulated it from the kinds of affiliate-panel infiltration that ended Hive and weakened LockBit. Its victim cadence has been relatively stable, suggesting a mature operation that does not need to chase volume. Western law-enforcement attention is clearly increasing; the joint advisory and continued public reporting reflect that. At the time of writing, however, no public takedown has occurred.
For defenders, Play is a useful reminder that not every major ransomware threat looks like LockBit. Some operations are quieter, smaller, more deliberate, and harder to disrupt precisely because they do not run as franchises. The closed-shop model may well be a template that other operators imitate as the open-RaaS brands continue to attract takedowns.
