Operator dossier

Play (also tracked as PlayCrypt) is a ransomware operator currently active on public leak sites. Darkfield has indexed 1,304 public victims claimed by this operator between November 26, 2022 and June 11, 2026.

**Overview:** Play (also known as PlayCrypt) is a financially motivated ransomware group that emerged in late 2022, conducting targeted attacks against organizations across multiple sectors with a focus on financial extortion.

**Origin & Affiliation:** The group's country of origin remains unclear based on public reporting, though they appear to operate independently rather than as a traditional ransomware-as-a-service model.

**Attack Methodology:** Play ransomware operators typically gain initial access through compromised Remote Desktop Protocol (RDP) credentials and exploit valid accounts, then move laterally through networks using tools like Cobalt Strike before deploying their custom ransomware payload. The group employs double extortion tactics, stealing sensitive data before encryption and threatening to publish it on their leak site if ransom demands are not met.

**Notable Campaigns:** According to CISA advisories, Play has targeted over 300 entities globally since its emergence, with significant impacts on critical infrastructure sectors including healthcare, education, and government services, though specific ransom amounts and individual victim details vary in public reporting.

**Current Status:** Play remains an active threat as of 2024, continuing to target organizations primarily in North America and Europe according to ongoing security researcher observations and law enforcement warnings.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

Play

aka PlayCrypt · 1,304 victims indexed · first seen 4 years ago · last activity 4 days ago

Victims indexed: 1,304 (#9 of 355 tracked operators)
Active period: 3y 7m (Nov 2022 → Jun 2026)
Countries hit: 30 (top: United States · 905)

At a glance

Status: active
Aliases: PlayCrypt
First seen: 4 years ago
Last activity: 4 days ago
Onion sites: 8 known endpoints
Primary sector: Manufacturing · 241 hits

Timeline

Disclosures indexed per month (24 months, Jul 2024 → Jun 2026):

2024-07 · 21
2024-08 · 29
2024-09 · 43
2024-10 · 54
2024-11 · 21
2024-12 · 22
2025-01 · 11
2025-02 · 47
2025-03 · 29
2025-04 · 51
2025-05 · 44
2025-06 · 30
2025-07 · 25
2025-08 · 26
2025-09 · 53
2025-10 · 26
2025-11 · 27
2025-12 · 22
2026-01 · 35
2026-02 · 42
2026-03 · 46
2026-04 · 4
2026-05 · 40
2026-06 · 16

Top countries

🇺🇸 United States · 905
🇨🇦 Canada · 93
🇬🇧 United Kingdom · 41
🇩🇪 Germany · 34
🇺🇸 United States · 17
🇸🇪 Sweden · 15
🇳🇱 Netherlands · 14
🇨🇭 Switzerland · 10

Top sectors

Manufacturing · 241
Business Services · 195
Technology · 135
Construction · 86
Transportation/Logistics · 45
Agriculture and Food Production · 39
Energy · 33
Consumer Services · 28

MITRE ATT&CK

5 techniques · 5 tactics

Tactics

Initial Access · Execution · Credential Access · Lateral Movement · Impact

Techniques

  • T1133 External Remote Services
  • T1078 Valid Accounts
  • T1059 Command and Scripting Interpreter
  • T1003 OS Credential Dumping
  • T1486 Data Encrypted for Impact

Indicators of compromise

Known tools

SystemBC · Cobalt Strike · Mimikatz · PsExec · WinSCP

Detection · YARA rules

1 rule
  • Play_Ransomware

    Detects Play ransomware

    source: CISA AA23-352A

Onion infrastructure

8 known

Source

Updated 4 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.