Playcrypt

Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from the .play extension it appends to encrypted files, and it overlaps with tactics and tools associated with Hive and Nokoyawa ransomware and with infrastructure associated with Quantum ransomware.[1][2][3]

ID: S1162
Associated Software: Play
Type: MALWARE
Platforms: Windows
Contributors: Marco Pedrinazzi, @pedrinazziM
Version: 1.0
Created: 25 September 2024
Last Modified: 02 October 2024

Associated Software Descriptions

Name Description
Play [2][3]

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.[2][3]

Enterprise T1083 File and Directory Discovery

Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.[3]

Enterprise T1490 Inhibit System Recovery

Playcrypt can use AlphaVSS to delete shadow copies.[3]
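As an added illustration, not taken from ATT&CK or the cited reports, the following defender-side check targets the intermittent encryption pattern described under T1486 above: it measures Shannon entropy per 0x100000-byte portion and flags files whose portions strictly alternate between ciphertext-like and plaintext-like. The entropy thresholds and the use of random bytes as a stand-in for AES ciphertext in the constructed sample are assumptions.

```python
import math
from collections import Counter
from os import urandom

# Portion size the page attributes to Playcrypt: every other 0x100000-byte block
# of a file is encrypted, the blocks in between are left as plaintext.
PORTION = 0x100000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for typical plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_portions(data: bytes, portion: int = PORTION,
                      high: float = 7.5, low: float = 6.5) -> list:
    """Label each full portion 'E' (ciphertext-like), 'P' (plaintext-like) or
    '?' (ambiguous). Thresholds are assumptions, not values from the reports.
    A trailing partial portion is skipped: its entropy estimate is unreliable."""
    labels = []
    for i in range(0, len(data) - portion + 1, portion):
        e = shannon_entropy(data[i:i + portion])
        labels.append('E' if e >= high else 'P' if e <= low else '?')
    return labels

def looks_intermittently_encrypted(data: bytes, portion: int = PORTION) -> bool:
    """True when full portions strictly alternate between ciphertext-like and
    plaintext-like, in either phase. Fully encrypted or fully plaintext files
    do not match; at least two full portions are needed to judge."""
    labels = classify_portions(data, portion)
    if len(labels) < 2 or '?' in labels:
        return False
    return all(labels[i] != labels[i + 1] for i in range(len(labels) - 1))

def build_sample(encrypt_first: bool = True, portions: int = 4) -> bytes:
    """Constructed sample: repetitive text with every other portion replaced by
    random bytes as a stand-in for AES ciphertext (no real encryption is done)."""
    line = b"quarterly report: revenue, expenses, headcount by region\n"
    text = (line * (PORTION // len(line) + 1))[:PORTION]
    out = bytearray()
    for i in range(portions):
        encrypted = (i % 2 == 0) == encrypt_first
        out += urandom(PORTION) if encrypted else text
    return bytes(out)

if __name__ == "__main__":
    print(classify_portions(build_sample()))  # ['E', 'P', 'E', 'P']
```

Already-compressed or encrypted formats (archives, media, encrypted databases) have high entropy throughout and so do not match the alternating pattern, but they will also mask the plaintext portions if such a file is hit, so this check complements rather than replaces extension and process-behaviour monitoring.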

Groups That Use This Software

ID Name References
G1040 Play [2][3]

References