The Play ransomware strain has transformed into a lucrative business model, being marketed to other threat actors “as a service,” according to new data that was discovered by Adlumin.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

“The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it,” the cybersecurity company stated in a report that was shared with The Hacker News.

The insights stem from numerous Play ransomware incidents carefully monitored by Adlumin across various industries. These attacks followed nearly identical strategies in the same sequence, unfolding with a striking similarity.

This involves concealing the malicious file within the public music folder (C:…publicmusic), employing an identical password for the creation of high-privilege accounts, executing both attacks and adhering to the same set of instructions.

Play Ransomware

Play, also known as Balloonfly and PlayCrypt, surfaced in June 2022, marking its initial discovery. It capitalized on security vulnerabilities in Microsoft Exchange Server, exploiting ProxyNotShell and OWASSRF to infiltrate networks. Subsequently, the attackers deployed remote administration tools like AnyDesk before executing the final step of introducing ransomware. It’s worth noting that Play is synonymous with PlayCrypt.

In addition to employing specialized data-gathering tools like Grixba for double extortion, a distinctive aspect that separated Play from other ransomware groups was the direct involvement of the operators in both designing the software and executing the assaults.

This recent development marks a pivotal shift, completing its evolution into a Ransomware-as-a-Service (RaaS) operation. This transformation renders it an appealing option for cybercriminals, given the potential financial rewards it offers.

“When RaaS operators advertise ransomware kits that come with everything a hacker will need, including documentation, forums, technical support, and ransom negotiation support, script kiddies will be tempted to try their luck and put their skills to use,” according to Adlumin.

“And since there are probably more script kiddies than “real hackers” today, businesses and authorities should take note and prepare for a growing wave of incidents.”

The evolution of Play ransomware into a profitable Ransomware-as-a-Service (RaaS) model signifies a significant development in the cyber threat landscape. As highlighted by Adlumin, the standardized nature of attacks, coupled with the direct involvement of operators in both software design and execution, distinguishes Play from its counterparts. The attractiveness of RaaS to a broader range of cybercriminals, from experienced hackers to script kiddies, poses a growing threat. With ransomware kits now readily available, complete with documentation, forums, technical support, and ransom negotiation assistance, businesses and authorities must remain vigilant and fortify their defences to navigate the rising tide of cyber incidents.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center