{ "id": "195297da-23a5-4ff7-b00b-9ff78c6b19f6", "created_at": "2026-04-06T01:29:48.180119Z", "updated_at": "2026-04-10T03:31:13.112247Z", "deleted_at": null, "sha1_hash": "827476d9bd154ab15348309230ffee36ec6dca39", "title": "PLAYing the game", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2077163, "plain_text": "PLAYing the game\r\nPublished: 2022-12-28 · Archived: 2026-04-06 01:11:36 UTC\r\nSearch\r\nSearch\r\n28 December 2022\r\nIn our recently published Security Navigator report we highlight the fact that ransomware operations involving\r\ndata encryption have been increasingly coupled with extortion tactics from threat actors to further pressure victim\r\norganizations into paying ransoms. This is what we term cyber-extortion (Cy-X). This trend is key when looking\r\nat the current threat landscape. Indeed, most of the currently active ransomware operations perform double-extortion (or even triple-extortion), for instance threatening to leak stolen information on the Dark Web or to sell it\r\nto the highest bidder if the ransom is not paid or launching DDoS attacks against the same victim.\r\nExtortion in itself has thus arisen to a point where encryption is not always necessary: it is equally lucrative to\r\nhack and leak an organization. This shift in cybercrime operations partially results from the overall improvement\r\nby organizations of their backup strategies in order to better prevent ransomware attacks, leading some threat\r\nactors to now only perform this type of operations. This is for instance the case of groups such as Karakurt,\r\nRansomHouse or Silent Ransom…\r\nDouble extortion is all the more problematic as leaked information can facilitate further compromises from other\r\nthreat groups. These leaks feed the ongoing data trade within underground marketplaces and cybercriminal\r\nforums.\r\nhttps://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 1 of 7\n\nUntil the fundamental systemic factors that enable this form of crimes are addressed, we should expect to see\r\ncriminals continuing to adapt and test new pressure tactics to rush victims into paying exorbitant ransoms. We\r\ncontinue to see Cy-X groups come and go, primarily because of how lucrative these extortion operations appear to\r\nbe, along with their apparent ease of execution and supposed anonymity. Even if law enforcement agencies\r\nsometimes succeed in identifying and arresting members of these clusters, this often leads to groups disbanding,\r\nrebranding and updating their tactics to further avoid detection.\r\nThis leads us nicely to a new ransomware group known as PLAY, which leverages double extortion through its\r\nown leak site.\r\nWe first notified customers of the threat presented by PLAY in a CERT ‘World Watch’ advisory published in early\r\nSeptember 2022 (https://portal.cert.orangecyberdefense.com/worldwatch/570462 for registered users).\r\n“Trend Micro researchers detailed in a recent report a new ransomware, which adds the .play extension\r\nafter encrypting files and drops a ransom note containing only the word \"PLAY\" along with an email\r\naddress to contact the group. The first reports of this ransomware's activity date from June 2022, when a\r\nvictim asked for help in the Bleeping Computer forums. In July, Trend Micro researchers investigated a\r\nlarge number of attacks in quick succession in the Latin American region targeting government entities.\r\nFor initial access, the threat actor has been known to use compromised valid accounts or exploit\r\nunpatched Fortinet SSL VPN vulnerabilities. The ransomware group uses living-off-the-land binaries\r\n(LOLBins) as part of its attacks, such as WinSCP for data exfiltration and Task Manager for LSASS\r\ndumping. They use double extortion techniques, compressing the victim's files with WinRAR and\r\nuploading it to file sharing sites. The ransomware is then distributed via GPO and run using scheduled\r\ntasks, PsExec or wmic….”\r\nThe threat cluster behind PLAY is yet to be extensively covered by security researchers. Trend Micro was the first\r\nvendor to publicly document this threat actor in a report[1] published in September 2022, where they provided\r\nanalysis following investigations into attacks carried out in July. Based on their analysis they believed that PLAY\r\nwas the successor of Hive, a notorious ransomware active since 2021. It also shares some overlaps with\r\nNokoyawa, yet another ransomware operation. However, there is nothing concrete that allows us to assess with\r\nhigh confidence whether PLAY is definitely a successor of one of these two ransomware families.\r\nhttps://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 2 of 7\n\nIn early September, security researcher Chuong Dong also published a technical analysis of the ransomware being\r\nused by PLAY, focusing mostly on its anti-analysis and encryption features. In his blog post[2] he states that PLAY\r\nis heavily obfuscated with a lot of unique tricks that have not been used by any other ransomware.\r\nOne of the first victim was the French ITS Group, who disclosed the breach via their website:\r\nSince November  2022, our CERT started investigating a surge in PLAY compromises.