← All Threat Actors
Threat Actor Profile

Play

Balloonfly G1040 Playcrypt Recess Spider
▲ High Threat
[Play](https://attack.mitre.org/groups/G1040) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://attack.mitre.org/software/S1162) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Play](https://attack.mitre.org/groups/G1040) actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
Origin

Known TTPs

Data Transfer Size Limits
System Network Configuration Discovery
Exfiltration Over Alternative Protocol
File Deletion
Windows Command Shell
PowerShell
Archive via Utility
Remote System Discovery
Process Discovery
Command Obfuscation
Malware
Local Accounts
SMB/Windows Admin Shares
Clear Windows Event Logs
Valid Accounts
Ingress Tool Transfer
Domain Accounts
System Information Discovery
File and Directory Discovery
Security Software Discovery
External Remote Services
Tool
Exploit Public-Facing Application
LSASS Memory
Financial Theft
Disable or Modify Tools

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD