{
	"id": "79c1dbb2-50a5-4fc7-b5ad-7e259a0d0919",
	"created_at": "2026-04-06T00:11:52.120781Z",
	"updated_at": "2026-04-10T03:30:33.169824Z",
	"deleted_at": null,
	"sha1_hash": "5f54c19b03f72312d5b32ad922a2aa888f7d8843",
	"title": "Ransomware Spotlight: Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 801526,
	"plain_text": "Ransomware Spotlight: Play\r\nArchived: 2026-04-05 16:41:16 UTC\r\nTop affected industries and countries\r\nIn this section, we examine Play ransomware’s attempts to compromise organizations from June 2022 to May 2023 based on Trend's Smart Protection Network™ country and regional data. It’s important to note that this data covers only Trend customers and does not contain all victims of Play ransomware. In that time period, Play ransomware activity climbed steadily, peaking in December 2022 with 170 attack attempts.\r\nFigure 1. A monthly breakdown of detected Play ransomware attempted attacks in terms of infected machines (June 2022 - May 2023)\r\nSource: Trend’s Smart Protection Network™\r\nData from customers who specified their industries showed that Play ransomware appeared most active in the telecommunications sector. The healthcare sector and the communication and media sector were also highly targeted.\r\nFigure 2. Industries with the highest number of attack attempts in terms of infected machines for Play ransomware (June 2022 - May 2023)\r\nSource: Trend’s Smart Protection Network™\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play\r\nPage 1 of 13\r\nOur telemetry also shows that the heaviest concentration of Play ransomware attack attempts was made against organizations located in Germany, which composed 15.4% of the total detections. This is followed closely by the United States and Portugal, at 15.3% and 15%, respectively.\r\nFigure 3. Countries with the highest number of attack attempts in terms of infected machines for Play ransomware (June 2022 - May 2023)\r\nSource: Trend’s Smart Protection Network™\r\nTargeted regions and industries according to Play leak site\r\nThis section looks at data based on attacks recorded on the leak site of the operators behind Play ransomware from June 2022 to May 2023. Based on both Trend's open-source intelligence (OSINT) research and investigations into the leak site, Play ransomware actors had managed to compromise a total of 110 victims who refused to pay the ransom demand as of this writing.\r\nOrganizations based in Europe were the hardest hit among the victims identified on Play’s leak site at 49 attacks; those in North America came in second at 39. More specifically, the United States was at the receiving end of most of the attacks, with 33 affected organizations. Many confirmed ransomware attacks also took place in Germany and France, with 9 and 8 victims respectively.\r\nFigure 4. The distribution by region of Play ransomware’s victim organizations (June 2022 - May 2023)\r\nSources: Play ransomware’s leak site and Trend’s OSINT research\r\nThe leak site data indicates that the IT industry was most targeted by Play’s attacks, followed by transportation. Other affected organizations include those in the construction and materials industry, as well as government entities.\r\nFigure 5. The top 10 countries most targeted by Play ransomware threat actors (June 2022 - May 2023)\r\nSources: Play ransomware’s leak site and Trend’s OSINT research\r\nMost of Play ransomware’s victim organizations were small-sized businesses. However, a number of affected organizations did not have their sizes specified.\r\nFigure 6. The top 10 industries most targeted by Play ransomware threat actors (June 2022 - May 2023)\r\nSources: Play ransomware’s leak site and Trend’s OSINT research\r\nFigure 7. The distribution by organization size of Play ransomware’s victim organizations (June 2022 - May 2023)\r\nSources: Play ransomware’s leak site and Trend’s OSINT research\r\nInfection chain and techniques\r\nInitial Access\r\nThe actors behind Play ransomware usually achieve initial access by way of valid accounts – including virtual private network (VPN) accounts, not just domain and local accounts – that have been reused across multiple platforms, previously exposed, or obtained by illegal means. To establish a foothold in their targeted system, they also use exposed remote desktop protocol (RDP) servers.