{
	"id": "231eddcd-145a-4709-b69a-2638d68609b5",
	"created_at": "2026-04-06T00:08:00.568366Z",
	"updated_at": "2026-04-10T13:11:59.39839Z",
	"deleted_at": null,
	"sha1_hash": "a2bd728eb55aa5cddbc6d50b04e70df9ca81824b",
	"title": "PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers - N-able",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286414,
	"plain_text": "PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers - N-able\r\nBy N-able\r\nPublished: 2023-11-21 · Archived: 2026-04-02 12:34:42 UTC\r\nPlay, also known as “PlayCrypt,” was discovered in summer 2022 disrupting government agencies in Latin America. Months later, threat actors began using it against targets in the U.S. and Europe. Play, like most ransomware today, employs double-extortion tactics, stealing victim data before encrypting the victim's network.\r\nSince August 2023, the Adlumin MDR team has tracked two separate Play ransomware attacks in different industries. In the attacks we observed, the threat actors used the same tactics, techniques, and procedures (TTPs) and followed the same order of steps almost identically. Furthermore, the indicators of compromise (IOCs) for the two incidents were almost indistinguishable.\r\nOne of those IOCs is the use of the public music folder (C:\\…\\public\\music) to hide malicious files. Another is the creation of high-privilege accounts with almost the same password. And in both attacks, many of the same commands were observed.\r\nThis high level of consistency in the methods used is telling. First, it strongly suggests reliance on playbooks or step-by-step instructions supplied with RaaS kits. Second, the targeted victims shared a common profile: smaller organizations with the financial capacity to entertain ransoms reaching or exceeding $1 million.\r\nThe RaaS Kit Market\r\nPurchasing a RaaS kit is not difficult; it simply requires a Tor connection and membership in the right dark-net forum or market. 
Once there, a highly experienced threat actor, or even a “script kiddie,” can browse RaaS advertisements.\r\nBelow are two ads that we acquired from RaaS operators peddling their products on the dark web.\r\nhttps://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/\r\nPage 1 of 7\n\nOther ransomware ads we obtained offered “set-up assistance” “for as low as $200,” or advertised “no fees.” Our team also observed advertisements offering full builds from $300 to $1,100 “ready for deployment.”\r\nOne of the ads described the malware on offer as using “many cutting-edge evasion techniques including proprietary methods.”\r\nIn some ads, RaaS operators boasted of having ransomware kits that target macOS systems. “We have developed a new MacOS ransomware as we noticed a lack of it,” one ad read.\r\nAt least one post stated that the ransomware for sale was what “the cool kids are using,” implying that someone does not have to be “cool,” or perhaps highly skilled, to purchase and use it.\r\nEasy Enough for a Script Kiddie\r\nScript kiddies are individuals who possess basic hacking skills and enough knowledge to deploy and execute exploits written by more experienced threat actors. They tend to pick up new skills quickly and often eventually become “real hackers” themselves.\r\nSince 2015, researchers have written about script kiddies deploying ransomware, often working side by side with well-known threat actor groups.\r\nIn March 2022, police in the UK arrested members of the Lapsus$ cybercriminal group, known for targeting tech companies such as Okta, Nvidia, Samsung, and Microsoft. Those arrested were teenagers and young adults aged 16 to 21, according to the BBC. 
Their age alone, however, does not tell us whether they were script kiddies.\r\nWith enough documentation and technical support, and now with generative AI tools able to assist them as well, a script kiddie can be more than capable of carrying out an attack. However, attacks by these less-skilled individuals often contain more basic mistakes, which makes them easier for an organization with a capable security operation to stop.\r\nFor example, we have observed ransomware attacks foiled by the Adlumin Security Operations Platform or the Adlumin MDR Team during an attack’s early stages. In some cases, the threat actors never get the chance to encrypt files. In other incidents, SOAR actions within the Adlumin platform disabled accounts created by the threat actors, effectively locking them out of the network. Sometimes attacks are carried out but no data is exfiltrated.\r\nMoney to be Made\r\nRansomware attacks are very lucrative, especially since 73% of companies attacked pay the ransom. And with double extortion becoming the norm, organizations that do not pay are publicly shamed by RaaS operators on the clear or dark web.\r\nFor script kiddies of any age, ransomware may seem like a great way to make a living and get rich quickly. Also, with high unemployment rates in many countries in Latin America and other parts of the world, cybercrime may be seductive for underemployed or poorly paid computer programmers, or people in similar careers. 
According to DevelopmentAid.org, “[Poor countries] serve as training grounds for criminal groups in preparation for more ambitious attacks in developed countries.”\r\nWhen RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use. And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.\r\nBreadcrumbs\r\nIOCs discovered during an attack, such as malicious IP addresses, domains, Tor addresses, email addresses, hashes, and executables, can be very useful to analysts, researchers, and law enforcement. They serve as clues that help reconstruct what transpired during the incident and how. They can also offer some insight into the sophistication of the attackers.\r\nWhen threat actors follow RaaS-provided playbooks, they will likely adhere to them closely on their first few attacks. They will make mistakes, and if those mistakes are big enough, they can serve as breadcrumbs for the authorities to follow.\r\nAnything an attacker does in a network can help the authorities if they are contacted after an incident. This is why investigators ask victims to share any IOCs that could help with their investigations. 
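The indicators listed at the end of this report (the staging folders, the two file hashes, the account names and the .PLAY extension) translate directly into hunting logic. The following is an added example written for this page, not code from Adlumin or from the original post: it scans a list of constructed event records, flags the report's indicators, and correlates an account creation with a privileged-group addition, which is the high-privilege account pattern described above. The event schema, the ten-minute correlation window, the executable-extension list and the privileged-group names are assumptions made for the example and are not specified by the report.

```python
from datetime import datetime, timedelta

# Windows path separator, built with chr() so that none of the string literals
# in this file needs escaping.
BS = chr(92)


def winpath(*parts):
    # Join path components with the Windows separator; a leading empty part
    # yields a Device-prefixed kernel object path like the ones in the IOC list.
    return BS.join(parts)


# Indicators taken from the report above.
STAGING_DIRS = ('/users/public/music/', '/perflogs/')   # folders used to stage tooling
IOC_SHA1 = {
    'b042bc03144919c0fed9d60c1f68eb04ed72c2f6',
    '51d3d661774cc50bb22e62beafc4bc6029df2392',
}
IOC_USERNAMES = {'admon', 'daksj', 'admin'}             # accounts created by the actor
RANSOM_EXT = '.play'                                    # extension appended to encrypted files

# Assumptions made for this example, not something the report specifies.
EXEC_EXTS = ('.exe', '.dll', '.bat', '.cmd', '.ps1')
PRIV_GROUPS = {'administrators', 'domain admins'}
PRIV_WINDOW = timedelta(minutes=10)


def norm(path):
    # Lower-case and use forward slashes so drive-letter, UNC and Device paths compare alike.
    return path.replace(BS, '/').lower()


def hunt(events):
    # Scan event dicts (assumed schema: ts, host, event, actor, plus user/group
    # or path/sha1) in time order and return the alerts the indicators produce.
    alerts = []
    created = {}  # (host, user) -> creation time, for the account correlation

    def alert(ev, rule, detail):
        alerts.append({'ts': ev['ts'], 'host': ev['host'], 'rule': rule, 'detail': detail})

    for ev in sorted(events, key=lambda e: e['ts']):
        ts = datetime.fromisoformat(ev['ts'])
        kind = ev['event']
        if kind == 'user_create':
            user = ev['user'].lower()
            created[(ev['host'], user)] = ts
            if user in IOC_USERNAMES:
                alert(ev, 'ioc_username', 'new account %s matches a username from the report' % ev['user'])
        elif kind == 'group_add' and ev['group'].lower() in PRIV_GROUPS:
            # A freshly created account that is promptly made an admin is the
            # high-privilege account pattern the report describes.
            born = created.get((ev['host'], ev['user'].lower()))
            if born is not None and ts - born <= PRIV_WINDOW:
                age = int((ts - born).total_seconds())
                alert(ev, 'new_privileged_account',
                      '%s added to %s %d seconds after creation' % (ev['user'], ev['group'], age))
        elif kind in ('file_create', 'file_rename'):
            p = norm(ev['path'])
            if p.endswith(RANSOM_EXT):
                alert(ev, 'ransom_extension', ev['path'])
            if p.endswith(EXEC_EXTS) and any(d in p for d in STAGING_DIRS):
                alert(ev, 'staging_dir_executable', ev['path'])
            if ev.get('sha1', '').lower() in IOC_SHA1:
                alert(ev, 'known_hash', '%s sha1=%s' % (ev['path'], ev['sha1']))
    return alerts


# Constructed sample telemetry for the example; not taken from the report.
SAMPLE_EVENTS = [
    {'ts': '2023-09-12T02:10:05', 'host': 'FS01', 'event': 'user_create',
     'actor': 'it.admin', 'user': 'daksj'},
    {'ts': '2023-09-12T02:10:41', 'host': 'FS01', 'event': 'group_add',
     'actor': 'it.admin', 'user': 'daksj', 'group': 'Administrators'},
    {'ts': '2023-09-12T02:15:12', 'host': 'FS01', 'event': 'file_create', 'actor': 'daksj',
     'path': winpath('C:', 'Users', 'Public', 'Music', 'svc.exe'),
     'sha1': 'b042bc03144919c0fed9d60c1f68eb04ed72c2f6'},
    {'ts': '2023-09-12T02:15:30', 'host': 'FS01', 'event': 'file_create', 'actor': 'daksj',
     'path': winpath('C:', 'Users', 'Public', 'Music', 'readme.txt'), 'sha1': '0' * 40},
    {'ts': '2023-09-12T02:16:02', 'host': 'FS01', 'event': 'file_rename', 'actor': 'daksj',
     'path': winpath('', 'Device', 'HarddiskVolume2', 'Users', 'it.admin', 'AppData',
                     'Local', 'Microsoft', 'Windows', 'INetCookies', 'cookie.PLAY'), 'sha1': ''},
    {'ts': '2023-09-12T09:00:00', 'host': 'WS22', 'event': 'user_create',
     'actor': 'helpdesk', 'user': 'j.doe'},
    {'ts': '2023-09-12T09:30:00', 'host': 'WS22', 'event': 'group_add',
     'actor': 'helpdesk', 'user': 'j.doe', 'group': 'Remote Desktop Users'},
]

if __name__ == '__main__':
    for a in hunt(SAMPLE_EVENTS):
        print(a['ts'], a['host'], a['rule'], a['detail'])
```

Running the file prints one line per alert. The readme.txt write into the staging folder and the helpdesk-created account on WS22 produce nothing, which is the point of keying on executables, known hashes and privileged-group membership rather than on the folder or the account creation alone; the same account name or hash appearing in real telemetry would still warrant a look even without the correlation.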
Even if a business pays the ransom, details like Bitcoin or Monero addresses and transaction IDs, communication or chat logs with the threat actors, the decryptor file, and a sample of an encrypted file can be very useful.\r\nIf a newbie or script kiddie is not meticulous in their work, the FBI could soon be knocking on their door.\r\nConclusion\r\nRansomware attacks continue to be among the most prevalent cyber threats, and they increased by 37% in 2023. Companies should expect more ransomware attacks in the future, not fewer. And if more novice attackers find that ransomware attacks can be carried out easily with the help and support provided by RaaS operators, they will continue to frequent dark-net forums to join the most inviting ransomware affiliate group.\r\nAt the same time, novice attackers are more likely to make mistakes because they are less experienced, potentially leaving behind significant IOCs that the authorities can use to track and apprehend them.\r\nThe Adlumin MDR Team will continue to monitor and stop ransomware attacks carried out by newbies and experts alike. Our security operations platform’s SOAR actions have been successful at foiling these attacks in their early stages, stopping cybercriminals in their tracks.\r\nFurthermore, we offer Total Ransomware Defense (TRD), a service specifically designed to detect ransomware activity and stop it. 
In the unfortunate case that files are encrypted, TRD is able to generate decryption keys to restore systems and networks.\r\nIndicators of Compromise (IOCs)\r\nUsernames\r\nadmon\r\ndaksj\r\nadmin\r\nObjects\r\nexe\r\nzip.json.PLAY\r\nexe\r\nexe\r\nPLAY\r\nexe\r\nini.PLAY\r\nautomaticDestinations-PLAY\r\nexe\r\njson.PLAY\r\ncdp.PLAY\r\nHeartBea\r\nupdatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.PLAY\r\nexe\r\ncookie.PLAY\r\njs.PLAY\r\nexe\r\nPaths\r\nC:\\Users\\Public\\Music\r\n\\Device\\HarddiskVolume3\\CollectGuestLogsTemp  Hash: null\r\nC:\\Users\\Public\\Music  Hash: b042bc03144919c0fed9d60c1f68eb04ed72c2f6\r\nC:\\windows  Hash: 51d3d661774cc50bb22e62beafc4bc6029df2392\r\n\\Device\\HarddiskVolume2\\Users\\it.admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data  Hash: null\r\nC:\\Windows  Hash: 51d3d661774cc50bb22e62beafc4bc6029df2392\r\n\\Device\\Mup\\10.20.0.15\\C$\\$Recycle.Bin\\S-1-5-21-3568089881-786281157-4253494709-1103  Hash: null\r\n\\Device\\HarddiskVolume2\\Users\\AAD_00864e0326c2\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations  Hash: null\r\nC:\\Users\\Public\\Music  Hash: b042bc03144919c0fed9d60c1f68eb04ed72c2f6\r\n\\Device\\Mup\\10.20.0.15\\C$\\Users\\administrator\\AppData\\Local\\ConnectedDevicesPlatform  Hash: null\r\n\\Device\\Mup\\10.20.0.15\\C$\\Packages\\Plugins\\Microsoft.EnterpriseCloud.Monitoring.MicrosoftMonitoringAgent\\1.0.18067.0\\Status  Hash: 
null\r\n\\Device\\HarddiskVolume2\\ProgramData\\USOPrivate\\UpdateStore  Hash: null\r\nC:\\Users\\Public\\Music  Hash: b042bc03144919c0fed9d60c1f68eb04ed72c2f6\r\n\\Device\\HarddiskVolume2\\Users\\it.admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies  Hash: null\r\n\\Device\\HarddiskVolume4\\Program Files\\Microsoft Monitoring Agent\\Agent\\APMDOTNETCollector\\Web\\Scripts\\V7.0\\js  Hash: null\r\nC:\\PerfLogs  Hash: b042bc03144919c0fed9d60c1f68eb04ed72c2f6\r\n© 2026 N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.\r\nSource: https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://adlumin.com/post/playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers/"
	],
	"report_names": [
		"playcrypt-ransomware-as-a-service-expands-threat-from-script-kiddies-and-sophisticated-attackers"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2bd728eb55aa5cddbc6d50b04e70df9ca81824b.pdf",
		"text": "https://archive.orkl.eu/a2bd728eb55aa5cddbc6d50b04e70df9ca81824b.txt",
		"img": "https://archive.orkl.eu/a2bd728eb55aa5cddbc6d50b04e70df9ca81824b.jpg"
	}
}