S1162 Playcrypt
Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Playcrypt derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.[2][1][3]
| Item | Value |
|---|---|
| ID | S1162 |
| Associated Names | Play |
| Type | MALWARE |
| Version | 1.0 |
| Created | 25 September 2024 |
| Last Modified | 02 October 2024 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Play | [1][3] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | Playcrypt encrypts files on targeted hosts with an AES-RSA hybrid encryption, encrypting every other file portion of 0x100000 bytes.[1][3] |
| enterprise | T1083 | File and Directory Discovery | Playcrypt can avoid encrypting files with a .PLAY, .exe, .msi, .dll, .lnk, or .sys file extension.[3] |
| enterprise | T1490 | Inhibit System Recovery | Playcrypt can use AlphaVSS to delete shadow copies.[3] |
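A file-triage check built around the two behaviours in the table above (every other 0x100000-byte portion encrypted, and a fixed list of extensions left untouched), added here as an example; it is not code from MITRE or from any Play sample. The portion size and extension list come from the page; the entropy thresholds, file names, and sample bytes are constructed assumptions.

```python
import math
import os

CHUNK = 0x100000  # portion size the page attributes to Playcrypt (1 MiB)
# Extensions the page says Playcrypt leaves unencrypted (.play = already done)
SKIPPED_EXTENSIONS = {".play", ".exe", ".msi", ".dll", ".lnk", ".sys"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for typical text."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(b) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def alternation_score(data: bytes, chunk: int = CHUNK,
                      high: float = 7.5, low: float = 6.5) -> float:
    """Fraction of portions consistent with every-other-portion encryption.
    Which portion is encrypted first is not stated on the page, so both
    phases are tried and the better match returned; <2 portions scores 0."""
    ents = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    if len(ents) < 2:
        return 0.0

    def fits(i: int, e: float, phase: int) -> bool:
        return e >= high if (i + phase) % 2 == 0 else e <= low

    return max(sum(fits(i, e, p) for i, e in enumerate(ents)) / len(ents)
               for p in (0, 1))

def triage(path: str, data: bytes, threshold: float = 0.9) -> dict:
    """Per-file triage record; skipped extensions are flagged so an intact
    .exe or .dll is not misread as evidence that encryption failed."""
    ext = os.path.splitext(path)[1].lower()
    score = alternation_score(data)
    return {"path": path, "skipped_by_extension": ext in SKIPPED_EXTENSIONS,
            "alternation_score": round(score, 3),
            "suspect_partial_encryption": score >= threshold}

# Constructed sample: os.urandom stands in for encrypted portions, repeated
# text for untouched ones, in the alternating layout the page describes.
PLAIN = (b"quarterly report draft " * (CHUNK // 23 + 1))[:CHUNK]
SAMPLE = os.urandom(CHUNK) + PLAIN + os.urandom(CHUNK) + PLAIN

if __name__ == "__main__":
    print(triage("report.docx.play", SAMPLE))  # suspect_partial_encryption: True
    print(triage("notes.txt", PLAIN * 4))      # untouched file, score 0.5
```

Run it over files recovered from an affected host to separate partially encrypted documents from files the extension rule would have skipped.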
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1040 | Play | [1][3] |
References
1. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
2. Microsoft Security Intelligence. (2022, August 27). Ransom:Win32/PlayCrypt.PA. Retrieved September 24, 2024.
3. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.