\r\nAdditionally, Play ransomware exploited two FortiOS vulnerabilities: CVE-2018-13379, a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download OS system files through specially crafted HTTP resource requests; and CVE-2020-12812, an improper-authentication vulnerability in SSL VPN in FortiOS that allows a user to log in without being prompted for the second factor of authentication, FortiToken, if they changed the case of their username.\r\nPlay ransomware has also used new CVEs to gain initial access. These include ProxyNotShell (CVE-2022-41040), a server-side request forgery (SSRF) vulnerability that allows an authenticated attacker to remotely trigger the next vulnerability, CVE-2022-41082; OWASSRF (CVE-2022-41080), a new exploit method for Microsoft Exchange Server after the patch for ProxyNotShell; and Microsoft Exchange Server Remote Code Execution (CVE-2022-41082), a follow-up exploit to ProxyNotShell and OWASSRF designed to achieve RCE using the respective PowerShell endpoints of each vulnerability.\r\nPrivilege Escalation\r\nUsing Mimikatz, Play ransomware extracts high-privilege credentials from memory, after which it adds accounts to privileged groups, including the Domain Administrators group. It uses Windows Privilege Escalation Awesome Scripts (WinPEAS), a script that searches for possible local privilege escalation paths, to perform vulnerability enumeration.\r\nDefense evasion\r\nPlay ransomware disables antimalware and monitoring solutions using tools like Process Hacker, GMER, IOBit, and PowerTool. It covers its tracks using the Windows built-in tool wevtutil or a batch script as a means of removing indicators of its presence, including logs in Windows Event Logs or malicious files.\r\nIn June, we also observed some Play attacks that specifically targeted Microsoft Defender by disabling its real-time monitoring and antivirus protection capabilities. Through PowerShell or the command prompt, it disables Microsoft Defender’s protection capabilities. The PowerShell scripts that Play ransomware uses, like Cobalt Strike beacons (Cobeacon) or Empire agents, are Base64-encoded.\r\nDiscovery\r\nPlay ransomware’s actors gather more details about the Active Directory (AD) environment in the discovery phase of their attacks. We found that AD queries for remote systems were performed by different tools like ADFind, Microsoft Nltest, and Bloodhound. Grixba is also used to check for a list of security files and processes, among others. The ransomware operators also performed the enumeration of system information, such as hostnames, shares, and domain information.\r\nCredential Access\r\nPlay ransomware uses Mimikatz – a tool that can be dropped directly on the target host or executed as a module through a command-and-control (C\u0026C) application like Empire or Cobalt Strike – to dump credentials. The malware also uses the Windows tool Task Manager as a means of dumping the Local Security Authority Subsystem Service (LSASS) process from memory. Another one of its discovery tools is the Grixba infostealer, which Play ransomware uses to check for a list of security files and processes, among others.\r\nLateral Movement\r\nPlay ransomware may use different tools to move laterally across a victim’s system:\r\n• Cobalt Strike SMB beacon, which is used as a C\u0026C beacon, a method of lateral movement, and a tool for downloading and executing files\r\n• SystemBC, a SOCKS5 proxy bot that serves as a backdoor with the ability to communicate over Tor, is used for backdooring mechanisms\r\n• Empire, an open-source post-exploitation framework that’s used to conduct Play ransomware’s post-exploitation activity\r\n• Mimikatz, which is used to dump credentials and gain domain administrator access on victim networks to conduct lateral movement\r\nExfiltration\r\nA victim’s data is often split into chunks instead of whole files prior to exfiltration, which Play ransomware may do to avoid triggering network data transfer detections. Play ransomware utilizes WinSCP, an SFTP and FTP client for Microsoft Windows. WinRAR is also used to compress the files in .RAR format for later exfiltration. A web page developed in PHP is used to receive the exfiltrated files.