Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1486 | Data Encrypted for Impact |
Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.[2][3] |
|
Enterprise | T1083 | File and Directory Discovery |
Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.[3] |
|
Enterprise | T1490 | Inhibit System Recovery |