Threat Actor Profile — PLAY
Aliases: Play, Cryptxxx (distinct lineage) Model: Ransomware-as-a-Service (RaaS) with a highly organized affiliate network. Ransom Demands: Historically ranges from $400,000 to several million USD, largely dependent on victim revenue and stolen data volume. Initial Access Vectors: PLAY affiliates aggressively exploit exposed network perimeter vulnerabilities. While phishing remains a baseline vector, the current 2026 trend shows a heavy reliance on exploiting VPNs (Check Point, Fortinet) and remote management tools (ConnectWise ScreenConnect, Cisco Secure Firewall). They leverage valid credentials obtained via info-stealers or purchased on initial access broker markets. Double Extortion: Strict adherence to the double-extortion model; data is exfiltrated prior to encryption, with pressure applied via their dedicated dark web leak site. Dwell Time: PLAY is known for rapid deployment. Average dwell time has decreased significantly in 2026, often moving from initial access to full encryption in under 48 hours if lateral movement is unimpeded.
Current Campaign Analysis
Campaign Date: 2026-07-16 Activity Spike: PLAY published 5 new victims in a single day, indicating a high-volume affiliate operation or a coordinated "data dump" event.
Sector Targeting
PLAY continues to demonstrate a lack of sector bias, focusing strictly on opportunity and revenue:
- Telecommunications: Boston Electric and Telephone (US) — Critical Infrastructure impact suggests a potential disruption to regional communications.
- Healthcare: Andorra Life (AD) — High-value target due to sensitive PII and PHI, often leading to quicker ransom payments.
- Manufacturing: AG Scholtes (NL) — Industrial targets often yield high ransoms due to production downtime costs.
- Business Services: Svensk Direktreklam (SE) — Access to vast client databases for secondary extortion.
Geographic Concentration
The campaign is geographically dispersed across Western allies:
- Americas: United States
- Europe: United Kingdom, Netherlands, Sweden, Andorra
Initial Access Vector Correlation
Based on the CISA KEV list associated with recent PLAY activity, the primary ingress vectors for this campaign are almost certainly:
- CVE-2026-50751 (Check Point Security Gateway): Exploitation of IKEv1 key exchange allows unauthenticated authentication. Critical for the US Telecom victim.
- CVE-2024-1708 (ConnectWise ScreenConnect): Path traversal leading to RCE. A staple for PLAY in 2026 for rapid access to Business Services and Healthcare MSPs.
- CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization vulnerability allowing remote code execution on management appliances.
Detection Engineering
Sigma Rules
---
title: Potential PLAY Ransomware Activity - Suspicious PowerShell Encoded Command
id: 0c6d7e11-9b1a-4d2a-b8a3-8f5e1b5c3d9e
status: experimental
description: Detects PowerShell usage with encoded commands, a technique heavily utilized by PLAY affiliates for obfuscation and payload delivery.
references:
- https://securityarsenal.com/darkside
author: Security Arsenal Research
date: 2026/07/16
modified: 2026/07/16
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\powershell.exe'
CommandLine|contains: '-EncodedCommand'
filter_legit:
ParentImage|contains:
- '\\System32\\'
- '\\Windows\\'
condition: selection and not filter_legit
falsepositives:
- Administrative scripts
level: high
tags:
- attack.execution
- attack.t1059.001
---
title: PLAY Initial Access - ConnectWise ScreenConnect Exploitation CVE-2024-1708
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects web shell-like activity or suspicious URI paths associated with CVE-2024-1708 exploitation in ScreenConnect logs.
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/16
logsource:
product: web
service: iis or apache
detection:
selection_uri:
cs-uri-query|contains:
- 'SetupWizard'
- 'Services'
- 'Host'
selection_suspicious:
cs-uri-query|contains:
- '..'
