Play ransomware is now available as Ransomware-as-a-Service

Cybersecurity researchers found evidence that operators behind the Play ransomware are now offering the malware under the Ransomware-as-a-Service business model.

First spotted in 2022, the Play ransomware group (also tracked as PlayCrypt and Balloonfly) has attacked companies and government organizations worldwide, with Latin America as its main target. The gang’s arsenal includes a number of tools and exploits, among them the ProxyNotShell vulnerabilities, the OWASSRF exploit method, and a Microsoft Exchange Server remote code execution flaw.

More recently, the group has been observed using new custom tools such as Grixba, a network scanner and information stealer, along with AlphaVSS, an open-source library for managing Volume Shadow Copy Service (VSS) snapshots. Play was also one of the first ransomware groups to employ intermittent encryption, a technique that encrypts only parts of each file so that victims’ systems can be rendered unusable faster.
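The following is an added example, not code from the article or from the Play operators: a toy illustration of why intermittent encryption is faster, paired with the per-block entropy check an incident responder can run over suspect files to tell a partially encrypted file from a fully encrypted or untouched one. The SHA-256 counter keystream stands in for a real cipher, and the block size, the entropy threshold and the sample text are assumptions made for illustration.

```python
"""Added example, not code from the article or from the Play operators:
a toy illustration of intermittent encryption and a per-block entropy
check an incident responder can run over suspect files. The keystream
(SHA-256 counter mode) is a stand-in for a real cipher, and the block
size and entropy threshold are assumptions for illustration."""
import hashlib
import math

BLOCK = 4096          # assumed analysis/encryption block size
HIGH_ENTROPY = 7.5    # assumed threshold (bits per byte) for "looks encrypted"

# Constructed sample plaintext: 16 full blocks of low-entropy text.
SAMPLE = (b"Quarterly report: revenue up 12%, churn flat, hiring paused. " * 2000)[:16 * BLOCK]


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes from a SHA-256 counter (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_intermittent(data: bytes, key: bytes, every: int) -> bytes:
    """XOR-encrypt every `every`-th block only; every=1 is full-file encryption.

    This is the speed trick: with every=4 the encryptor touches a quarter of the
    bytes, which is still enough to make most file formats unusable."""
    out = bytearray(data)
    for start in range(0, len(data), BLOCK):
        if (start // BLOCK) % every == 0:
            chunk = data[start:start + BLOCK]
            ks = keystream(key + start.to_bytes(8, "big"), len(chunk))
            out[start:start + BLOCK] = bytes(p ^ k for p, k in zip(chunk, ks))
    return bytes(out)


def entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0 to 8)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_blocks(data: bytes) -> tuple[int, int]:
    """Return (blocks at or above HIGH_ENTROPY, total blocks)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return sum(entropy(b) >= HIGH_ENTROPY for b in blocks), len(blocks)


def classify(data: bytes) -> str:
    """'plaintext' if no block looks encrypted, 'encrypted' if all do,
    otherwise 'intermittent' (the mixed profile that a single whole-file
    entropy score would average away)."""
    hi, total = high_entropy_blocks(data)
    if hi == 0:
        return "plaintext"
    if hi == total:
        return "encrypted"
    return "intermittent"


if __name__ == "__main__":
    for every in (1, 2, 4):
        sample = encrypt_intermittent(SAMPLE, b"demo-key", every)
        print(every, classify(sample), high_entropy_blocks(sample))
```

The practical point is the per-block view: a whole-file entropy score of a file encrypted one block in four still looks mostly like the original, which is exactly why intermittent encryption also evades naive entropy-based ransomware detectors. Baseline the check against file type, since compressed or already-encrypted formats (archives, images, PDF streams) show high-entropy blocks natively.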

Play shares some tactics and tools with the Hive and Nokoyawa ransomware families, suggesting an affiliation between them.

“Making it available to affiliates that might include sophisticated hackers, less-sophisticated ‘script kiddies’ and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware,” Adlumin researchers wrote in a report.

The research team said it has identified several PlayCrypt attacks against small and mid-sized businesses over recent months that shared nearly identical tactics, techniques and procedures (TTPs).

“The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it,” the researchers noted.

All observed incidents involved the same TTPs and followed the same order of steps, including the use of the Public Music folder (C:\...\public\music) to hide the malicious file, the same password for the high-privilege accounts the attackers created, and the same commands.
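Because the playbook repeats the same artifacts across victims, those artifacts make cheap hunting rules. The following is an added example, not the article's or Adlumin's code: a small hunt over constructed Windows Security and Sysmon events for two of the artifacts described above, a payload launched from the Public Music folder and a freshly created account that is made a local administrator within minutes. Field names are simplified from the Windows event schema, the event records are made up, and the expanded folder path (C:\Users\Public\Music) and the 30-minute correlation window are assumptions.

```python
"""Added example, not the article's or Adlumin's code: a small hunt over
constructed Windows Security and Sysmon events for two playbook artifacts,
a payload staged under the Public Music folder and a newly created account
that is immediately made a local administrator. Field names are simplified
from the Windows event schema; the expanded folder path and the 30-minute
window are assumptions."""
import datetime as dt

STAGING_DIR = r"c:\users\public\music"  # assumed expansion of the article's C:\...\public\music
ADMINS_SID = "S-1-5-32-544"            # well-known SID of BUILTIN\Administrators
WINDOW = dt.timedelta(minutes=30)      # assumed: creation-to-admin gap that counts as suspicious

# Constructed sample events. id 4720 = user account created, 4732 = member added
# to a security-enabled local group, 1 = Sysmon process creation.
EVENTS = [
    {"time": "2023-11-20T02:10:05", "id": 4720, "target": "svc_backup", "subject": "CORP\\jdoe"},
    {"time": "2023-11-20T02:10:09", "id": 4732, "group_sid": ADMINS_SID, "member": "svc_backup", "subject": "CORP\\jdoe"},
    {"time": "2023-11-20T02:12:40", "id": 1, "image": r"C:\Users\Public\Music\svchost.exe", "user": "svc_backup"},
    {"time": "2023-11-20T02:13:00", "id": 1, "image": r"C:\Windows\System32\cmd.exe", "user": "svc_backup"},
    {"time": "2023-11-19T09:00:00", "id": 4720, "target": "intern01", "subject": "CORP\\hr_admin"},
    {"time": "2023-11-20T08:00:00", "id": 4732, "group_sid": ADMINS_SID, "member": "intern01", "subject": "CORP\\itops"},
    {"time": "2023-11-20T08:05:00", "id": 4732, "group_sid": "S-1-5-32-545", "member": "svc_backup", "subject": "CORP\\itops"},
]


def _ts(event: dict) -> dt.datetime:
    return dt.datetime.fromisoformat(event["time"])


def find_staged_executables(events: list[dict]) -> list[str]:
    """Process launches whose image lives under the staging folder (case-insensitive)."""
    return [e["image"] for e in events
            if e["id"] == 1 and e["image"].lower().startswith(STAGING_DIR)]


def find_new_admins(events: list[dict], window: dt.timedelta = WINDOW) -> list[dict]:
    """Accounts created (4720) and added to Administrators (4732) within `window`.

    intern01 in the sample is created and elevated 23 hours apart, so it is
    ignored; the Users-group addition (S-1-5-32-545) is ignored as well."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4732 or e["group_sid"] != ADMINS_SID:
            continue
        t0 = created.get(e["member"])
        if t0 is not None and dt.timedelta(0) <= _ts(e) - t0 <= window:
            hits.append({"account": e["member"], "created": t0.isoformat(),
                         "elevated": e["time"], "by": e["subject"]})
    return hits


def hunt(events: list[dict]) -> dict:
    """Combine both checks; an account that appears in both is the strongest signal."""
    admins = find_new_admins(events)
    staged = find_staged_executables(events)
    runners = {e["user"] for e in events if e["id"] == 1 and e["image"] in staged}
    return {
        "new_admins": admins,
        "staged_executables": staged,
        "new_admin_ran_staged_payload": sorted(a["account"] for a in admins if a["account"] in runners),
    }


if __name__ == "__main__":
    print(hunt(EVENTS))
```

The same logic translates directly into a SIEM correlation rule: a 4720 followed by a 4732 into S-1-5-32-544 for the same account within a short window, plus any process image under the Public Music path. The shared account password is not visible in event logs; it only surfaces when responders compare credential material recovered from different incidents.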
