Play

· ATT&CK GroupG1040

Techniques

Software

Tactics

Aliases

Description

Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Tactic Coverage

discovery (6)stealth (5)initial access (5)persistence (4)privilege escalation (3)exfiltration (2)execution (2)resource development (2)defense impairment (2)credential access (1)lateral movement (1)command and control (1)collection (1)impact (1)

Techniques Used (26)

T1003.001LSASS Memory

credential access

T1016System Network Configuration Discovery

discovery

T1018Remote System Discovery

discovery

T1021.002SMB/Windows Admin Shares

lateral movement

T1027.010Command Obfuscation

stealth

Registration Required

Create a free account to access full Threat Actor Techniques

Showing 5 of 26 results

✓ Personal dashboard✓ Track 1 vendor/product✓ 1 keyword alert✓ Weekly digest✓ 1 CSV export/month

Already have an account? Sign in →

Software Used (9)

S0552AdFindtool S0521BloodHoundtool S0154Cobalt Strikemalware S0363Empiretool S0002Mimikatztool S0359Nltesttool S1162Playcryptmalware S0029PsExec

References (3)

https://attack.mitre.org/groups/G1040 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play