\r\nRecently our friends at CrowdStrike reported the exploit dubbed OWASSRF while investigating Play ransomware\r\nattacks, where compromised Microsoft Exchange servers were used to infiltrate the victims' networks. OWASSRF\r\nis a chaining of CVE-2022-41080 and CVE-2022-41082. PLAY has also been reported to exploit ‘ProxyNotShell’\r\n(CVE-2022-41040), but CrowdStrike found that the flaw abused by a newly discovered exploit is likely CVE-https://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 3 of 7\n\n2022-41080, a security flaw that allows remote privilege escalation on Exchange servers\r\n[1]\r\n which Microsoft\r\ntagged as critical but not exploited in the wild when patching it last November.\r\nWe searched for these three vulnerabilities in a significantly sized sample of our Vulnerability Scanning\r\nclients and only found occurrences at 2.5% of the clients we examined. Only CVE-2022-41040 and CVE-2022-41082 were found together at the same client, and we found that occurence only once.\r\nThis of course does not reduce the significance of these vulnerabilities, which are clearly being exploited in the\r\nwild, but it is encouraging to see that they are apparently being successfully fixed by most of our client base.\r\nIn a recent, common practice amongst other Cy-X groups, PLAY ransomware recently published a website,\r\naccessible only through Tor, where the group is disclosing details about victims and leaking stolen data if the\r\nvictim doesn't pay the ransom. The ransom note left by PLAY used to be very blunt and specific to the victim with\r\nonly an email address to contact the threat group. Usually though, ransomware operators take the time to explain\r\nto the victim how to acquire the requested cryptocurrency and threaten retaliation if they contact recovery\r\ncompanies or law enforcement. This guidance is nevertheless being provided by PLAY in the FAQ section of this\r\nnewly published data leak site. The group behind PLAY are also following a recent trend among ransomware\r\noperators whereby they apply additional pressure on victims during negotiations by initially obfuscating the\r\nvictim's name on the leak site, thus giving them an opportunity to pay in order to prevent their full name from\r\nbeing released publicly.\r\nThe ‘added’ date on the leak below is deceiving, because PLAY actually carried out this compromise before the\r\nlaunch of their site. The compromise likely dated back to September.\r\nUnsurprisingly, our Computer Incident Responses Teams (CSIRT) has encountered this threat group in three\r\ndifferent cases in the last month.\r\nhttps://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 4 of 7\n\nWe held a call with one infected customer at 09h00 the morning after their systems were encrypted in November.\r\nInvestigations commenced immediately and by 12h20 our team was processing evidence.\r\nThe customer in question is not a large business. The initial point of entry appeared to be VPN access using\r\nlegitimate credentials, and the ransomware deployment and encryption had taken place over the course of just one\r\nday. On some machines malware was deployed and triggered manually via RDP, on others it was via PSExec.\r\nAlmost the entire environment was encrypted. Onsite backups were either encrypted or destroyed. Fortunately for\r\nthis victim, a set off reliable off-site backups allowed us to recover most of the data and systems. Unfortunately\r\nfor this victim, several hundred gigabytes of data were published on the PLAY data leak site.\r\nOur CSIRT worked over a period of 8 days to assist and proceed to identify, track and contain the compromise. A\r\nmalware sample that proved to be PLAY was discovered early on, and forwarded to our CERT (Computer\r\nEmergency Response Team) to identify the strain and capabilities of the code, using the sandbox described below.\r\nOur experience across these cases leads us to suspect that we are dealing with a separate PLAY affiliate, perhaps\r\nspecializing in Europe. The IoC and TTPs identified in all three cases overlap considerably, and in two other cases\r\nin France we’re aware of (but didn’t work on directly) we believe the sample of the remote access tool ‘systemBC’\r\nrecovered was identical. Yet none of the intelligence we collected from the three cases we’ve worked on so far\r\noverlaps with intelligence we’ve received from third parties working on cases elsewhere.\r\nSome of this infrastructure is still active and located in Europe, so some IoCs can be share only once French or\r\nEuropean law enforcement have been involved properly. Some are nevertheless provided at the end of this report.\r\nThe first step for our Reverse Engineers was to determine the malware family, easily obtainable with the .play\r\nencrypted extension.\r\nThe suspicious executable found on the system was detonated in our proprietary ‘P2A’ Sandbox to discover the\r\nattributes and behaviors of the file. We confirmed the family thanks to a custom ‘YARA’ rule stemming from our\r\nWorld Watch advisory and automatically embedded in P2A. This rule can be used to search for PLAY files\r\nelsewhere in ‘live’ environments. As a reminder, YARA is an open-source tool designed to help malware\r\nresearchers identify and classify malware samples. It makes it possible to create descriptions (or rules) for\r\nmalware families based on textual and/or binary patterns.