Play Ransomware
Recovery Services
Alvaka’s Play Ransomware Recovery Services are designed to protect your company’s systems from Ransomware and help you recover when necessary.
Stop being a victim of Ransomware and take action today!
What is Play Ransomware?
Play ransomware, also known as PlayCrypt, first emerged in June 2022. Since then, this variant has compromised over 500 organizations, and although there is no confirmed total, many estimate the group has extorted millions in ransom payments. Data on Play is limited because it is a newer variant and operates more discreetly than other ransomware groups. The name “Play” comes from the .play extension that is appended to files once they are encrypted. The group specializes in multi-extortion: it encrypts a target organization’s data while also threatening to post that data on its public TOR-based sites.
Initially, Play wasn’t available as Ransomware-as-a-Service. However, within a year, the group shifted gears and started selling their “ransomware kits” to other cybercriminals, officially establishing Play as a RaaS operation.
Although exact ransom demands are not publicly documented, available reporting indicates that Play targets a range of critical infrastructure sectors to extort significant sums of money. The attackers primarily target healthcare, education, manufacturing, real estate, and finance. Researchers estimate that the average ransom demand is approximately $2.2 million.
How Does Play Ransomware Operate?
Evidence suggests a potential connection between Play ransomware and several ransomware families. It shares tactics and tools with Hive and Nokoyawa ransomware. There are also significant resemblances between Play and Quantum ransomware, most notably their infrastructure, which is derived from Conti.
Play actors employ the double extortion method and target MSPs globally. They usually exploit RDP vulnerabilities and use a tool called Mimikatz to carry out privilege escalation, a type of network attack that extracts high-privilege credentials in order to gain high-level access within an organization’s environment. They disable anti-malware programs and, once inside a system, move laterally while trying to avoid detection.
Play’s ransom notes do not include an initial ransom demand or payment instructions; instead, victims are told to contact the threat actors via email. Experts strongly advise victims NOT to pay the ransom, since paying does not guarantee that victims will get their information or data back.
How Can You Protect Your Company Against Play Ransomware?
It is recommended that organizations seek professional help to recover data and remove the ransomware from their network systems. Organizations can also report the attack to law enforcement.
- Establish strong credential management and multi-factor authentication
- Monitor network traffic and look for IOCs
- Use tools such as anti-malware software
- Patch and update all systems regularly, and conduct regular security audits to look for vulnerabilities
- Educate and train employees on cybersecurity practices
- Set up multiple system backups and implement a backup and disaster recovery (BDR) plan, following the 3-2-1 backup strategy
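One concrete way to apply the “look for IOCs” advice above is to watch for the .play extension this variant appends to encrypted files. The following is an added example, not Alvaka’s tooling: it flags hosts that rename many files to .play within a short window, using constructed file-event log lines in an assumed format.

```python
"""Flag bursts of files renamed to the ".play" extension (the marker Play
appends to encrypted files). Added example, not Alvaka's tooling. The log
format is an assumption: "<ISO timestamp> <host> RENAME <old> -> <new>"."""
from collections import defaultdict
from datetime import datetime, timedelta

PLAY_EXT = ".play"             # extension appended by Play to encrypted files
WINDOW = timedelta(minutes=1)  # sliding window for the burst heuristic
THRESHOLD = 5                  # .play renames per host per window that raise an alert

def parse_event(line):
    """Return (timestamp, host, new_path) for a RENAME line, else None."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[2] != "RENAME" or " -> " not in parts[3]:
        return None
    _old, new = parts[3].split(" -> ", 1)
    return datetime.fromisoformat(parts[0]), parts[1], new

def detect_play_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: time of the rename that tripped the threshold}."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev[2].lower().endswith(PLAY_EXT):
            per_host[ev[1]].append(ev[0])
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = t
                break
    return alerts

# Constructed sample: FS01 mass-renames files to .play; WS07 has one .play rename.
SAMPLE_LOG = [
    "2024-05-01T03:00:01 FS01 RENAME D:\\share\\q1.xlsx -> D:\\share\\q1.xlsx.play",
    "2024-05-01T03:00:04 FS01 RENAME D:\\share\\q2.xlsx -> D:\\share\\q2.xlsx.play",
    "2024-05-01T03:00:09 FS01 RENAME D:\\share\\hr.docx -> D:\\share\\hr.docx.play",
    "2024-05-01T03:00:15 FS01 RENAME D:\\share\\ap.pdf -> D:\\share\\ap.pdf.play",
    "2024-05-01T03:00:22 FS01 RENAME D:\\share\\ar.pdf -> D:\\share\\ar.pdf.play",
    "2024-05-01T03:01:00 FS01 RENAME D:\\share\\notes.txt -> D:\\share\\notes.bak",
    "2024-05-01T03:05:00 WS07 RENAME C:\\Users\\a\\todo.txt -> C:\\Users\\a\\todo.txt.play",
]

if __name__ == "__main__":
    for host, when in detect_play_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {THRESHOLD}+ .play renames by {when.isoformat()}")
```

The threshold and window are tuning knobs; a single .play rename (WS07 above) is not alerted on so that isolated false positives do not page anyone, while a burst on a file server is.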
Ransomware ID Tool: Check what variant is encrypting your files
CISA #StopRansomware: Play Ransomware
TrendMicro Ransomware Spotlight