December 10, 2023

Six organizations have been victimized in the latest cyber attack executed by play ransomware. The affected entities span across different regions, including the US, UK, and Norway.

The targeted organizations include Roof Management, Security Instrument Corp, Filtration Control Ltd, Cinépolis Cinemas, CHARMANT Group, and Stavanger Municipality.

The PLAY Ransomware group employs a variety of techniques to infiltrate an organization’s network, including the exploitation of known vulnerabilities like CVE-2018-13379 and CVE-2020-12812.


They leverage exposed RDP servers and valid accounts to gain initial access. Once inside, they utilize “lolbins,” a common tool among ransomware groups. To distribute executables within the internal network, they employ Group Policy Objects, scheduled tasks, PsExec, or Wmic.

Once they establish full access, they encrypt files, appending them with the “.play” extension. Additionally, the group practices double extortion, threatening to expose sensitive data.

The PLAY ransomware group has recently expanded its arsenal, incorporating new tools and exploits such as ProxyNotShell, OWASSRF, and a Microsoft Exchange Server Remote Code Execution.

Among these, Grixba, a custom network scanner and infostealer, along with the open-source VSS management tool AlphaVSS, are noteworthy additions.


There is a potential link between PLAY ransomware and other ransomware families, specifically Hive and Nokoyawa. Shared tactics and tools indicate a high likelihood of affiliation among these groups.

Furthermore, parallels have been drawn between PLAY and Quantum ransomware, an offshoot of the Conti ransomware group. Both groups share some infrastructure, with Cobalt Strike beacons bearing the watermark “206546002” being a key indicator.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.