About

The Play Ransomware Group, also known as PlayCrypt, emerged in mid-2022 as a significant cyber threat. Initially targeting government entities in Latin America, the group quickly expanded its operations to include major cities and critical infrastructure across North America, South America, and Europe.

By mid-2023, Play had executed over 300 attacks, disrupting essential services and causing extensive data breaches in cities such as Oakland and Dallas County, and even impacting Swiss government IT providers.

Play employs a double-extortion tactic: it encrypts the victim’s data and threatens to release it publicly on its Tor-based leak site if the ransom is not paid. The group is known for its stealth, often gaining access through stolen credentials or by exploiting vulnerabilities in widely used software such as FortiOS and Microsoft applications.

The group’s operational signature includes adding a “.play” extension to encrypted files and using sophisticated methods to evade antivirus detection and disable recovery processes. This group’s rise to notoriety was marked by their ability to infiltrate a variety of sectors swiftly and efficiently, causing significant operational disruptions and leveraging the stolen data to exert pressure on their victims. As of late 2023, Play continues to pose a substantial threat, underscoring the ongoing challenges in cybersecurity defense and response efforts globally.

Established

2019

Top Targeted Industries

Top Targeted Countries

Latest News About Play Ransomware Group
