Play Ransomware
What is Play Ransomware?
A double-extortion ransomware group, also known as PlayCrypt, active since mid-2022 and notable for exploiting Microsoft Exchange and Fortinet vulnerabilities.
Play, also tracked as PlayCrypt, surfaced in June 2022 and became one of the most active ransomware groups targeting organizations in North America, South America and Europe. It drew wide attention in the second half of 2022 with attacks on the Judiciary of Córdoba in Argentina (August) and the city of Antwerp (December). CISA, the FBI and the Australian Signals Directorate's ACSC published joint advisory AA23-352A in December 2023, attributing roughly 300 affected entities to Play at that time; the advisory was later updated in June 2025 with a much higher victim count. For initial access the group abuses known Fortinet FortiOS flaws (CVE-2018-13379, CVE-2020-12812), the Microsoft Exchange ProxyNotShell chain (CVE-2022-41040 and CVE-2022-41082) and valid accounts, including stolen VPN credentials. Operators exfiltrate data before encrypting (the double-extortion model). Files are encrypted with a hybrid AES-RSA scheme and renamed with a .play extension, and a ReadMe.txt ransom note directs victims to contact the attackers by email rather than through a Tor negotiation portal.
● Examples
- 01
December 2022 attack on the city of Antwerp's IT systems by Play.
- 02
Joint CISA/FBI/ASD ACSC advisory AA23-352A documenting roughly 300 Play incidents as of late 2023.
● Frequently asked questions
What is Play Ransomware?
A double-extortion ransomware group, also known as PlayCrypt, active since mid-2022 and notable for exploiting Microsoft Exchange and Fortinet vulnerabilities. It belongs to the Malware category of cybersecurity.
What does Play Ransomware mean?
A double-extortion ransomware group, also known as PlayCrypt, active since mid-2022 and notable for exploiting Microsoft Exchange and Fortinet vulnerabilities.
How does Play Ransomware work?
Play intrusions follow a consistent chain. Initial access comes from exposed edge services, either unpatched Fortinet FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) or valid accounts such as stolen VPN credentials. Operators then enumerate Active Directory with tools like AdFind and Grixba, disable endpoint protection with kernel-level utilities such as GMER, IOBit and PowerTool, and use Cobalt Strike and SystemBC for command and control with PsExec for lateral movement. Data is compressed with WinRAR and exfiltrated over WinSCP before encryption begins, which gives the group its extortion leverage. The encryptor uses a hybrid AES-RSA scheme with intermittent encryption (only portions of each file are encrypted, so .play files can still contain recognisable plaintext), appends the .play extension, and drops a ReadMe.txt note that instructs victims to negotiate by email rather than through a Tor portal.
How do you defend against Play Ransomware?
Defences follow directly from the intrusion chain. Patch the edge devices Play targets (the Fortinet FortiOS and Exchange ProxyNotShell CVEs above) and remove any remaining exposure of RDP and management interfaces to the internet. Require phishing-resistant multifactor authentication on VPN, webmail and all remote access so stolen credentials alone are not enough. Segment the network and restrict the administrative tooling Play relies on (PsExec, AdFind, WinRAR and WinSCP on hosts that have no business need for them), and alert on attempts to stop or uninstall endpoint protection. Keep offline, immutable backups and test restoration, because exfiltration plus encryption means recovery from backup is the only path that avoids paying for both.
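The following is an added example, not code from the page or from any of the advisories it cites, showing how a responder might hunt for the two artifacts described above: ProxyNotShell exploitation attempts in Exchange IIS logs, and the .play extension plus ReadMe.txt note on a file share. The IIS log excerpt, hostnames, addresses and the sample file tree are all constructed for the demo; the log signature is the URL-rewrite pattern Microsoft published as a ProxyNotShell mitigation, reused here as a retrospective search.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Microsoft's URL Rewrite mitigation for ProxyNotShell blocked requests
# matching ".*autodiscover\.json.*\@.*Powershell.*"; the same pattern works
# as a hunt over historical IIS logs.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Host artifacts Play leaves behind: the appended extension and the note name.
PLAY_EXTENSION = ".play"
PLAY_NOTE_NAME = "readme.txt"

# Constructed IIS W3C log excerpt (not real telemetry). Fields: date time
# s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status. Addresses are documentation ranges.
SAMPLE_IIS_LOG = """\
2022-10-03 11:02:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X-Rps-CAT=abc 443 - 198.51.100.7 Mozilla/5.0 - 200
2022-10-03 11:03:40 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2022-10-03 11:04:01 10.0.0.5 POST /autodiscover/autodiscover.json a=x@mail.example/PowerShell&Email=autodiscover%2Fautodiscover.json 443 - 198.51.100.7 python-requests/2.28 - 401
2022-10-03 11:05:22 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 - 203.0.113.9 Outlook/16.0 - 200
"""


def find_proxynotshell_attempts(log_text):
    """Return one record per request whose stem+query matches the ProxyNotShell signature."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip W3C header lines
            continue
        fields = line.split()
        if len(fields) < 12:
            continue
        target = fields[4] + "?" + fields[5]  # stem and query together
        if PROXYNOTSHELL_RE.search(target):
            hits.append({
                "time": f"{fields[0]} {fields[1]}",
                "method": fields[3],
                "client": fields[8],
                "status": fields[11],  # 200 on the autodiscover hop is the worrying case
            })
    return hits


def find_play_artifacts(root):
    """Walk a tree and report .play files, ReadMe.txt notes and the earliest encryption time."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lowered = name.lower()
            if lowered.endswith(PLAY_EXTENSION):
                encrypted.append(path)
            elif lowered == PLAY_NOTE_NAME:
                notes.append(path)
    earliest = None
    if encrypted:
        # Earliest mtime among encrypted files bounds when the encryptor ran.
        ts = min(os.path.getmtime(p) for p in encrypted)
        earliest = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "earliest_encrypted": earliest}


def build_sample_tree():
    """Create a constructed directory tree that mimics a partially encrypted share (hypothetical data)."""
    root = tempfile.mkdtemp(prefix="play-demo-")
    layout = {
        "finance/q3-report.docx.play": b"\x00" * 64,
        "finance/budget.xlsx.play": b"\x00" * 64,
        "finance/ReadMe.txt": b"constructed placeholder, not a real ransom note\n",
        "hr/handbook.pdf": b"%PDF-1.4 placeholder\n",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in find_proxynotshell_attempts(SAMPLE_IIS_LOG):
        print("ProxyNotShell pattern:", hit)
    report = find_play_artifacts(build_sample_tree())
    print(f"{len(report['encrypted'])} .play files, {len(report['notes'])} notes, "
          f"earliest {report['earliest_encrypted']}")
```

A log match is a hunting lead, not proof of compromise: a 401 on the autodiscover hop means the request never reached the PowerShell backend, while a 200 warrants pulling the corresponding PowerShell and HttpProxy logs. On the host side, Play's intermittent encryption means a .play file may still contain mostly readable content, so do not rely on entropy checks to find encrypted files; the extension and the note are the reliable markers.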
What are other names for Play Ransomware?
Common alternative names include: PlayCrypt, Play Group.
● Related terms
- Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.