\r\nImpact\r\nAfter encrypting a file, Play adds the “.play” extension to that file. A ransom note titled ReadMe.txt is created in the hard drive root (C:). The ransom notes in all the cases we investigated contained an email address that followed the same format: [seven random characters]@gmx[.]com. It also uses AlphaVSS to delete shadow copies, which disables the victim machine’s System Restore capability.\r\nOther technical details\r\nPlay encrypts files with the following extensions:\r\n.$er, .4dd, .4dl, .abcddb, .abs, .abx, .ac, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .anb, .aq, .arc, .ask, .bak, .bcp, .bdf, .btr, .cat, .cdb, .ckp, .cma, .cpd, .crypt, .crypt1, .crypt10, .crypt12, .crypt14, .crypt15, .crypt5, .crypt6, .crypt7, .crypt8, .crypt9, .dacpac, .dad, .daschema, .dat, .db, .db-shm, .db-wal, .db2, .db3, .dbc, .dbcrypt, .dbcrypt8, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fm5, .fmp, .fmp12, .fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .ib, .ibd, .icg, .icr, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .ldf, .lgc, .log1, .luminar, .lut, .lwx, .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .myi, .ndf, .ns2, .ns3, .ns4, .nsf, .nv, .nv2, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sav, .sbf, .scx, .sdb, .sdc, .sdf, .sdy, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .te, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff\r\nIt avoids the following directories/drive types:\r\n• RAM Disk\r\n• CD-ROM Drive\r\nIt avoids encrypting files with these strings in their file name:\r\n• ReadMe.txt\r\n• bootmgr\r\nIt avoids encrypting files with the following extensions:\r\n• .PLAY\r\n• .exe\r\n• .msi\r\n• .dll\r\n• .lnk\r\n• .sys\r\nAn example of a dropped ransom note in a Play ransomware attack:\r\nFigure 10. Play ransomware’s dropped ransom note\r\nEncryption Method\r\nAES-RSA Hybrid Encryption\r\nHacktools\r\n• Cobalt Strike\r\n• Webshells\r\n• Adfind\r\n• Batch Files\r\n• SystemBC\r\n• Powertool64\r\n• Psexec\r\nMITRE tactics and techniques\r\nInitial Access\r\nT1190 - Exploit Public-Facing Application: Has been observed to be using several exploits as part of its entry vector:\r\n• FortiOS SSL VPN Exploits (CVE-2018-13379 and CVE-2020-12812)\r\n• ProxyNotShell (CVE-2022-41040)\r\n• OWASSRF (CVE-2022-41080)\r\n• MS Exchange Server Remote Code Execution (CVE-2022-41082)\r\nSome reports also mention arriving via spam mail.\r\nExecution\r\nT1059 - Command and Scripting Interpreter: Uses several scripts like PowerShell and batch files as part of its execution and other functionalities.\r\nT1203 - Exploitation for Client Execution: Combined with some of the exploits used as initial access, another exploit is used to download and execute other components:\r\n• MS Exchange Server Remote Code Execution (CVE-2022-41082)\r\nDefense Evasion\r\nT1562 - Impair Defenses: Makes use of third-party tools like GMER, Process Hacker, PowerTool, and so on, to try and disable antivirus-related services and processes like Microsoft Defender.\r\nT1140 - Deobfuscate/Decode Files or Information: Makes use of obfuscated code and/or files to try and avoid detection or make analysis harder.\r\nT1070 - Indicator Removal: May sometimes delete itself or its components to avoid leaving indications of compromise.\r\nCredential Access\r\nT1003 - OS Credential Dumping; T1552 - Unsecured Credentials: Makes use of Mimikatz to dump credentials.\r\nDiscovery\r\nT1033 - System Owner/User Discovery; T1082 - System Information Discovery; T1083 - File and Directory Discovery; T1135 - Network Share Discovery; T1057 - Process Discovery; T1007 - System Service Discovery: Using its remote access tools (RATs) and/or the ransomware binary itself, Play can discover several kinds of system information, such as:\r\n• Users\r\n• OS information\r\n• Files and directories\r\n• Accessible systems within the compromised network\r\n• Running processes\r\n• Running services\r\nIt also uses the Grixba infostealer as a tool for discovery.\r\nLateral Movement\r\nT1021 - Remote Services: SMB/Windows Admin Shares: Upon discovery of available network shares, it can use these to traverse the network via SMB.\r\nCommand and Control\r\nT1071 - Application Layer Protocol: Connects to its C\u0026C server via typical protocols, such as HTTP and HTTPS.\r\nExfiltration\r\nT1002 - Data Compressed: Uses archiving tools like WinRAR to compress stolen data or files to prepare them for exfiltration.