>samit_hota
Back to adversary profiles
G1040CriticalActive

Play Ransomware (G1040) Threat Profile: Evolving Tactics and Global Impact

Samit Hota·
Suspected Origin
Unknown
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Business, Government, Critical Infrastructure, Healthcare, Media, IT, Transportation, Construction, Telecommunications, Finance, Manufacturing, Education, Professional Services, Real Estate, Retail
Associated Malware
Playcrypt, Grixba, Cobalt Strike, SystemBC, Mimikatz, PsExec, AdFind, WinRAR, WinSCP, GMER, IOBit, PowerTool, Process Hacker, AnyDesk, NetScan, Advanced IP Scanner, Empire, Microsoft Nltest, Bloodhound, WinPEAS, AlphaVSS, Wevtutil, Sliver
#threat-actor#g1040

Overview

The Play ransomware group, tracked as G1040 and also known by its proprietary ransomware variant “Playcrypt” or the alias “Balloonfly,” has rapidly established itself as a significant and persistent threat in the global cyber landscape since its emergence in June 2022. This group operates under a double-extortion model, prioritizing not only the encryption of victim systems but also the exfiltration of sensitive data, which they leverage on their dark web leak site to pressure organizations into paying substantial ransoms. Initial analysis indicated Play operated as a closed group, maintaining tight control over its operations to ensure the secrecy of negotiations and avoid a Ransomware-as-a-Service (RaaS) model. However, recent intelligence suggests a potential shift or willingness to collaborate, with a North Korean state-sponsored threat group, Jumpy Pisces, potentially acting as an initial access broker (IAB) or affiliate.

Play’s primary motivation is unequivocally financial gain. They cast a wide net geographically, impacting organizations across North America, South America, Europe, and Australia. While they have notably targeted the United States, Germany, France, and Portugal, their operations span numerous high-value sectors. Play shows little discrimination in terms of organizational size, targeting both large enterprises and smaller businesses, particularly those within critical infrastructure, government, healthcare, telecommunications, IT, manufacturing, and finance. Interestingly, observations have noted a lack of attacks in post-Soviet countries, though the reason remains unconfirmed. The group also strategically targets organizations believed to hold cyber insurance, seeking to maximize their illicit profits.

The precise country of origin for the Play group remains unconfirmed. However, their sophisticated tactics and global reach imply a highly organized and well-resourced operation. Some security researchers have posited potential links to Russia, citing similarities in encryption techniques and shared tactics with other Russian-linked ransomware groups such as Hive and Nokoyawa.

Tactics & Techniques

Play ransomware actors are known for their adaptive and evolving tactics, techniques, and procedures (TTPs), often leveraging a blend of custom tools, commercial off-the-shelf (COTS) software, and “living off the land” binaries (LOLBins) to execute their attacks.

Initial access is frequently gained through the exploitation of public-facing applications and services, particularly vulnerabilities in Fortinet FortiOS (CVE-2018-13379, CVE-2020-12812, CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) and Microsoft Exchange Server (ProxyNotShell vulnerabilities, CVE-2022-41040, CVE-2022-41082). They also commonly abuse valid accounts, often purchased on dark web marketplaces, which grant them access via exposed Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) services. While less prevalent, credential harvesting through phishing campaigns has also been observed.

Upon gaining a foothold, Play actors conduct extensive reconnaissance to map the network environment. They use tools like AdFind, Microsoft Nltest, and Bloodhound for Active Directory queries and deploy their custom infostealer and network scanner, Grixba, to enumerate network configurations, identify security software, and gather system information. Privilege escalation is often achieved by searching for vulnerabilities using tools like WinPEAS.

Defense evasion is a critical component of Play’s operations. They systematically disable anti-malware and monitoring solutions using tools such as Process Hacker, GMER, IOBit, and PowerTool. They also employ PowerShell scripts to target and disable Microsoft Defender’s real-time protection. To cover their tracks, they clear Windows Event Logs using wevtutil or custom batch scripts. A distinguishing technique is their use of intermittent encryption, which encrypts only portions of files to evade traditional security software that might detect full-file encryption. The ransomware binary itself is often recompiled for each attack, resulting in unique hashes that complicate detection.

