Skip to content
Ransomware group

PLAY

Play ransomware, also referred to as PlayCrypt and play_ransomware, is a ransomware-as-a-service (RaaS) operation first spotted at the end of June 2022.

Profile source: Mallory opens in a new tab

PLAY

Family profile

Play ransomware, also referred to as PlayCrypt and play_ransomware, is a ransomware-as-a-service (RaaS) operation first spotted at the end of June 2022. It was named for the .play file extension and the word “PLAY” in its ransom note email. The malware is associated with double-extortion activity, with operators stealing data and threatening public release in addition to encrypting systems. The content describes Play as an active, high-volume ransomware threat that has impacted roughly 900 organizations by May 2025 according to cited FBI reporting, and as one of the top ransomware threats to critical infrastructure.

Play targets enterprise environments across multiple sectors, with explicit references to healthcare, manufacturing, and critical infrastructure victims. The American Hospital Association warned of rising double-extortion threats involving the Play group, and the content specifically notes impacts to hospitals and healthcare organizations. Publicly referenced victim activity includes the French Rugby Federation before the 2023 Rugby World Cup, Swiss government data exposure via supplier Xplain in 2023, Microchip Technology in 2024, and MyPillow in 2025. The victim tracking content shows a strong concentration in the United States, with additional victims across Canada, Europe, Asia-Pacific, Africa, Latin America, and the Caribbean.

The malware and its operators are described as using rapid post-compromise deployment compared with many peers. Reported tradecraft includes exploitation of public-facing applications, use of valid accounts, scheduled tasks, PowerShell, credential dumping including LSASS memory and NTDS theft, discovery of network services and security software, lateral movement via RDP and SMB/Windows Admin Shares, lateral tool transfer, data archiving, exfiltration over alternative protocols, remote access software for command and control, clearing Windows event logs, stopping services, inhibiting system recovery, disabling or modifying security tools, and encrypting data for impact. Huntress reporting cited in the content states that Play often deploys ransomware quickly and averages fewer than 10 actions before encryption in observed incidents.

Play has also been linked to defense evasion and recovery inhibition behaviors. The content states that PlayCrypt can use AlphaVSS to delete shadow copies, and ATT&CK-style mappings associate PlayCrypt with data encryption for impact, file and directory discovery, and inhibiting system recovery. Additional reporting says Play operators have used legitimate but vulnerable drivers to terminate EDR products. Splunk detection content also associates Play with use of wevtutil-style log disabling behavior.

The content further states that Play has exploited the Windows Common Log File System vulnerability CVE-2025-29824, and that multiple reports observed abuse of this flaw by Play-associated attackers before patching. Play is also listed among ransomware programs associated with Muddled Libra/Scattered Spider partnerships, though the content only states association rather than exclusive operational control.

A Linux/ESXi-focused variant is described in SentinelLABS reporting as the first known Linux version of Play ransomware. That sample referenced the .FinDom extension and the ransom email address findomswitch@fastmail.pw, artifacts associated with Play, and was assessed as Babuk-derived. The sample reportedly used the same file-searching functionality as baseline Babuk and Sosemanuk for encryption. The Play ESXi sample SHA1 is dc8b9bc46f1d23779d3835f2b3648c21f4cf6151, and the related archive SHA1 is 9290478cda302b9535702af3a1dada25818ad9ce. The archive reportedly contained AnyDesk, NetCat, a privilege-escalation batch file, and encoded PowerShell Empire scripts.

