Play Ransomware Closed Operations Model
Profile of Play ransomware closed affiliate model targeting enterprises and government.
Play ransomware, also tracked as PlayCrypt, represents one of the most operationally disciplined ransomware groups active since its emergence in June 2022. Unlike open affiliate programs that recruit broadly and tolerate inconsistent tradecraft, Play operates under a closed model in which a vetted core team controls both development and intrusion operations. This structure produces tighter operational security, consistent tooling, and more predictable attack patterns than groups running open Ransomware-as-a-Service (RaaS) programs. The FBI, CISA, and the Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC) issued a joint advisory in December 2023 documenting Play's methods, confirming its status as a significant threat to critical infrastructure, government entities, and large enterprises across multiple continents.
---
Play ransomware is a double-extortion ransomware strain operated by a closed, likely private group that encrypts victim data and threatens public release on a dedicated leak site to pressure payment. The "closed operations model" refers specifically to the group's decision to restrict participation to a controlled team rather than licensing its malware to outside affiliates through a public RaaS program. This is a meaningful operational distinction.
In an open RaaS model (as seen with LockBit or BlackCat/ALPHV), the ransomware developers recruit affiliates externally, share tooling widely, and earn a percentage of ransom payments. Quality control is low; affiliates vary in skill and discipline. Play's closed model concentrates expertise, standardizes tooling, and reduces the operational noise that exposes open RaaS groups to infiltration, law enforcement informants, and inconsistent intrusion behavior.
Play is not a wiper. It does not destroy data without offering a decryption path. It is not a commodity crimeware tool sold on underground forums for casual use. It should not be confused with open RaaS families that license a builder and panel to any paying customer.
Play produces two primary variants: a Windows variant targeting domain-joined enterprise environments, and a Linux variant specifically engineered to encrypt VMware ESXi hypervisors. The ESXi variant is significant because it allows a single execution to shut down and encrypt multiple virtual machines simultaneously, multiplying operational disruption without requiring per-host intrusion work. Both variants use RSA combined with AES encryption, applying intermittent encryption (encrypting portions of files rather than full content) to increase encryption speed while still rendering files unusable. Encrypted files receive the ".play" extension. Ransom notes are deliberately minimal, containing only a contact email address and no stated ransom amount, requiring victims to initiate negotiation directly.
---
Play's attack chain is methodical and follows a consistent pattern across documented incidents. Understanding each phase in operational detail is essential for defenders building detection coverage.
Initial Access
Play consistently enters environments through known, unpatched vulnerabilities in internet-facing systems. Documented initial access vectors include:
The group does not rely on phishing as a primary vector. This is operationally relevant: Play's initial access pattern is almost entirely dependent on unpatched perimeter infrastructure, which means a well-maintained patch program directly reduces exposure to this group's primary entry method.
Discovery and Enumeration
Following initial access, Play operators conduct structured network and Active Directory reconnaissance before touching any encryption or exfiltration tooling. Observed tools include:
This reconnaissance phase can extend across multiple days or weeks in large environments. The group is patient. Operators map the environment fully before advancing to credential access and lateral movement.
Credential Access and Lateral Movement
Play operators harvest credentials using common post-exploitation techniques including LSASS memory dumping and extraction of credentials from browser stores and configuration files. Lateral movement proceeds through standard Windows protocols: SMB, WMI, and RDP. The group has been observed using Cobalt Strike beacon implants as their primary command-and-control framework, though they also use custom tooling to reduce signature-based detection.
Data Staging and Exfiltration
Before encryption, Play exfiltrates sensitive data to operator-controlled infrastructure. Observed tools for this phase include WinSCP and Rclone, both legitimate file transfer utilities that blend into administrative traffic on networks where they are already present. The group also uses a custom VSS Copying Tool to access Volume Shadow Copy files, allowing them to retrieve data from shadow copies without triggering standard file access alerts. This data becomes the extortion asset: pay, or the data is published to the Play leak site.
Encryption Execution
Once exfiltration is complete, Play deploys its encryptor. The ESXi variant shuts down running virtual machines using ESXi management commands before encrypting VMDK files, ensuring maximum impact with minimum runtime. The Windows variant targets mapped drives, network shares, and local volumes. Intermittent encryption writes only partial file content, making encryption faster and harder to detect with heuristics that key on high volumes of file-write activity. The result is a .play extension appended to affected files and a minimal ransom note placed in affected directories.
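Because intermittent encryption keeps write volume low, a detection that keys on the extension change rather than on bytes written is more robust. The following is an added example, not code from the advisory or from CDA: it parses a constructed file-rename audit feed (the line format, host names and paths are assumptions) and alerts on .play renames, with a lower bar for ESXi datastores where a single encrypted VMDK takes down an entire virtual machine.

```python
import re
from collections import defaultdict

# Constructed sample of file-system audit events (not from the page). Format:
# "<unix_ts> <host> RENAME <old_path> -> <new_path>"
SAMPLE_EVENTS = """\
1700000000 FS01 RENAME C:\\Shares\\Finance\\q3.xlsx -> C:\\Shares\\Finance\\q3.xlsx.play
1700000002 FS01 RENAME C:\\Shares\\Finance\\q4.xlsx -> C:\\Shares\\Finance\\q4.xlsx.play
1700000004 FS01 RENAME C:\\Shares\\HR\\roster.docx -> C:\\Shares\\HR\\roster.docx.play
1700000100 WS22 RENAME C:\\Users\\a\\draft.docx -> C:\\Users\\a\\final.docx
1700000300 ESX01 RENAME /vmfs/volumes/ds1/app01/app01.vmdk -> /vmfs/volumes/ds1/app01/app01.vmdk.play
"""

EVENT_RE = re.compile(r"^(\d+) (\S+) RENAME (.+?) -> (.+)$")

def parse_events(text):
    """Parse the constructed audit format into (ts, host, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect_play_renames(events, threshold=3, window=60):
    """Alert per host on renames that append the .play extension.

    Intermittent encryption keeps bytes written per file low, so the trigger is
    the extension change itself, not write volume. A host needs `threshold`
    such renames inside `window` seconds; a single .vmdk rename is enough on
    its own, because one encrypted VMDK disables a whole virtual machine.
    """
    hits = defaultdict(list)
    for ts, host, old, new in events:
        if new.lower().endswith(".play") and not old.lower().endswith(".play"):
            hits[host].append((ts, old))
    alerts = {}
    for host, items in hits.items():
        items.sort()
        vmdk = any(old.lower().endswith(".vmdk") for _, old in items)
        for start_ts, _ in items:
            in_window = [t for t, _ in items if start_ts <= t < start_ts + window]
            if vmdk or len(in_window) >= threshold:
                alerts[host] = {"count": len(items), "first_seen": items[0][0], "vmdk": vmdk}
                break
    return alerts
```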
Scenario: City of Oakland
In early 2023, the City of Oakland, California declared a local state of emergency following a Play ransomware attack. The group accessed city systems through a known vulnerability, conducted internal reconnaissance across the network, exfiltrated sensitive data including personally identifiable information (PII) for city employees, and encrypted systems across multiple departments. City services including non-emergency police functions, permitting, and financial systems were disrupted for weeks. Play subsequently published exfiltrated data on its leak site after negotiations broke down. The incident illustrated how a single exploited perimeter vulnerability cascades into months of recovery effort for a public-sector organization with limited cybersecurity staffing.
---
The Play ransomware group demonstrates that a small, disciplined team operating a closed model can produce consistent, high-impact intrusions at scale. The operational maturity of the group creates several specific risks that organizations frequently underestimate.
Prolonged Dwell Time
Because Play does not rush toward encryption, defenders relying on endpoint detection rules tuned to detect ransomware activity at the encryption phase will miss the group during its longest and most consequential phase: reconnaissance, credential harvesting, and data exfiltration. By the time encryption executes, the group has already accomplished its primary extortion goal. Defenders who measure success by stopping encryption have already lost the data.
Double Extortion Compounds Harm
Many organizations assume that functional backups eliminate ransomware risk. With Play, backups do not address the data exfiltration component. Even an organization that restores systems within 48 hours from clean backups faces the prospect of sensitive employee data, customer records, or proprietary information being published publicly. The City of Oakland experienced this directly: city data was published despite the city's public statements about its recovery posture.
The Closed Model Reduces Intelligence Availability
Open RaaS groups generate substantial threat intelligence through affiliate leaks, law enforcement infiltrations, and the inevitable chatter of a large criminal network. Play's closed model produces less public intelligence, making it harder for threat intelligence teams to anticipate operational changes or obtain decryption keys from defecting affiliates. This is a structural advantage for the attacker.
Common Misconception: Patching Is Sufficient
Organizations sometimes treat patching as a complete defense against Play. Patching internet-facing systems is the highest-leverage single control, but it is not sufficient alone. The group has demonstrated willingness to return to previously compromised environments months after initial access, using persistence mechanisms established before a vulnerability was patched. Organizations that patch without conducting a full compromise assessment may be patching the door while the group is already inside.
Broader Consequence for Critical Infrastructure
Play's targeting of government agencies, healthcare organizations, and managed service providers creates cascading risk. When Rackspace suffered a Play-attributed incident in late 2022, the impact extended to Rackspace's customers, not only Rackspace itself. Supply chain and managed service exposure means that Play's targeting of a single organization can affect hundreds of dependent entities.
---
CDA approaches the Play ransomware threat through the Planetary Defense Model (PDM), specifically through two intersecting domains: Threat Intelligence Domain (TID) and Vulnerability Surface Domain (VSD). The governing methodology is Predictive Defense Intelligence (PDI), summarized operationally as "See the threat before it sees you."
Play's operational pattern is highly consistent across documented incidents. This consistency is both a product of the closed model and an analytical asset: consistent tradecraft produces reliable detection signatures, behavioral patterns, and vulnerability dependencies that defenders can act on before an intrusion occurs rather than after.
TID Application
CDA's TID mission generates structured threat profiles for active ransomware groups, including Play. This includes mapping the group's documented TTPs to MITRE ATT&CK framework techniques (Initial Access: T1190 Exploit Public-Facing Application; Discovery: T1087 Account Discovery; Exfiltration: T1048 Exfiltration Over Alternative Protocol; Impact: T1486 Data Encrypted for Impact). TID analysts maintain current awareness of Play's vulnerability targeting, updating the group's known initial access vectors as new CVEs emerge and assessing whether the group has demonstrated capability against newly disclosed vulnerabilities before patches are widely applied.
VSD Application
CDA's VSD missions VSD-R01 through VSD-R06 address the specific vulnerability classes Play exploits. VSD-R01 through VSD-R03 prioritize continuous external attack surface monitoring, ensuring that internet-facing FortiOS, Exchange, and Citrix deployments are identified, inventoried, and tracked against known Play-relevant CVEs. VSD-R04 addresses RDP exposure, mapping which systems expose RDP to the internet or to poorly segmented internal networks. VSD-R05 and VSD-R06 address remediation prioritization and verification, ensuring that patching efforts translate into confirmed closure of the attack surface rather than paper compliance.
What CDA Does Differently
CDA does not treat threat intelligence and vulnerability management as separate functions that exchange reports. The PDI methodology integrates TID threat actor profiles directly into VSD prioritization decisions. When Play's group profile indicates active exploitation of a specific CVE, that CVE receives immediate escalation in VSD-R01 scanning queues regardless of its CVSS base score. This threat-actor-informed prioritization is operationally distinct from score-based patching programs that address high-CVSS findings without regard for whether active threat actors are exploiting them.
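The contrast between score-based and threat-actor-informed prioritization can be made concrete. The following is an added example and not CDA's own tooling: it builds two patch queues from the same constructed findings, one ordered purely by CVSS and one that promotes any CVE listed in the actor profile regardless of score. The CVE identifiers, host names and profile contents are placeholders, not real values.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    product: str          # e.g. "FortiOS", "Exchange", "Citrix", "RDP"
    cve: str              # placeholder identifier, not a real CVE
    cvss: float
    internet_facing: bool

# Constructed TID actor profile (assumption, not from the advisory).
PLAY_PROFILE = {
    "actor": "Play",
    "exploited_cves": {"CVE-0000-0001", "CVE-0000-0002"},
    "targeted_products": {"FortiOS", "Exchange", "Citrix"},
    "targets_exposed_rdp": True,
}

def queue_by_cvss(findings):
    """Baseline: a score-based queue ordered by CVSS only."""
    return [f"{f.cve}@{f.host}" for f in sorted(findings, key=lambda f: -f.cvss)]

def queue_by_actor(findings, profile):
    """PDI-style queue: actor-exploited CVEs jump to tier 0 regardless of CVSS,
    then exposed products the actor targets, then other exposed hosts, then the rest.
    CVSS only breaks ties inside a tier."""
    def rank(f):
        if f.cve in profile["exploited_cves"]:
            tier = 0
        elif f.internet_facing and f.product in profile["targeted_products"]:
            tier = 1
        elif f.internet_facing and f.product == "RDP" and profile["targets_exposed_rdp"]:
            tier = 1
        elif f.internet_facing:
            tier = 2
        else:
            tier = 3
        return (tier, -f.cvss)
    return [f"{f.cve}@{f.host}" for f in sorted(findings, key=rank)]

# Constructed findings: the highest-CVSS item is internal-only and not in the profile.
SAMPLE_FINDINGS = [
    Finding("fw-edge-1", "FortiOS", "CVE-0000-0001", 7.5, True),
    Finding("mail-1", "Exchange", "CVE-0000-0003", 9.8, True),
    Finding("jump-2", "RDP", "CVE-0000-0004", 5.3, True),
    Finding("db-int-7", "Oracle", "CVE-0000-0005", 9.9, False),
]
```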
---
Written by CDA Editorial