Ransomware.live: play

| Active

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to other ransomwares, involving attacks such as Phishing, Exposed Services to the Internet, and Valid Account compromises.

On April 19, 2023, the security company Symantec published two new tools developed by the Play group. These tools allow the malicious actor to enumerate and exfiltrate data from the internal network. The post mentions the following: 'Play threat actors use the .NET infostealer to enumerate software and services via WMI, WinRM, Remote Registry, and Remote Service. The malware checks for the existence of security and backup software, as well as remote administration tools and other programs, saving the information in .CSV files that are compressed into a .ZIP file for later manual exfiltration by threat actors.'Source: https://github.com/crocodyli/ThreatActors-TTPs

Victims

1249

First Discovered

2022-11-26

victim

Last Discovered

2026-05-12

victim

Inactive Since

days

Avg Delay

30.1

days

Infostealer

17.0%

victims with domain

Countries

hit

View Victims on World Map View Group Statistics

Attack Velocity — Last 12 months

+233% vs last month

Known Locations (3)

Title	Available	Last Visit	Server Info	FQDN
PLAY NEWS	No	2026-05-15T17:45:19		`mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion`
PLAY NEWS	No	2026-05-15T17:46:13		`k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion`
PLAY NEWS	No	2026-05-15T17:45:14	nginx	`j75o7xvvsm4lpsjhkjvb4wl2q6ajegvabe6oswthuaubbykk4xkzgpid.onion`

Target

Heatmap

Ransom Notes (3)

Tools Used

This information is provided by Ransomware-Tool-Matrix
Discovery	RMM Tools	Defense Evasion	Credential Theft	OffSec	Networking	LOLBAS	Exfiltration
AdFind WKTools placeholder placeholder placeholder	placeholder placeholder placeholder placeholder placeholder	EDRKill (echo_driver.sys + DBUtil 2.3) GMER IOBit PowerTool icardagt.exe (version.dll DLL sideload)	HandleKatz Mimikatz Nanodump placeholder placeholder	Cobalt Strike WinPEAS placeholder placeholder placeholder	FRP Plink placeholder placeholder placeholder	PsExec placeholder placeholder placeholder placeholder	WinSCP placeholder placeholder placeholder placeholder

TTPs Matrix (10)

This information is provided by Crocodyli & Ransomware.live
Initial Access	Execution	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Impact
Valid Accounts	Scheduled Task/Job: Scheduled Task	Obfuscated Files or Information	OS Credential Dumping: LSASS Memory	Network Service Discovery	Remote Services: Remote Desktop Protocol	Archive Collected Data: Archive via Utility	Exfiltration Over Alternative Protocol	Remote Access Software	Data Encrypted for Impact
Exploit Public-Facing Application	Command and Scripting Interpreter: PowerShell	Indicator Removal: Clear Windows Event Logs	OS Credential Dumping: NTDS	Account Discovery: Domain Account	Remote Services: SMB/Windows Admin Shares				Service Stop
		Disable or Modify Tools							Inhibit System Recovery

YARA Rules (1)

Indicators of Compromise (IoCs) (3)

Email 3

Type	IOC
`Email`	`derdiarikucisv@gmx.de`
`Email`	`raniyumiamrm@gmx.de`
`Email`	`teilightomemaucd@gmx.com`