
Play (aka PlayCrypt) — Ransomware Threat Analysis & Defender Playbook Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025



Executive summary

Play is a closed ransomware crew (double-extortion) active since 2022 and among the most active actors through 2024–2025. A June 4, 2025 joint CISA/FBI/ACSC update put the victim count at ~900 organizations (as of May 2025) and documented fresh TTPs, including exploitation of the SimpleHelp RMM vulnerability (CVE-2024-57727) by actors tied to Play. CISA


How Play breaks in (Initial access — ATT&CK TA0001)

  • Known-vuln exploitation of internet-facing apps, especially FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082). External RDP/VPN are also abused when exposed or weakly protected. CISA

  • 2025 pivot: initial-access brokers linked to Play mass-exploited SimpleHelp RMM (CVE-2024-57727) for RCE after the Jan 16, 2025 disclosure; CISA later issued a separate advisory on widespread ransomware abuse of this flaw. Patch or isolate versions ≤ 5.5.7. CISA+1


Tooling & tradecraft (Execution/Lateral, Discovery/Evasion)

  • Red-teamware & tunnels: Cobalt Strike, SystemBC, PsExec; distribution via GPO once domain-wide access is achieved. Mimikatz and credential searches follow initial foothold. WinPEAS often appears in post-exploitation discovery. CISA

  • Recon & AV tamper: AdFind for AD queries; Grixba (custom .NET infostealer) for network/software inventory and AV scanning; GMER/IOBit/PowerTool to disable security tools and clear logs. CISA

  • Pressure ops: victims get unique contact emails (@gmx.de / @web.de) and often phone calls to staff/help desks to coerce payment. CISA

  • Grixba/VSS copy lineage: independent research previously documented Play’s Grixba and a shadow-copy data-theft tool—useful context for spotting older tradecraft in your telemetry. BleepingComputer


Data theft & crypto (Exfiltration/Impact)

  • Exfil path: data split and archived with WinRAR (.rar), then shipped via WinSCP to actor-controlled infra (Tor-hosted leak site for shaming if unpaid). CISA

  • Encryption details: AES+RSA hybrid with intermittent encryption (every other 0x100000-byte chunk), adds .PLAY extension, and drops ReadMe.txt (commonly in C:\Users\Public\Music\). CISA

  • ESXi/Linux variant: powers off VMs, targets VM-related files (.vmdk, .vmem, etc.), writes PLAY_Readme.txt and even sets the ESXi welcome banner to the ransom note. CISA
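The intermittent-encryption detail above (every other 0x100000-byte chunk) is itself a hunting signal: a Play-encrypted file shows chunks that strictly alternate between ciphertext-level and document-level entropy, which neither a normal document nor a file encrypted end-to-end does. The following is an added example, not code from the advisory or from CISA; the entropy thresholds and the constructed sample files are assumptions, and the advisory does not say whether the first chunk is encrypted, so both phases are accepted.

```python
import math
import os
from collections import Counter
from typing import List

# Play alternates encrypted and untouched chunks of this size (per the CISA advisory).
PLAY_CHUNK = 0x100000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, typically 3-6 for ordinary documents."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(blob: bytes, chunk: int = PLAY_CHUNK) -> List[float]:
    """Entropy per chunk; a short trailing remainder is dropped because it may not follow the pattern."""
    ents = [shannon_entropy(blob[i:i + chunk]) for i in range(0, len(blob), chunk)]
    if len(blob) % chunk:
        ents = ents[:-1]
    return ents

def looks_intermittently_encrypted(blob: bytes, chunk: int = PLAY_CHUNK,
                                   high: float = 7.0, low: float = 6.0) -> bool:
    """True when chunks strictly alternate high/low entropy, whichever chunk is encrypted first.
    Thresholds are assumptions; tune them against your own file population."""
    ents = chunk_entropies(blob, chunk)
    if len(ents) < 3:  # need at least one full high-low-high (or low-high-low) cycle to judge
        return False
    def alternates(first_high: bool) -> bool:
        return all((e >= high) if ((i % 2 == 0) == first_high) else (e <= low)
                   for i, e in enumerate(ents))
    return alternates(True) or alternates(False)

def build_sample(kind: str, chunk: int = PLAY_CHUNK) -> bytes:
    """Constructed test data (not a real Play sample): 'play', 'plain' or 'random'."""
    line = b"Quarterly report: revenue up 4% on stronger services demand.\r\n"
    text = (line * (chunk // len(line) + 1))[:chunk]
    if kind == "play":    # encrypted chunk, untouched chunk, ... plus a short tail
        return os.urandom(chunk) + text + os.urandom(chunk) + text + os.urandom(chunk) + text[:chunk // 4]
    if kind == "plain":   # ordinary document: low entropy throughout
        return text * 4
    return os.urandom(chunk * 4)  # archive or file encrypted end-to-end: high entropy throughout

if __name__ == "__main__":
    for kind in ("play", "plain", "random"):
        print(kind, looks_intermittently_encrypted(build_sample(kind, 4096), 4096))
```

For a real triage pass, read candidate files in 0x100000-byte chunks and feed them to `chunk_entropies`; only the alternating pattern is the Play tell, since archives and media are uniformly high-entropy and will not match.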


Hunting cues you can deploy today (behavior > hashes)

  • Edge & RMM: spikes of HTTP(S) requests to SimpleHelp endpoints on vulnerable builds; sudden RDP/VPN logons from new geos/ASNs; Exchange servers showing ProxyNotShell/OWASSRF-style artifacts. CISA, Microsoft

  • Post-exploitation combo: AdFind → WinPEAS → Cobalt Strike/SystemBC beacons → PsExec bursts → WinRAR + WinSCP egress. CISA

  • Play artifacts (Windows): creation of ReadMe.txt, high-volume rename/write bursts, intermittent encryption patterns, and activity under C:\Users\Public\Music\. CISA

  • ESXi telemetry: vim-cmd enumeration and mass VM power-off followed by access to /vmfs/volumes/; welcome banner changed to ransom text. CISA
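The post-exploitation combo above is an ordered chain, and ordering is what separates it from the individual tools, each of which has legitimate uses. The script below is an added example, not part of the advisory or any vendor's rule set: it walks constructed telemetry (process-creation lines plus an EDR alert, all invented for the example) across the whole estate, since Play's chain typically spans hosts, and reports the stages that line up in sequence inside a time window. The stage patterns, the 12-hour window and the three-stage alert threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Stages of the AdFind -> WinPEAS -> beacon -> PsExec -> WinRAR -> WinSCP chain, in order.
# Patterns are matched case-insensitively against the event text (image path, command line
# or EDR alert name); they are illustrative assumptions, not vendor detection content.
STAGES: List[Tuple[str, re.Pattern]] = [
    ("recon",   re.compile(r"adfind\.exe|winpeas", re.I)),
    ("beacon",  re.compile(r"systembc|cobalt ?strike", re.I)),
    ("lateral", re.compile(r"psexec|psexesvc", re.I)),
    ("archive", re.compile(r"\\rar\.exe\b|winrar", re.I)),
    ("egress",  re.compile(r"winscp", re.I)),
]

# Constructed telemetry (not real logs): "<ISO time> <host> <text>". The last line is a
# benign WinRAR use hours later that should not contribute to the chain.
SAMPLE_EVENTS = """\
2025-06-01T01:40:02 WS-17 C:\\Windows\\Temp\\adfind.exe -f objectcategory=computer
2025-06-01T01:41:30 WS-17 C:\\Users\\Public\\winPEAS.exe quiet
2025-06-01T01:55:11 WS-17 EDR alert: SystemBC proxy beacon
2025-06-01T02:10:45 DC01 C:\\Windows\\PSEXESVC.exe
2025-06-01T02:11:02 FS02 C:\\Windows\\PSEXESVC.exe
2025-06-01T03:05:19 FS02 "C:\\Program Files\\WinRAR\\rar.exe" a -v500m D:\\stage\\fin.rar E:\\Finance
2025-06-01T03:40:07 FS02 C:\\Tools\\WinSCP.exe /script=C:\\Tools\\up.txt
2025-06-01T09:00:00 WS-03 C:\\Program Files\\WinRAR\\WinRAR.exe x report.rar
"""

def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse '<time> <host> <text>' lines into (time, host, text), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, host, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, detail))
    return sorted(events)

def play_chain(events, window: timedelta = timedelta(hours=12)) -> List[Tuple[str, datetime, str]]:
    """Greedy walk: for each stage, the earliest event at or after the previous matched stage.
    A missing stage is skipped; matching stops once the window from the first hit is exceeded."""
    matched: List[Tuple[str, datetime, str]] = []
    cursor = datetime.min
    for name, pat in STAGES:
        hit = next(((ts, h) for ts, h, d in events if ts >= cursor and pat.search(d)), None)
        if hit is None:
            continue
        if matched and hit[0] - matched[0][1] > window:
            break
        matched.append((name, hit[0], hit[1]))
        cursor = hit[0]
    return matched

def is_play_chain(matched, min_stages: int = 3) -> bool:
    """Alert when at least min_stages of the chain occur in order inside the window."""
    return len(matched) >= min_stages

if __name__ == "__main__":
    chain = play_chain(parse_events(SAMPLE_EVENTS))
    print("flag:", is_play_chain(chain), [(s, t.isoformat(), h) for s, t, h in chain])
```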


High-impact mitigations (that actually cut risk)

  1. Patch the edge first: FortiOS KEVs, Exchange ProxyNotShell, and SimpleHelp CVE-2024-57727; if you ever ran ≤5.5.7, assume compromise and rotate creds used there. CISA+1

  2. Phishing-resistant MFA (FIDO2/WebAuthn) on VPN/RDP/help-desk; disable clientless VPN modes unless mandated. CISA

  3. RMM/Tunnel control: inventory and default-deny unapproved RMM; alert on first-use PsExec, SystemBC detections, and Plink SSH tunnels. CISA

  4. Exfil choke points: block/inspect SFTP/WinSCP from servers; DLP/egress rules for RAR exfil; Tor egress blocking. CISA

  5. Resilience: immutable/offline backups, cross-domain replication, and tested restores; practice double-extortion comms table-tops. CISA


Rapid response playbook (print-friendly)

  1. Contain: isolate suspected hosts; disable suspicious VPN/RDP sessions; geofence edge; temporarily block WinSCP/Tor egress.

  2. Preserve: snapshot servers/VMs; pull AD, Exchange, VPN, SimpleHelp, and EDR logs; mirror any exfil endpoints.

  3. Hunt: look for AdFind/WinPEAS, SystemBC/Cobalt Strike, PsExec GPO pushes, ReadMe.txt + .PLAY, WinRAR→WinSCP sequences. CISA

  4. Eradicate: patch KEVs; remove persistence (new admins, scheduled tasks, services); rotate creds (domain, VPN, service).

  5. Recover & notify: staged restore, extra egress controls; coordinate legal/PR; report to FBI/CISA per sector requirements. CISA


What’s new in 2025 (why this matters)

  • The SimpleHelp exploitation wave materially lowered the bar for intrusions and supply-chain style access into downstream customers; it remains in the CISA KEV and demands priority patching/segmentation. CISA

  • Play’s scale (≈900 victims) and phone-pressure tactics increase legal/compliance exposure even when encryption is contained. CISA


Sources / further reading

  • CISA/FBI/ACSC #StopRansomware: Play (updated Jun 4, 2025) — TTPs, tools, IOCs, ESXi YARA, ~900 victims. CISA+1

  • CISA AA25-163A (Jun 12, 2025) — Ransomware exploiting SimpleHelp CVE-2024-57727 at scale. CISA

  • Microsoft / CrowdStrike — Exchange ProxyNotShell/OWASSRF exploitation background. Microsoft

  • Trend Micro & BleepingComputer — SystemBC/Grixba, custom data-gathering & VSS tools. Trend Micro, BleepingComputer