The content also states that Play uses intermittent encryption based on file size and encrypts chunks of 0x100000 bytes. Known artifacts and indicators mentioned in the content include the .play and .FinDom extensions, the ransom email findomswitch@fastmail.pw, email IOCs derdiarikucisv@gmx.de and raniyumiamrm@gmx.de, and a YARA artifact named Play.yar.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • HandleKatz
  • Mimikatz
  • Nanodump

Defense Evasion

  • EDRKill (echo_driver.sys + DBUtil 2.3)
  • GMER
  • IOBit
  • PowerTool
  • icardagt.exe (version.dll DLL sideload)

Discovery Enum

  • AdFind
  • WKTools

Exfiltration

  • WinSCP

LOLBAS

  • PsExec

Networking

  • FRP
  • Plink

Offsec

  • Cobalt Strike
  • WinPEAS

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

9 named in public reporting
Scattered Spider

These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)

Fiddling Scorpius

These RaaS programs include: Akira (Howling Scorpius) ALPHV (Ambitious Scorpius) DragonForce (Slippery Scorpius) Play (Fiddling Scorpius) Qilin (Spikey Scorpius) RansomHub (Spoiled Scorpius)

Lazarus

MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed by Play ransomware extortionists as an alleged victim.

Play

"...Super Quik had multiple internal files and surveillance video footage exposed by the Play ransomware operation, which claimed to have exfiltrated a 5.5 GB dataset from its systems."

Prolific Puma

Play (AKA PlayCrypt) ransomware is a private ransomware operation that has been active since, at least, June 2022. The group operates in a double extortion method, where the victim data is stolen and leaked via a data leak site if the ransom demand is not paid.

Andariel

Play (AKA PlayCrypt) ransomware is a private ransomware operation that has been active since, at least, June 2022. The group operates in a double extortion method, where the victim data is stolen and leaked via a data leak site if the ransom demand is not paid.

QuadSwitcher

Play (AKA PlayCrypt) ransomware is a private ransomware operation that has been active since, at least, June 2022. The group operates in a double extortion method, where the victim data is stolen and leaked via a data leak site if the ransom demand is not paid.

RansomEXX

Symantec said it had found evidence of Balloonfly, the operator of Play ransomware, also exploiting CVE-2025-29824 against a US-based organization before Microsoft patched it.

Contagious Interview

North Korea has long been involved in ransomware attacks and has been previously associated with the Maui and Play ransomware families.

Exploited software

Vulnerabilities linked to PLAY

10 CVEs

MITRE ATT&CK

PLAY in ATT&CK

39 distinct techniques

Reporting

Research mentioning PLAY

Jun 6
Cysecurity News

MyPillow Hit by Ransomware Attack as Cyber Threats Intensify - CySecurity News - Latest Information Security and Hacking Incidents

As a result of the unauthorized access to a broad range of sensitive corporate and personal records, identified as Play, the threat actor claims that payroll data, financial information, tax information, identification information, and internal business files have been exfiltrated.

May 28
Palo Alto Networks Unit 42

2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface

Rugby World Cup, France 2023 Fiddling Scorpius, distributors of Play ransomware ... French Rugby Federation systems encrypted three months before kickoff; Personally identifiable information (PII) exfiltrated.

May 26
Register Security

MyPillow appears on Play ransomware leak site

MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed by Play ransomware extortionists as an alleged victim.

May 25
Ransomware Live

Ransomware.live: play

Play [[URL_3454fe3e_35]] Discovered: 2026-05-19 (5d ago) United States…

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

Play posted a 64% increase, going from 74 victims to 121.

Apr 24
Detect

Analyzing GLOBAL GROUP (BlackLock) Artifacts | by SIMKRA | Apr, 2026 | Detect FYI

Other prolific actors like LockBit 5.0, DragonForce, Qilin, Play, Medusa, and The Gentlemen follow nearly identical ESXi and AD playbooks, differing mainly in initial access like phishing LNKs versus IAB credentials and encryptor language like Go versus Rust.

Apr 8
Hipaa Journal

2025 Losses to Cybercrime Exceeded $20 Billion

The biggest ransomware threats in terms of complaint volume were Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play.

Mar 16
Cyberscoop

The ransomware economy is shifting toward straight-up data extortion | CyberScoop

The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub and Fireflame, according to Google. The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.