Skip links

Play Ransomware in 2023: Strategic marketing for an emerging digital threat

Play Ransomware in 2023: Strategic marketing for an emerging digital threat

December 22, 2023.

In an ever-evolving digital landscape, cybersecurity emerges as an unavoidable priority. 

Within this realm of perpetual challenges, the ransomware entity known as Play has undergone a substantial evolution, embracing double extortion tactics and commercializing its operations.

Also recognized as Balloonfly and PlayCrypt, this ransomware made its initial debut in June 2022, exploiting targeted vulnerabilities within Microsoft Exchange Server, such as (CVE-2022-41040 and CVE-2022-41082). These vulnerabilities enable server-side request forgery (SSRF) and remote code execution when the attacker gains access to Microsoft Exchange through PowerShell.


This group attains initial access to victims’ networks by exploiting valid accounts (T1078) and abusing public applications (T1190), specifically targeting vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]). Play ransomware actors have been observed employing external services (T1133), such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), for their initial access strategies.

Play has embraced the alarming trend of Ransomware as a Service (RaaS), facilitating other cybercriminals in launching their own campaigns using Play Ransomware’s infrastructure and tactics. This approach allows individuals to execute attacks with ease, following detailed instructions provided as part of the service.

One of the most noteworthy findings emphasized in the report issued by Adlumin is the notable lack of diversity among Play ransomware attacks. This uniformity spans various aspects, ranging from the consistent selection of public music folders to conceal malicious files to the utilization of identical passwords for creating accounts with elevated privileges.


Play ransomware actors employ a double extortion model, encrypting systems only after extracting sensitive data. Notably, the ransom notes do not contain an initial ransom demand or payment instructions. Instead, victims are directed to initiate contact with the threat actors through email for further communication and negotiation. The adoption of this tactic amplifies the pressure on victims and broadens the potential for success for malicious operators.

According to statistics compiled by Malwarebytes, Play Ransomware left its mark on nearly 40 victims in November 2023 alone, ranking just behind LockBit and BlackCat (also known as ALPHV and Noberus).

In light of this sophisticated evolution, organizations must implement robust preventive measures. 

Some of the mitigation measures recommended by the FBI, CISA, and ASD’s ACSC include:

  1. Implement a Comprehensive Recovery Plan: Maintain and retain multiple copies of confidential or proprietary servers and data [CPG 2.F, 2.R, 2.S] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, cloud).
  2. Enforce Strong Password Policies: Require all accounts with password logins to adhere to NIST standards for developing and managing password policies.
  3. Deploy Multi-Factor authentication: Mandate multi-factor authentication for all services to the greatest extent possible.
  4. Keep Systems Updated: Keep all operating systems, software, and firmware up to date to patch known vulnerabilities promptly.
  5. Utilize Real-Time Antivirus Protection: Install, regularly update, and enable real-time detection for anti-virus software on all hosts.
  6. Maintain Offline Data Backups: Safeguard data by maintaining offline backups and conduct periodic backup and restore exercises to ensure data integrity and availability.

For more information about the tactics, techniques and procedures (TTP) of the Play ransomware group:


Author: Reynaldo C. de la Fuente. Partner Director