Play

The June 2025 update to AA23-352A formally documented Play's ESXi variant, which powers off virtual machines and encrypts VM-related files (.vmdk, .vmem, .vmsn, .vmx, .nvram, etc.) with AES-256, and confirmed that the Windows binary is recompiled for every attack to defeat hash-based detection. Each victim now receives a unique @gmx.de or @web.de contact address.

FBI, CISA, and the Australian Cyber Security Centre published joint advisory AA23-352A on the Play (Playcrypt) ransomware group, documenting initial-access via FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082) bugs and the group's intermittent-encryption / double-extortion tradecraft. The advisory was updated on 4 June 2025 to note approximately 900 victims as of May 2025 and Play's exploitation of SimpleHelp CVE-2024-57727.

The City of Oakland, California disclosed a ransomware attack on 10 February 2023 that took most non-emergency municipal systems offline and prompted a local state of emergency. The Play group listed Oakland on its extortion site on 1 March 2023 and subsequently leaked data including employee personal information; the city later settled litigation covering more than 13,000 affected current and former employees.

Networking-hardware vendor A10 Networks disclosed that a Play ransomware affiliate accessed its shared drives and exfiltrated human-resources, finance, and legal data during a brief intrusion on 23 January 2023. A10 said operational systems and customers were not affected; Play listed the company on its leak site shortly afterwards.

UK car retailer Arnold Clark was hit on 23 December 2022 by a double-extortion attack later claimed by the Play group, which asserted it had exfiltrated 467 GB of data. The stolen records included names, contact details, ID documents, and in some cases National Insurance numbers and bank account data; staff reverted to pen and paper while systems were rebuilt.

Rackspace's Hosted Exchange service went down on 2 December 2022, knocking email offline for approximately 30,000 SMB customers. A CrowdStrike-led investigation confirmed in early January 2023 that the Play ransomware group was responsible, using a previously unknown Exchange exploit chain dubbed 'OWASSRF' (CVE-2022-41080 + CVE-2022-41082). Rackspace later wound down the Hosted Exchange product.