Play Ransomware Group Targets Six Prominent Companies

Estimated read time 2 min read

The notorious Play Ransomware Group has shifted its sights from its primary Latin American targets to firms in the U.S. and Germany.

Recently, the group listed six businesses on their data leakage site on the Tor network, hinting at potential data breach incidents.

Companies Under Threat

The following companies have been listed:



The Rise of Play Ransomware Group

Tracing back to June 22, 2022, the Play Ransomware’s presence first emerged on a BleepingComputer forum. An individual claimed their files were encrypted with a unique “.play” extension. Shortly after, Trend Micro shed light on this ransomware variant, revealing a focus on the Latin American region, especially Brazil.

Despite appearing as a new entrant in the ransomware arena, their tactics, techniques, and procedures (TTPs) resonate with established ransomware families like Hive and Nokayawa. A notable similarity is their reliance on AdFind, a command-line tool adept at gleaning Active Directory information.

Modus Operandi

The group typically employs a multi-pronged attack strategy:

  1. They exploit a known valid account, vulnerable RDP servers, and specifically target the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812 for initial access.
  2. Following a successful breach, they employ “lolbins” binaries, mirroring the approach of other ransomware groups.
  3. They distribute malicious executables within the network using Group Policy Objects, subsequently running scheduled tasks, PsExec, or wmic.
  4. Their final move involves encrypting files, marking them with their signature “.play” extension.

Play Ransomware DLS site

The Play Ransomware operates their DLS site on the TOR network. It currently uses the following address:


Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author