{
	"id": "8bf9937c-7769-4760-91d0-6813201b4cc0",
	"created_at": "2026-04-06T00:07:58.781584Z",
	"updated_at": "2026-04-10T13:11:34.755966Z",
	"deleted_at": null,
	"sha1_hash": "a0aa19d228ac1db93a2e0bbe2502ad6063b11627",
	"title": "PLAY Ransomware Group Gains Access via Citrix Bleed Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284190,
	"plain_text": "PLAY Ransomware Group Gains Access via Citrix Bleed\r\nVulnerability\r\nBy George Glass, Laurie Iacono, Keith Wojcieszek\r\nPublished: 2024-06-11 · Archived: 2026-04-05 14:46:45 UTC\r\nIn November 2023, the Cybersecurity \u0026 Infrastructure Security Agency (CISA) published guidance for addressing\r\nvulnerability CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway. This vulnerability is also\r\nknown as Citrix Bleed.\r\nAccording to CISA: “The affected products contain a buffer overflow vulnerability that allows for sensitive\r\ninformation disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or\r\nAAA virtual server. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication\r\nare not impacted. Exploitation of this vulnerability could allow for the disclosure of sensitive information,\r\nincluding session authentication token information that may allow a threat actor to “hijack” a user’s session.”\r\nThe vulnerability has been widely exploited by many types of attackers, including the PLAY Ransomware group,\r\nas shown in the case we investigate below.\r\nPLAY Ransomware: The “Double Extortion” Group\r\nPLAY Ransomware, also known as PLAY or PlayCrypt, is a ransomware-as-a-service (RaaS) group first observed\r\nin June 2022. The group both encrypts and exfiltrates victim data to demand a “double extortion” ransom to: (1)\r\nreceive a decryption tool and (2) avoid data publication on its dark web data leak site. The group is known to\r\nprimarily target small-to-medium-sized organizations, managed service providers (MSPs) and government entities.\r\nKroll’s analysis has found that, of the group’s known victims, PLAY heavily focuses on entities in North America\r\n(60%) and Europe (33%).\r\nhttps://www.kroll.com/en/insights/publications/cyber/play-ransomware-gains-access-citrix-bleed-vulnerability\r\nPage 1 of 3\n\nPlay Ransom Note – ReadMe.txt\r\nIndustries Targeted by PLAY Group\r\nPLAY is known to use intermittent or “partial” encryption on files to render the data unusable. Rather than\r\nencrypting entire files, PLAY targets only specific data segments of each processed file. This allows for faster\r\noverall encryption and can decrease the detection rate of antivirus software using static analysis to detect\r\nransomware infections.\r\nUsing Citrix Bleed Vulnerability to Target a Professional Services Firm\r\nThe following infographic illustrates activities observed by Kroll’s Cyber Threat Intelligence (CTI) team\r\nfollowing a four-day period after PLAY used the Citrix Bleed vulnerability to gain access to a professional\r\nservices firm. Once inside the network, the threat actor conducted internal scouting to discover and enumerate\r\ndomain accounts, trusted domains, permission groups and remote systems.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/play-ransomware-gains-access-citrix-bleed-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/play-ransomware-gains-access-citrix-bleed-vulnerability"
	],
	"report_names": [
		"play-ransomware-gains-access-citrix-bleed-vulnerability"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0aa19d228ac1db93a2e0bbe2502ad6063b11627.pdf",
		"text": "https://archive.orkl.eu/a0aa19d228ac1db93a2e0bbe2502ad6063b11627.txt",
		"img": "https://archive.orkl.eu/a0aa19d228ac1db93a2e0bbe2502ad6063b11627.jpg"
	}
}