Play Ransomware (also known as PlayCrypt, tracked by Symantec as Balloonfly) is a Ransomware-as-a-Service operation active since June 2022. The group is known for its intermittent encryption technique that accelerates encryption speed while evading detection, and has compromised 300+ organizations including the City of Oakland. Play affiliates frequently exploit Fortinet and Citrix vulnerabilities for initial access.
Overview & Attribution
Play Ransomware appeared in June 2022 and quickly gained prominence for its use of intermittent encryption, a technique that encrypts only portions of each file to speed up the encryption process while still leaving the files unusable without the key. The group maintains a data leak site and follows a double extortion model. Play has been linked to former Hive and Nokoyawa ransomware operators based on TTP overlaps and shared infrastructure. The FBI and CISA issued a joint advisory on Play in December 2023.
Play Ransomware has been active since June 2022, attributed to suspected Eastern European cybercriminals with links to former Hive operators. With 300+ victims across government, healthcare, and technology sectors, Play's intermittent encryption technique represents an evolution in ransomware evasion capabilities.
- Attribution: Cybercriminal (suspected Eastern European)
- Active since: 2022
- Primary targets: government, healthcare, manufacturing, technology, telecommunications
- Also known as: PlayCrypt, Balloonfly, Play
Arsenal & Tools
Play Ransomware employs a diverse arsenal of custom and shared tooling:
- Play encryptor: Custom ransomware binary employing intermittent encryption for speed and detection evasion, appending .play extension
- Grixba: Custom network scanning and information stealing tool used during reconnaissance phase
- SystemBC: Proxy bot and backdoor used for maintaining persistent access and tunneling C2 traffic
- Cobalt Strike: Post-exploitation framework for lateral movement and command-and-control operations
- AdFind / Bloodhound: Active Directory enumeration tools for mapping domain structure and identifying high-value targets
Targeting & Operations
Play affiliates target government, healthcare, manufacturing, technology, and telecommunications organizations, with a notable focus on North American and European entities. The group frequently exploits known vulnerabilities in internet-facing infrastructure including Fortinet FortiOS (CVE-2018-13379, CVE-2020-12812) and Citrix (CVE-2023-24955).
Play operations typically begin with exploitation of vulnerable Fortinet or Citrix appliances, followed by credential harvesting and Active Directory enumeration using custom (Grixba) and commodity tools. The group uses LOLBins extensively during lateral movement before deploying the encryptor via Group Policy. Ransom notes contain only an email address with no initial ransom demand.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Exploitation of Fortinet FortiOS and Citrix vulnerabilities |
| Impact | T1486 Data Encrypted for Impact | Intermittent encryption technique for speed and evasion |
| Execution | T1059 Command and Scripting Interpreter | PowerShell and batch scripts for deployment |
| Exfiltration | T1048 Exfiltration Over Alternative Protocol | WinSCP and custom tools for data theft |
| Discovery | T1087 Account Discovery | Grixba, AdFind, and Bloodhound for AD enumeration |
| Defense Evasion | T1562 Impair Defenses | Disabling Windows Defender and security tools |
Notable Campaigns
Play Ransomware has been linked to multiple significant campaigns:
- City of Oakland (Feb 2023): Ransomware attack forced Oakland to declare a state of emergency, disrupting city services for weeks and exposing sensitive employee data.
- Arnold Clark (Dec 2022): One of Play's early high-profile attacks targeted the UK's largest car dealership, disrupting operations across 200+ branches.
- Rackspace (Dec 2022): While attributed with medium confidence, the Rackspace Hosted Exchange incident shared significant TTPs with Play operations, affecting thousands of customers.
Detection & Defense
- Vulnerability management: Prioritize patching Fortinet FortiOS and Citrix appliances, particularly CVE-2018-13379 and CVE-2023-24955
- Endpoint detection: Deploy detection for intermittent encryption patterns, Grixba scanning activity, and GPO-based ransomware deployment
- Network monitoring: Monitor for SystemBC proxy traffic, Cobalt Strike beacons, and anomalous AD enumeration activity
- Access controls: Enforce least privilege and MFA across all remote access services and administrative interfaces
- Backup resilience: Maintain offline backups tested regularly for integrity, separate from domain-joined infrastructure
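The "Endpoint detection" item above calls for detecting intermittent encryption patterns, and the Overview describes the technique itself: only portions of each file are encrypted. The following script is an added example written for this profile, not code from the page or from Mjolnir Security, and it does not reproduce Play's actual algorithm. It applies the standard per-chunk Shannon entropy heuristic: an intermittently encrypted file shows near-random chunks interleaved with ordinary plaintext chunks, whereas a fully encrypted or compressed file is uniformly high-entropy and a plaintext file is uniformly low. The chunk size and the two entropy thresholds are assumptions chosen for illustration, the `.play` extension check comes from the profile, and the sample buffers at the bottom are constructed in the script so it runs offline.

```python
"""Heuristic detector for intermittent encryption (added example, not Play's code).

Per-chunk Shannon entropy: an intermittently encrypted file shows a mix of
near-random chunks and ordinary plaintext chunks, whereas a fully encrypted or
compressed file is uniformly high-entropy and a plaintext file is uniformly low.
Chunk size and thresholds below are assumptions for illustration."""
import math
import os
import random
from collections import Counter

CHUNK_SIZE = 4096         # assumed analysis window
MIN_CHUNK = 1024          # ignore short trailing chunks; tiny samples under-estimate entropy
HIGH_ENTROPY = 7.5        # bits/byte: near-random, consistent with ciphertext
LOW_ENTROPY = 6.0         # bits/byte: typical of text and structured documents
PLAY_EXTENSION = ".play"  # extension appended by the Play encryptor (from the profile)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size chunk, skipping a trailing chunk shorter than MIN_CHUNK."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return [shannon_entropy(c) for c in chunks if len(c) >= MIN_CHUNK]


def classify_content(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a buffer as plaintext, uniformly high-entropy, or intermittently encrypted."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "too_small"
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == len(ents):
        # Uniformly random-looking: ciphertext, but also archives, images and media.
        return "uniform_high_entropy"
    if high > 0 and low > 0:
        return "intermittent_encryption_suspected"
    return "plaintext_or_mixed"


def assess_file(path: str) -> dict:
    """Combine the content heuristic with the .play extension indicator for one file."""
    with open(path, "rb") as f:
        data = f.read()
    verdict = classify_content(data)
    has_ext = path.lower().endswith(PLAY_EXTENSION)
    return {"path": path, "verdict": verdict, "play_extension": has_ext,
            "suspicious": has_ext or verdict == "intermittent_encryption_suspected"}


def scan_directory(root: str) -> list[dict]:
    """Walk a directory tree and return the assessments flagged as suspicious."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                result = assess_file(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
            if result["suspicious"]:
                findings.append(result)
    return findings


# --- Constructed sample buffers (not real Play artifacts) ---------------------
_rng = random.Random(1337)  # deterministic stand-in for ciphertext bytes
_TEXT = b"Quarterly report: revenue up 4% on the prior period. " * 80  # ~4.2 KB of prose
_PLAIN_CHUNK = _TEXT[:CHUNK_SIZE]
_RANDOM_CHUNK = _rng.randbytes(CHUNK_SIZE)

SAMPLE_PLAINTEXT = _PLAIN_CHUNK * 8
SAMPLE_FULLY_ENCRYPTED = _rng.randbytes(CHUNK_SIZE * 8)
# Every other chunk replaced with random bytes: the intermittent pattern.
SAMPLE_INTERMITTENT = b"".join(
    _RANDOM_CHUNK if i % 2 == 0 else _PLAIN_CHUNK for i in range(8))

if __name__ == "__main__":
    for label, buf in [("plaintext", SAMPLE_PLAINTEXT),
                       ("fully encrypted", SAMPLE_FULLY_ENCRYPTED),
                       ("intermittent", SAMPLE_INTERMITTENT)]:
        print(f"{label:16s} -> {classify_content(buf)}")
```

Two caveats a practitioner should keep in mind when running `scan_directory` over a file share: the heuristic cannot tell ciphertext from legitimately compressed or media content, which is why a uniformly high-entropy file is reported but not flagged on its own, and a document that embeds images or compressed streams can legitimately mix entropy levels, so a single hit is a triage lead rather than a verdict. Correlating the content verdict with the `.play` extension and with file-system events (many files rewritten in a short window) reduces false positives.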
Defend Against Play Ransomware
Mjolnir Security provides specialized capabilities to detect and respond to Play Ransomware operations.
- Threat Hunting: Proactive hunting for Play Ransomware TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of Play Ransomware campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.