- '%2e%2e'
condition: selection_uri and selection_suspicious
falsepositives:
- Legitimate administrative access
level: critical
tags:
- attack.initial_access
- attack.t1190
---
title: PLAY Ransomware Data Staging via Rclone
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the use of rclone, a tool frequently used by PLAY ransomware for data exfiltration to cloud storage providers prior to encryption.
references:
- https://securityarsenal.com/darkside
author: Security Arsenal Research
date: 2026/07/16
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\rclone.exe'
condition: selection
falsepositives:
- Legitimate backup operations using rclone
level: high
tags:
- attack.exfiltration
- attack.t1567
KQL (Microsoft Sentinel)
Hunt query to identify potential lateral movement and data staging associated with PLAY's aggressive speed. This looks for the rapid creation of scheduled tasks (a common PLAY persistence mechanism) followed by high-volume file operations.
let TimeFrame = 1h;
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "rclone.exe", "vssadmin.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousProcesses)
| where ProcessCommandLine has_any("-EncodedCommand", "copy", "move", "delete shadows", "create shadow")
| summarize count(), make_set(ProcessCommandLine) by DeviceId, AccountName, FileName
| where count_ > 5
PowerShell Rapid Response
This script checks for the creation of new scheduled tasks in the last 24 hours—a key persistence indicator for PLAY—and verifies the integrity of Volume Shadow Copies (often deleted by PLAY to prevent recovery).
# PLAY Ransomware Response Check
# Checks for recent Scheduled Tasks and Shadow Copy status
Write-Host "[!] Checking for Scheduled Tasks created in the last 24 hours..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-1)
$Tasks = Get-ScheduledTask | Where-Object { $_.Date -gt $DateCutoff }
if ($Tasks) {
Write-Host "[THREAT DETECTED] Found $($Tasks.Count) tasks created recently:" -ForegroundColor Red
$Tasks | Select-Object TaskName, Author, Date | Format-Table -AutoSize
} else {
Write-Host "[OK] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
Write-Host "\n[!] Checking Volume Shadow Copy Storage..." -ForegroundColor Yellow
try {
$ShadowCopies = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate -Descending
if ($ShadowCopies) {
Write-Host "[INFO] Current Shadow Copies available:" -ForegroundColor Cyan
$ShadowCopies | Select-Object ID, @{Name="Size(GB)";Expression={[math]::Round($_.UsedSpace/1GB, 2)}}, InstallDate | Format-Table -AutoSize
} else {
Write-Host "[ALERT] NO Volume Shadow Copies found. Potential sign of PLAY activity." -ForegroundColor Red
}
} catch {
Write-Host "[ERROR] Could not query Shadow Copies." -ForegroundColor Red
}
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption):
- Audit Edge Devices: Immediately check logs for signs of exploitation against CVE-2026-50751 (Check Point) and CVE-2026-20131 (Cisco FMC).
- RMM Session Review: Analyze ConnectWise ScreenConnect logs for unauthorized sessions or file transfers originating from unusual IPs.
- PowerShell Audit: Hunt for
powershell.exeprocesses spawning fromsvchost.exeorservices.exewith encoded arguments.
Critical Assets at Risk: Based on the current victim profile, PLAY prioritizes:
- Telecom Switching/Routing Configs: High leverage for disruption.
- Patient Databases (PHI): For the Healthcare sector; high extortion value.
- Financial Systems: Accounts payable/receivable data.
Containment Actions (Ordered by Urgency):
- Isolate VPN Concentrators: If Check Point devices are suspected, disconnect them from the management plane but keep local console access for forensic triage.
- Disable RMM Tools: Temporarily halt ConnectWise ScreenConnect services across the environment until patches are verified.
- Revoke Admin Privileges: Force-reset credentials for accounts that have logged into the Cisco FMC or Check Point management consoles in the last 30 days.
Hardening Recommendations
Immediate (24 Hours):
- Patch CVE-2024-1708: Apply the ScreenConnect patch immediately or implement the recommended mitigations if patching is delayed.
- Disable IKEv1: On Check Point Security Gateways, disable IKEv1 to mitigate CVE-2026-50751 if the patch cannot be deployed instantly.
- MFA Enforcement: Ensure that all access to remote management tools (Cisco FMC, ScreenConnect) requires phishing-resistant MFA (FIDO2).
Short-Term (2 Weeks):
- Network Segmentation: Isolate management interfaces (OOB) from the general corporate network to prevent lateral movement from a compromised workstation to the firewall/VPN infrastructure.
- Egress Filtering: Block outbound traffic to known cloud storage endpoints (non-corporate) from servers and workstations to hinder
rcloneexfiltration.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.