For lateral movement and execution, Play extensively utilizes legitimate tools such as Cobalt Strike and SystemBC for command-and-control (C2) and post-exploitation activities. They leverage PsExec and Windows Management Instrumentation (WMI) for remote execution and spreading across the network. They may also use other remote access and network scanning utilities like AnyDesk, NetScan, and Advanced IP Scanner. Data exfiltration is typically performed by compressing sensitive files with WinRAR and transferring them using WinSCP or a proprietary VSS copying tool.

Notable Campaigns

Since its emergence in June 2022, Play has been linked to hundreds of attacks globally. The group gained significant notoriety through a series of high-impact incidents. In 2022, they conducted a major attack on the Argentine judiciary of Córdoba.

A wave of attacks swept across Switzerland in 2023, where Play breached IT service providers for the federal administration, leading to the theft of highly sensitive data, including addresses of over 400,000 Swiss citizens, confidential federal records, financial, and tax information. These incidents affected various governmental entities, including cantonal police, the Swiss army, customs, and federal offices.

In the United States, Play has targeted several prominent local government entities. In 2023, the City of Oakland experienced a devastating attack that led to the publication of 600GB of government data, including police department records, driver’s license numbers, Social Security numbers, and information on elected officials. Dallas County was also hit, resulting in the theft of records belonging to over 200,000 individuals, encompassing SSNs, state identification numbers, taxpayer information, and medical details. Other notable victims include the City of Lowell, Massachusetts, Rackspace, Krispy Kreme, the Belgian city of Antwerp, Microchip Technology, and Globalcaja, a prominent Spanish bank targeted in May 2025 where sensitive client and employee documents were stolen.

The group has demonstrated a continuous effort to exploit newly disclosed vulnerabilities. In early 2025, Play actors were observed exploiting vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool (CVE-2024-57727) to gain remote code execution in numerous U.S.-based organizations. Furthermore, in April 2025, Play was identified exploiting a high-severity Windows Common Log File System flaw (CVE-2025-29824) as a zero-day in targeted attacks to elevate privileges to SYSTEM.

Associated Malware & Tools

The Play group primarily deploys its custom ransomware, “Playcrypt,” which appends a “.play” extension to encrypted files. This ransomware uses an AES-RSA hybrid encryption scheme and intermittent encryption to hinder detection. They have also developed a Linux variant specifically designed to target ESXi environments, capable of shutting down virtual machines and encrypting VM disks, configuration, and metadata.

Beyond their proprietary ransomware, Play leverages a broad arsenal of tools:

  • Custom Tools: Grixba (an infostealer and network scanner) and a custom VSS copying tool designed to extract files, even from shadow copies.
  • Commercial/Open-Source Tools:
    • Post-exploitation & C2: Cobalt Strike, SystemBC (Coroxy), Empire, and, more recently, Sliver beacons.
    • Credential Access: Mimikatz (for dumping credentials).
    • Discovery & Reconnaissance: AdFind, Microsoft Nltest, Bloodhound (for Active Directory queries), WinPEAS (for privilege escalation paths), and AlphaVSS (an open-source VSS management tool).
    • Lateral Movement & Execution: PsExec, WMI, AnyDesk, NetScan, Advanced IP Scanner.
    • Defense Evasion: GMER, IOBit, PowerTool, Process Hacker (for disabling security software), Wevtutil (for clearing logs), and PowerShell scripts.
    • Data Staging & Exfiltration: WinRAR (for compression) and WinSCP (for data transfer).

Current Status

The Play ransomware group remains highly active and continues to pose a critical threat. The FBI, CISA, and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have consistently issued joint advisories, with the latest updates confirming their ongoing operations.

As of May 2025, the FBI reported that Play has impacted approximately 900 organizations worldwide, a substantial increase from the approximately 300 entities reported in October 2023. The group was identified as one of the most active ransomware operations throughout 2024 and in the first half of 2025.

Play continues to refine its TTPs and augment its toolbox, frequently incorporating new exploits and tools, such as the recent use of Sliver beacons. Their aggressive negotiation tactics have also evolved to include direct phone calls to victims’ internal staff, such as help desk or customer service personnel, to escalate pressure for ransom payments. Organizations must remain vigilant and implement robust defensive measures, as Play’s activity shows no signs of abatement.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call