Play

Medium Confidence • High Threat

PlayCrypt • Balloonfly

Play ransomware, also known as PlayCrypt, is a ransomware operation that emerged in mid-2022. The group targets organizations across various sectors including government, healthcare, and manufacturing. Play ransomware is known for exploiting vulnerabilities in Microsoft Exchange servers and FortiOS for initial access. The group employs intermittent encryption techniques to speed up the encryption process and evade detection.

Origin: Russia
Sponsor: Cybercriminal (No State Sponsor)
Active: 2022 - Present
Victims: 300+ organizations
Advanced • Active • Financial Gain

Risk Assessment

Composite Risk Score: 73 (High Risk)
ARCS Compliance: 75
Escalation Risk: 72
Grievance Index: 65
Infrastructure Impact: 78


Targeting

Target Sectors

Government, Manufacturing, Technology, Healthcare

Target Regions

Latin America, United States, Europe

Attribution & Affiliations

Attributed to a cybercriminal group (no state sponsor) of Russian origin. Attribution confidence: Medium.

Intelligence Assessment

Threat Level: High
Targeting: Moderately
Adaptability: Moderately
Persistence: High
Op Tempo: Continuous
Status: Active

Future Outlook

Play is expected to continue operations targeting the government sector.

Timeline of Key Events

2022 (Major): First observed activity of Play
2024 (Moderate): Continued active operations