\r\nT1048 - Exfiltration Over Alternative Protocol: Can either exfiltrate via its own C\u0026C server or make use of file transfer tools like WinSCP.\r\nImpact\r\nT1486 - Data Encrypted for Impact: Play ransomware uses intermittent encryption and the hybrid RSA encryption method.\r\nT1489 - Service Stop: Can disable antivirus-related services.\r\nT1490 - Inhibit System Recovery: Uses AlphaVSS to inhibit system recovery.\r\nSummary of malware, tools, and exploits used\r\nSecurity teams should keep an eye out for the presence of these malware, tools, and exploits that are typically used in Play’s ransomware attacks:\r\nInitial Access: FortiOS SSL VPN Exploits (CVE-2018-13379 and CVE-2020-12812); ProxyNotShell (CVE-2022-41040); OWASSRF (CVE-2022-41080); MS Exchange Server Remote Code Execution (CVE-2022-41082)\r\nExecution: Cobeacon; SystemBC; PowerShell\r\nDiscovery: Adfind; Bloodhound; Grixba; Netscan; NlTest\r\nCredential Access: Mimikatz\r\nLateral Movement: Cobeacon; PsExec; Empire; RDP\r\nDefense Evasion: GMER; IOBit; Process Hacker; PowerTool\r\nExfiltration: WinRAR; WinSCP\r\nSecurity Recommendations\r\nOur analysis of Play ransomware underscores the great strides modern threat actors have taken to design attacks that are better equipped to go under the radar and avoid detection. In light of this, organizations should stay vigilant against ransomware actors that have turned to red-team or penetration-testing tools as a means of camouflaging their presence when infiltrating their targeted systems.\r\nIn defending systems against threats like Play ransomware, organizations can benefit from establishing security frameworks that allocate resources systematically for building solid defenses against ransomware. Here are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\n• Take an inventory of assets and data.\r\n• Identify authorized and unauthorized devices and software.\r\n• Make an audit of event and incident logs.\r\nConfigure and monitor\r\n• Manage hardware and software configurations.\r\n• Grant admin privileges and access only when necessary to an employee’s role.\r\n• Monitor network ports, protocols, and services.\r\n• Activate security configurations on network infrastructure devices such as firewalls and routers.\r\n• Establish a software allowlist that executes only legitimate applications.\r\nPatch and update\r\n• Conduct regular vulnerability assessments.\r\n• Perform patching or virtual patching for operating systems and applications.\r\n• Update software and applications to their latest versions.\r\nProtect and recover\r\n• Implement data protection, backup, and recovery measures.\r\n• Enable multifactor authentication (MFA).\r\nSecure and defend\r\n• Employ sandbox analysis to block malicious emails.\r\n• Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.\r\n• Detect early signs of an attack such as the presence of suspicious tools in the system.\r\n• Use advanced detection technologies such as those powered by AI and machine learning.\r\nTrain and test\r\n• Regularly train and assess employees on security skills.\r\n• Conduct red-team exercises and penetration tests.\r\nA multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.\r\n• Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.\r\n• Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\n• Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\n• Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nTrend Micro Vision One Hunting Query\r\nTrend Vision One customers can use the following hunting query to check for the presence of Play ransomware on endpoints:\r\n• fullPath:(\"*.play\" OR \"*\\\\ReadMe.txt\")\r\n• malName:(*PLAYDE* OR *PLAYCRYPT*)\r\nCustomers can also hunt for ransomware or component binaries in specific locations using this query:\r\n• FileFullPath:(Music OR Perflogs OR LocalTemp) AND eventSubId:101 AND FileFullPath:.exe\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play"
	],
	"report_names": [
		"ransomware-spotlight-play"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f54c19b03f72312d5b32ad922a2aa888f7d8843.pdf",
		"text": "https://archive.orkl.eu/5f54c19b03f72312d5b32ad922a2aa888f7d8843.txt",
		"img": "https://archive.orkl.eu/5f54c19b03f72312d5b32ad922a2aa888f7d8843.jpg"
	}
}