PAYLOAD.BIN

2023-10-05T20:36:29+01:00

Overview and attack techniques

Play is shaping up to be a player on the rise within the ransomware landscape.

In July 2022, Trend Micro researchers looked into ransomware cases in Latin America that targeted government entities and were initially attributed to a newcomer whose ransom note contains the single word “PLAY”, along with the ransomware group’s email address.

The Play ransomware group has been observed augmenting its toolbox with a number of new tools and exploits, including the vulnerabilities ProxyNotShell, OWASSRF, and a Microsoft Exchange Server remote code execution vulnerability. More recently, the group has also begun to use new tools such as Grixba, a custom network scanner and infostealer, and the open-source VSS management tool AlphaVSS.

Evidence has been found suggesting a link between Play and various ransomware families. Some tactics and tools are shared with the Hive, Nokoyawa and Quantum groups, the latter being an offshoot of the infamous Conti ransomware group. The groups also partly share infrastructure: Play’s attacks use Cobalt Strike beacons carrying the same watermark, 206546002, as the beacons dropped by the Emotet and SVCReady botnets in Quantum ransomware attacks.

Victims in Switzerland

ABB

07.05.2022

Sector: INDUSTRY
Criminal group: BLACK BASTA

Baloise

11.04.2022

Sector: FINANCE & INSURANCE
Criminal group: BLACK BASTA

Aquila AG

02.03.2022

Sector: FINANCE & INSURANCE
Criminal group: PAYLOAD.BIN

DBS Group

02.12.2021

Sector: REAL ESTATE
Criminal group: GAMEOVER ZEUS
