
S1162: Playcrypt

Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[1][2][3]

Enterprise | S1162 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Playcrypt is a Windows ransomware entry associated in ATT&CK with Play and linked to file discovery, encryption for impact, and inhibiting recovery. For leaders, the practical issue is not only malware execution; it is whether the organization can detect pre-encryption discovery, protect recoverability, and make fast incident decisions when business systems, regulated data, or critical services are at risk.

Executive priority

Prioritize Playcrypt as an operational resilience and ransomware-readiness scenario. ATT&CK notes use against business, government, critical infrastructure, healthcare, and media sectors across multiple regions, so executives should ask whether backup recovery, incident communications, legal/regulatory evidence, and SOC escalation criteria are tested for a double-extortion-style event involving data theft followed by encryption.

Technical view

Validate coverage around the ATT&CK relationships: File and Directory Discovery (T1083), Data Encrypted for Impact (T1486), and Inhibit System Recovery (T1490) on Windows environments where Playcrypt is listed. Because MITRE provides no detection text for this malware object, SOC and IR teams should build validation from host, file-system, backup/recovery, and ransomware impact telemetry rather than assuming a named signature is sufficient.

Likely telemetry

  • Windows endpoint security alerts and process execution records
  • File-system activity showing broad enumeration or high-volume file modification/encryption patterns
  • Evidence of files renamed with the .play extension where locally observed
  • Backup, volume shadow copy, recovery service, and restore-point activity logs
  • Network share access and file access audit events for large-scale discovery or modification

Detection direction

  • Confirm whether endpoint and file activity logging can show discovery behavior before encryption, not only the final ransomware impact.
  • Tune for ransomware-impact patterns such as rapid file changes, mass renaming, and recovery inhibition while accounting for noisy administrative backup, migration, or file-management activity. The relationship text describes intermittent encryption (every other 0x100000-byte portion of a file), so affected files keep plaintext regions; whole-file entropy or magic-byte checks can miss them, and chunk-level checks are more reliable.
  • Validate alert paths for attempts to disable or remove recovery mechanisms, because ATT&CK links this software to Inhibit System Recovery. The relationship text names AlphaVSS, a .NET wrapper around the Windows VSS API, so shadow copies can be deleted without a vssadmin.exe or wmic shadowcopy command line; detections keyed only on those command lines may not fire, and coverage should also be confirmed from shadow-copy state changes.
  • Use the Play group relationship as threat-intelligence context for prioritization, but do not treat group association alone as proof of local activity.
  • Document detection gaps explicitly because the ATT&CK object does not include official detection guidance.
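The detection points above, worked through as an added example (this is editor-supplied code, not part of the ATT&CK object or the Glexia analysis). It runs a small detector over constructed endpoint telemetry and flags two behaviours the page ties to T1486 and T1490: a burst of renames to the .play extension from a single process, and a drop in a host's shadow-copy count, recording whether a VSS command-line tool ran shortly before. The event schema, the periodic shadow-copy inventory job, the thresholds and the sample events are all assumptions chosen for illustration.

```python
# Added example (not part of the ATT&CK object or the Glexia analysis): a small
# detector run over constructed endpoint telemetry. It flags two behaviours the
# page ties to T1486 and T1490: a burst of renames to the .play extension from a
# single process, and a drop in a host's shadow-copy count, noting whether a VSS
# command-line tool ran shortly before (AlphaVSS calls the VSS API directly, so
# it would not). The event schema, the periodic shadow-copy inventory, the
# thresholds and the sample events are all assumptions made for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 5                   # assumed: .play renames per process inside WINDOW
WINDOW = timedelta(seconds=10)
CLI_LOOKBACK = timedelta(seconds=60)   # assumed: window in which a VSS CLI tool explains a drop
VSS_CLI_IMAGES = {"vssadmin.exe", "wmic.exe", "wbadmin.exe"}

# Constructed sample telemetry, not real logs. Event types:
#   process_create  detail = command line
#   rename          detail = new path
#   shadow_copies   detail = shadow-copy count from a periodic inventory job
SAMPLE_EVENTS = [
    # WS07: an administrator removes shadow copies with vssadmin (command-line case)
    {"time": "2024-01-01T02:00:00", "host": "WS07", "pid": 0,    "image": "inventory",    "type": "shadow_copies",  "detail": "3"},
    {"time": "2024-01-01T02:00:02", "host": "WS07", "pid": 700,  "image": "vssadmin.exe", "type": "process_create", "detail": "vssadmin delete shadows /all /quiet"},
    {"time": "2024-01-01T02:00:10", "host": "WS07", "pid": 0,    "image": "inventory",    "type": "shadow_copies",  "detail": "0"},
    # FS01: an unknown binary mass-renames share content to .play; shadow copies then vanish with no CLI tool
    {"time": "2024-01-01T03:00:00", "host": "FS01", "pid": 0,    "image": "inventory",    "type": "shadow_copies",  "detail": "4"},
    {"time": "2024-01-01T03:00:05", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "process_create", "detail": "C:\\Users\\Public\\update.exe"},
    {"time": "2024-01-01T03:00:06", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "rename", "detail": "D:\\share\\finance\\q1.xlsx.play"},
    {"time": "2024-01-01T03:00:07", "host": "FS01", "pid": 880,  "image": "explorer.exe", "type": "rename", "detail": "C:\\Users\\bob\\notes_old.txt"},
    {"time": "2024-01-01T03:00:07", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "rename", "detail": "D:\\share\\finance\\q2.xlsx.play"},
    {"time": "2024-01-01T03:00:08", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "rename", "detail": "D:\\share\\finance\\q3.xlsx.play"},
    {"time": "2024-01-01T03:00:09", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "rename", "detail": "D:\\share\\board\\deck.pptx.play"},
    {"time": "2024-01-01T03:00:10", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "rename", "detail": "D:\\share\\legal\\contracts.pdf.play"},
    {"time": "2024-01-01T03:00:11", "host": "FS01", "pid": 5312, "image": "update.exe",   "type": "rename", "detail": "D:\\share\\hr\\payroll.docx.play"},
    {"time": "2024-01-01T03:05:00", "host": "FS01", "pid": 0,    "image": "inventory",    "type": "shadow_copies",  "detail": "0"},
]

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def detect(events: list) -> list:
    """Return alerts, in time order, for mass .play renames and shadow-copy drops."""
    alerts = []
    play_renames = defaultdict(deque)   # (host, pid) -> recent .play rename timestamps
    alerted = set()                     # (host, pid) pairs already reported
    last_count = {}                     # host -> last shadow-copy inventory count
    cli_starts = defaultdict(list)      # host -> start times of VSS CLI tools
    for e in sorted(events, key=lambda e: e["time"]):
        t, host = _ts(e["time"]), e["host"]
        if e["type"] == "process_create" and e["image"].lower() in VSS_CLI_IMAGES:
            cli_starts[host].append(t)
        elif e["type"] == "rename" and e["detail"].lower().endswith(".play"):
            key = (host, e["pid"])
            q = play_renames[key]
            q.append(t)
            while t - q[0] > WINDOW:        # keep only renames inside the sliding window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": "mass_rename_to_play", "host": host, "pid": e["pid"],
                               "image": e["image"], "count": len(q), "time": e["time"]})
        elif e["type"] == "shadow_copies":
            count = int(e["detail"])
            prev = last_count.get(host)
            if prev is not None and count < prev:
                # A drop with no VSS CLI tool in the look-back is consistent with API-level deletion.
                cli_seen = any(timedelta(0) <= (t - c) <= CLI_LOOKBACK for c in cli_starts[host])
                alerts.append({"rule": "shadow_copies_dropped", "host": host, "before": prev,
                               "after": count, "cli_tool_seen": cli_seen, "time": e["time"]})
            last_count[host] = count
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The shadow-copy rule deliberately keys on state (the inventory count falling) rather than on a command line, because the page's relationship text says Playcrypt deletes shadow copies through AlphaVSS; the `cli_tool_seen` flag separates an administrator's vssadmin run from a silent API-level deletion. The rename threshold and window should be tuned against local migration and backup noise before use.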

Mitigation priorities

  • Prioritize tested, isolated, and recoverable backups, including evidence that restoration works under ransomware conditions.
  • Harden and monitor recovery mechanisms so unauthorized changes to backup or restore capabilities are investigated quickly.
  • Reduce blast radius through least privilege, segmentation, and controlled access to shared file stores where feasible.
  • Maintain ransomware IR playbooks covering encryption, possible data theft, executive decision points, and regulatory/compliance evidence collection.
  • Use vulnerability and exposure management to reduce initial access opportunities, while recognizing that this ATT&CK object does not specify the initial access method.

Analyst notes and limits

The most decision-useful relationships are to impact and discovery techniques, plus the Play group context. The .play file extension is a useful investigation clue when present, but absence of that artifact should not be treated as absence of risk. For managed detection or consulting work, this object is best used as a ransomware readiness test case across endpoint telemetry, backup resilience, IR governance, and audit evidence.

MITRE provides no official detection text, no aliases, and no tactics directly on the malware object. The supplied platform for Playcrypt is Windows, while related techniques include broader platform lists that should not be interpreted as Playcrypt platform support without local evidence. Claims about active exploitation, customer exposure, or guaranteed detection require environment-specific telemetry and intelligence beyond the supplied ATT&CK fields.

Official MITRE ATT&CK definition

Playcrypt

Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1486 | Data Encrypted for Impact

Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.[2][3]

Enterprise | T1490 | Inhibit System Recovery

Playcrypt can use AlphaVSS to delete shadow copies.[3]

Enterprise | T1083 | File and Directory Discovery

Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.[3]
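The T1486 and T1083 rows above describe two properties a responder can act on: encryption of every other 0x100000-byte portion of a file, and a list of extensions the ransomware skips. As an added example (editor-supplied code, not from the page, CISA, Trend Micro or the Play operators), the following triage helper measures Shannon entropy per 0x100000-byte chunk to report which chunks look encrypted and how many plaintext bytes survive, and checks a file name against the page's skip list. The relationship text does not say which parity of chunk is encrypted first, so the code assumes nothing about that; the entropy cut-off, the case-insensitive extension match and the constructed sample file are assumptions.

```python
# Added example (not from the page, CISA or Trend Micro): a triage helper for
# files Playcrypt has touched. The relationship text says the ransomware encrypts
# every other 0x100000-byte portion of a file but not which parity comes first, so
# this code measures Shannon entropy per chunk instead of assuming a layout, and
# reports which chunks look encrypted and how many plaintext bytes remain. The
# entropy cut-off and case-insensitive extension handling are assumptions.
import math
import os
from collections import Counter

CHUNK = 0x100000                      # 1 MiB, the portion size from the relationship text
ENCRYPTED_ENTROPY = 7.5               # assumed cut-off in bits/byte; ciphertext is ~8.0
# Extensions the relationship text says Playcrypt skips (.PLAY prevents re-encryption).
SKIPPED_EXTENSIONS = {".play", ".exe", ".msi", ".dll", ".lnk", ".sys"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, ~8.0 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def skipped_by_extension(name: str) -> bool:
    """True if the page's exclusion list says Playcrypt would leave this file alone."""
    return os.path.splitext(name)[1].lower() in SKIPPED_EXTENSIONS

def chunk_map(data: bytes) -> list:
    """Classify each 0x100000-byte chunk as encrypted or intact by its entropy."""
    out = []
    for off in range(0, len(data), CHUNK):
        h = shannon_entropy(data[off:off + CHUNK])
        out.append({"offset": off, "length": min(CHUNK, len(data) - off),
                    "entropy": round(h, 2), "encrypted": h >= ENCRYPTED_ENTROPY})
    return out

def recoverable_bytes(data: bytes) -> int:
    """Plaintext bytes left in a partially encrypted file, according to the chunk map."""
    return sum(c["length"] for c in chunk_map(data) if not c["encrypted"])

# Constructed sample: a 2.5 MiB "document" whose middle 1 MiB chunk has been
# replaced by random bytes, standing in for an encrypted portion.
_text = (b"Quarterly revenue report, draft 3. Figures are provisional.\n" * 20000)[:CHUNK]
SAMPLE_FILE = _text + os.urandom(CHUNK) + _text[:CHUNK // 2]

if __name__ == "__main__":
    for c in chunk_map(SAMPLE_FILE):
        state = "ENCRYPTED" if c["encrypted"] else "intact"
        print(f"offset {c['offset']:#09x} len {c['length']:7d} entropy {c['entropy']:.2f} {state}")
    print("recoverable bytes:", recoverable_bytes(SAMPLE_FILE))
    print("report.docx.play skipped by Playcrypt?", skipped_by_extension("report.docx.play"))
```

Run against real .play files by reading them in binary mode and passing the bytes to `chunk_map`; the chunk boundaries follow the 0x100000-byte portion size in the relationship text, so a result of alternating intact and encrypted chunks corroborates the intermittent-encryption claim, while an all-encrypted result suggests a different variant or a file smaller than one portion and should be investigated rather than assumed.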

Associated objects

Groups, software, and campaigns

Group Enterprise

G1040: Play

Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.[1][2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b1d505f987606d70...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b1d505f98760…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft Security Intelligence. (2022, August 27). Ransom:Win32/PlayCrypt.PA. Retrieved September 24, 2024. (Citation key: Microsoft PlayCrypt August 2022)
  2. [2] CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. (Citation key: CISA Play Ransomware Advisory December 2023)
  3. [3] Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. (Citation key: Trend Micro Ransomware Spotlight Play July 2023)
  4. [4] Play (G1040) group entry; its description cites [2] and [3].
  5. [5] MITRE ATT&CK source object for S1162 (mitre-attack S1162).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.