play

Play ransomware operates as an established double extortion RaaS platform that has maintained consistent operational tempo since emerging in June 2022, with 42 attacks this period targeting manufacturing and construction sectors through T1190 exploitation of public-facing applications. The group demonstrates sophisticated technical capabilities including T1003 credential dumping, T1555 password store harvesting, and multi-vector lateral movement via both T1021.001 RDP and T1021.002 SMB shares. Their geographic focus spans the US, Canada, Netherlands, India, and Great Britain, suggesting a well-distributed affiliate network with regional expertise. Play's targeting of industrial sectors reflects their understanding that manufacturing and construction companies often have legacy systems with limited backup capabilities, making them more likely to pay ransoms to restore operations quickly.