\r\nhttps://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 5 of 7\n\nOur SaaS file analysis sandbox, P2A, can be used to easily confirm whether suspicious files belong to one\r\nmalware family. Fortunately, our sandbox allows for any analysis to be shared publicly, so you can view this\r\noutput directly here: p2a.cert.orangecyberdefense.com/analysis/111551/publicshared/HMD8BYOHA7AEXAYL\r\nThe YARA rule we created then triggered an alert on VirusTotal’s ‘LiveHunt’ service\r\n(https://support.virustotal.com/hc/en-us/articles/360001315437-Livehunt#h_b063a6e6-6de5-4aea-ab55-\r\n9d8ea46fbeb0). Livehunt allows you to hook into the stream of files analyzed by VirusTotal and get notified\r\nwhenever one of them matches a certain rule written in the YARA language. By applying YARA rules to the files\r\nanalyzed by VirusTotal we are able to get a constant flow of malware samples of this family, including ones not\r\ndetected by antivirus engines. The match against our rule from LiveHunt confirmed our initial assessment that we\r\nwere dealing with PLAY.\r\nhttps://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/\r\nSamples of the malware incorporate an obfuscation technique known as \"Return Oriented Programming\" (ROP)\r\nand garbage code insertion to make analysis more difficult. Other techniques used by PLAY ransomware include\r\nstring obfuscation and import hashing using the xxhash32 algorithm. It is highly likely that these obfuscation\r\ntechniques have been recently added to the malware but the code itself remains the same.\r\nFollowing on from the three cases our CSIRT is  engaged in, our Threat Intelligence teams will soon publish an\r\nupdate of our World Watch advisory outlining PLAY’s recent activity.\r\nhttps://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 6 of 7\n\nFurthermore, our CERT has also now made publicly available a subset of the PLAY ransomware IoCs contained\r\nin our Datalake Threat Intelligence database[3] (available as a SaaS service named Managed Threat Intelligence-detect). As with our P2A sandbox, we are able to share outputs from our database directly with our community,\r\nand made these IoCs available for you here (updated once per day only):\r\ndatalake.cert.orangecyberdefense.com/api/v2/mrti/public/export-html/\r\nThese IoCs are used automatically by our Managed Threat Detection services. You can add them also in your\r\nsecurity detection solutions (SIEM, NDR, EDR, etc.), in order to alert your SOC team. Orange Cyberdefense can\r\norchestrate for you the automatic feeding of such network-related IOCs in your security protection equipments\r\n(i.e. in various NGFW) using our \"Managed Threat Intelligence - protect\" service. \r\nSource: https://www.orangecyberdefense.com/global/blog/playing-the-game\r\nhttps://www.orangecyberdefense.com/global/blog/playing-the-game\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.orangecyberdefense.com/global/blog/playing-the-game" ], "report_names": [ "playing-the-game" ], "threat_actors": [ { "id": "d87fb380-03db-447c-a560-33e1b6e70e87", "created_at": "2025-05-29T02:00:03.231385Z", "updated_at": "2026-04-10T02:00:03.881295Z", "deleted_at": null, "main_name": "Luna Moth", "aliases": [ "Silent Ransom", "TG2729" ], "source_name": "MISPGALAXY:Luna Moth", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6ad410c7-e291-4327-a54b-281c23f0d4fa", "created_at": "2022-10-25T16:07:24.501468Z", "updated_at": "2026-04-10T02:00:05.013427Z", "deleted_at": null, "main_name": "Karakurt", "aliases": [ "Mushy Scorpius" ], "source_name": "ETDA:Karakurt", "tools": [ "7-Zip", "Agentemis", "AnyDesk", "Cobalt Strike", "CobaltStrike", "FileZilla", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "WinZip", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24", "created_at": "2022-10-25T16:47:55.853415Z", "updated_at": "2026-04-10T02:00:03.856263Z", "deleted_at": null, "main_name": "GOLD TOMAHAWK", "aliases": [ "Karakurt", "Karakurt Lair", "Karakurt Team" ], "source_name": "Secureworks:GOLD TOMAHAWK", "tools": [ "7-Zip", "AnyDesk", "Mega", "QuickPacket", "Rclone", "SendGB" ], "source_id": "Secureworks", "reports": null }, { "id": "921cea27-4410-42e4-8c11-7d40ba313225", "created_at": "2023-01-06T13:46:39.375789Z", "updated_at": "2026-04-10T02:00:03.307063Z", "deleted_at": null, "main_name": "RansomHouse", "aliases": [], "source_name": "MISPGALAXY:RansomHouse", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "079e3d6e-24ef-42b0-b555-75c288f9efd8", "created_at": "2023-03-04T02:01:54.105946Z", "updated_at": "2026-04-10T02:00:03.359009Z", "deleted_at": null, "main_name": "Karakurt", "aliases": [ "Karakurt Lair" ], "source_name": "MISPGALAXY:Karakurt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775438988, "ts_updated_at": 1775791873, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/827476d9bd154ab15348309230ffee36ec6dca39.pdf", "text": "https://archive.orkl.eu/827476d9bd154ab15348309230ffee36ec6dca39.txt", "img": "https://archive.orkl.eu/827476d9bd154ab15348309230ffee36ec6dca39.jpg" } }