G1040: Play
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]
Analyst context for executives and security teams
Play is documented by ATT&CK as a ransomware group active since at least 2022 that uses Playcrypt and a double-extortion model: data theft followed by encryption. The business significance is not just malware execution; the related ATT&CK context points to credential abuse, Active Directory discovery, lateral movement over SMB/admin mechanisms, exfiltration, and cleanup behaviors that can turn one compromised account or host into an enterprise-wide outage and data disclosure event.
Executive priority
Treat this as a resilience and identity-risk scenario, not only an endpoint malware scenario. Leaders should ask whether the organization can prove coverage for credential dumping, privileged/domain account misuse, AD reconnaissance, lateral movement, unusual egress, and ransomware recovery. Because ATT&CK cites impacts across business, government, critical infrastructure, healthcare, and media sectors in the Americas and Europe, the relevant executive decision is whether incident response, legal/compliance, backup restoration, and data-exposure processes are exercised before encryption and extortion force time-critical decisions.
Technical view
ATT&CK does not provide a dedicated detection section, platforms, or tactics for the Play group object. However, the relationship set is operationally useful: Play is associated with Playcrypt, Mimikatz, PsExec, Cobalt Strike, Empire, BloodHound, AdFind, Nltest, Wevtutil, LSASS memory access, valid accounts, domain/local account abuse, PowerShell, Windows command shell, SMB/admin shares, discovery, exfiltration over alternate protocols, data transfer size limits, and file deletion. SOC and IR teams should validate whether they can correlate these behaviors across identity, endpoint, directory, network, and backup/restore evidence rather than relying on a single ransomware signature.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd, PsExec-like execution, Nltest, AdFind, BloodHound, Wevtutil, and other administrative utilities
- Windows security and endpoint events indicating LSASS access, credential dumping attempts, suspicious handle access, or memory access patterns
- Active Directory and identity provider logs for domain account use, local/domain admin activity, unusual authentication, privilege use, and lateral logons
- SMB and Windows admin share access logs, remote service execution evidence, and host-to-host connection records
- Network flow, proxy, DNS, firewall, and egress logs capable of showing alternate-protocol exfiltration and unusual transfer sizing
Detection direction
- Build detections around behavior chains: credential access or valid-account abuse followed by AD discovery, remote system discovery, SMB/admin share movement, exfiltration, and encryption-like file activity.
- Tune dual-use tool alerts carefully. PsExec, Nltest, AdFind, BloodHound, Wevtutil, PowerShell, and cmd can be legitimate; prioritize rare users, rare hosts, unusual parent processes, off-hours use, and execution from non-administrative workstations or servers.
- Validate LSASS monitoring and credential-theft controls with safe internal tests, because credential capture can precede lateral movement and make later activity appear as legitimate account use.
- Correlate identity and endpoint telemetry. Valid account use may bypass malware-centric controls, so detections should include impossible or unusual logon paths, abnormal admin share use, and new host-to-host access patterns.
- Check egress monitoring for low-and-slow or chunked transfers, because the related exfiltration technique includes data transfer size limits that may avoid simple volume-threshold alerts.
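As an added illustration (not part of the ATT&CK object or the Glexia analysis above), the following Python correlator scores the behavior chain described in this section over constructed sample events: AD discovery tooling, admin-share access, archiving, and chunked egress from the same host inside one window, so that a lone dual-use tool run does not page anyone but the chain does. The stage names, event field layout, chunk cap and thresholds are assumptions to be tuned to local telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Chain stages in the order the page describes them; dual-use tool names are assumptions.
CHAIN = ["ad_discovery", "lateral_smb", "staging", "chunked_egress"]
TOOL_STAGE = {"adfind.exe": "ad_discovery", "nltest.exe": "ad_discovery",
              "sharphound.exe": "ad_discovery", "winrar.exe": "staging"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
CHUNK_CAP = 50 * 1024 * 1024  # a single transfer this small stays under a typical volume alert
MIN_CHUNKS = 5                # this many sub-cap transfers to one destination count as chunking

def ts(ev):
    return datetime.fromisoformat(ev["ts"])

def host_stages(events, window=timedelta(hours=6)):
    """Map each host to the chain stages seen within `window` of its first stage hit."""
    per_host = defaultdict(list)  # host -> [(time, stage)]
    egress = defaultdict(int)     # (host, dst) -> count of sub-cap transfers
    for ev in sorted(events, key=ts):
        kind, host, t = ev["type"], ev["host"], ts(ev)
        if kind == "process" and ev["image"].lower() in TOOL_STAGE:
            per_host[host].append((t, TOOL_STAGE[ev["image"].lower()]))
        elif kind == "smb" and ev["share"].upper() in ADMIN_SHARES:
            per_host[host].append((t, "lateral_smb"))
        elif kind == "egress" and ev["bytes"] < CHUNK_CAP:
            egress[(host, ev["dst"])] += 1
            if egress[(host, ev["dst"])] == MIN_CHUNKS:  # fires once, at the Nth chunk
                per_host[host].append((t, "chunked_egress"))
    result = {}
    for host, obs in per_host.items():
        t0 = obs[0][0]
        seen = {s for t, s in obs if t - t0 <= window}
        result[host] = [s for s in CHAIN if s in seen]
    return result

def flag_chains(events, min_stages=3):
    """Hosts showing at least `min_stages` distinct chain stages: escalate these, not each tool run."""
    return {h: s for h, s in host_stages(events).items() if len(s) >= min_stages}

# Constructed sample telemetry (not from any real incident): srv01 walks the whole chain,
# ws07 runs nltest once, which on its own should stay a low-priority dual-use event.
SAMPLE = [
    {"ts": "2024-03-01T01:02:00", "type": "process", "host": "srv01", "image": "AdFind.exe"},
    {"ts": "2024-03-01T01:10:00", "type": "smb", "host": "srv01", "share": "ADMIN$", "dst": "srv02"},
    {"ts": "2024-03-01T02:30:00", "type": "process", "host": "srv01", "image": "WinRAR.exe"},
    {"ts": "2024-03-01T09:00:00", "type": "process", "host": "ws07", "image": "nltest.exe"},
] + [{"ts": f"2024-03-01T03:{m:02d}:00", "type": "egress", "host": "srv01",
      "dst": "203.0.113.10", "bytes": 20_000_000} for m in range(0, 30, 5)]

if __name__ == "__main__":
    print(flag_chains(SAMPLE))  # {'srv01': ['ad_discovery', 'lateral_smb', 'staging', 'chunked_egress']}
```

The chunk counter is what makes T1030-style transfers visible: six 20 MB transfers never trip a per-transfer volume threshold, but the fifth one to the same destination promotes the host to the exfiltration stage.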
Mitigation priorities
- Prioritize identity hardening: reduce standing privilege, review domain and local administrator exposure, protect service accounts, and require strong controls for remote access and privileged activity.
- Harden Windows/AD administration paths associated with the relationship context: restrict SMB/admin share exposure, control remote execution tooling, and maintain an approved-admin-tool baseline.
- Reduce credential theft impact through credential protection, administrative tiering, limiting interactive logons for privileged accounts, and rapid credential reset procedures during incidents.
- Improve egress governance by monitoring and restricting unexpected outbound protocols and destinations, especially from servers and sensitive data stores.
- Prepare ransomware recovery evidence: offline or immutable backups, restoration testing, segmentation validation, and documented decisions for containment, data exposure, legal notification, and executive escalation.
Analyst notes and limits
This take is based on the ATT&CK group description, external references listed for the object, and supplied relationships. The most decision-relevant relationships are the combination of credential access, valid account abuse, AD discovery tools, remote execution/lateral movement, exfiltration behaviors, file deletion, and Playcrypt ransomware use. Defensive validation should focus on whether these behaviors can be observed and correlated in the local environment.
The supplied Play group object has no official detection text, no group-level platforms, and no group-level tactics. Relationship data provides useful context but does not prove every behavior occurs in every incident. Local telemetry, asset criticality, identity architecture, backup design, and incident evidence are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1030 | Data Transfer Size Limits | Play has split victims' files into chunks for exfiltration.[1][2] |
| Enterprise | T1016 | System Network Configuration Discovery | Play has used the information-stealing tool Grixba to enumerate network information.[1] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Play has used WinSCP to exfiltrate data to actor-controlled accounts.[1][2] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Play has used a batch script to remove indicators of its presence on compromised hosts.[2] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Play has used Base64-encoded PowerShell scripts to disable Microsoft Defender.[2] |
| Enterprise | T1560.001 | Archive via Utility (sub-technique) | Play has used WinRAR to compress files prior to exfiltration.[1][2] |
| Enterprise | T1018 | Remote System Discovery | Play has used tools such as AdFind, Nltest, and BloodHound to enumerate shares and hostnames on compromised networks.[2] |
| Enterprise | T1057 | Process Discovery | Play has used the information stealer Grixba to check for a list of security processes.[2] |
| Enterprise | T1027.010 | Command Obfuscation (sub-technique) | Play has used Base64-encoded PowerShell scripts for post-exploitation activities on compromised hosts.[2] |
| Enterprise | T1587.001 | Malware (sub-technique) | |
| Enterprise | T1078.003 | Local Accounts (sub-technique) | Play has used valid local accounts to gain initial access.[2] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Play has used Cobalt Strike to move laterally via SMB.[2] |
| Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique) | Play has used tools to remove log files on targeted systems.[1][2] |
| Enterprise | T1078 | Valid Accounts | Play has used valid VPN accounts to achieve initial access.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Play has used Cobalt Strike to download files to compromised machines.[2] |
| Enterprise | T1078.002 | Domain Accounts (sub-technique) | Play has used valid domain accounts for access.[2] |
| Enterprise | T1082 | System Information Discovery | Play has leveraged tools to enumerate system information.[2] |
| Enterprise | T1083 | File and Directory Discovery | Play has used the Grixba information stealer to list security files and processes.[2] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Play has used the information-stealing tool Grixba to scan for anti-virus software.[1] |
| Enterprise | T1133 | External Remote Services | Play has used Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.[1][2] |
| Enterprise | T1588.002 | Tool (sub-technique) | Play has used multiple tools for discovery and defense evasion purposes on compromised hosts.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Play has exploited known vulnerabilities for initial access, including CVE-2018-13379 and CVE-2020-12812 in FortiOS and CVE-2022-41082 and CVE-2022-41040 ("ProxyNotShell") in Microsoft Exchange.[1][2] |
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | |
| Enterprise | T1657 | Financial Theft | Play demands ransom payments from victims to decrypt filesystems and to not publish sensitive data exfiltrated from victim networks.[1] |
| Enterprise | T1685 | Disable or Modify Tools | Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.[1][2] |
Groups, software, and campaigns
S0359: Nltest
S0552: AdFind
S0029: PsExec
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0645: Wevtutil
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S1162: Playcrypt
Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[1][2][3]
S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0bd42175ffe5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA Play Ransomware Advisory December 2023: CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
[2] Trend Micro Ransomware Spotlight Play July 2023: Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
[3] mitre-attack G1040
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.