Play (hacker group)

Play (also Play Ransomware or PlayCrypt) is a hacker group responsible for ransomware extortion attacks on companies and governmental institutions. The group emerged in 2022 and attacked targets in the United States,^[1] Brazil,^[2] Argentina,^[2] Germany,^[3] Belgium^[3] and Switzerland.^[4]

Security experts suspect that the group has links to Russia, since the encryption techniques used are similar to those used by other russian-linked ransomware groups such as Hive and Nokoyawa.^[5]

The name "play" comes from the ".play" file extension that the group uses to encrypt their victims' data, leaving a message containing the word "PLAY" and an email address.^[2]

History

In 2022, Play carried out a major attack on the Argentine judiciary of Córdoba.^[6]

In 2023, Play carried out a wave of attacks on Switzerland. At the end of March, the newspaper Neue Zürcher Zeitung was attacked, leading to the penetration of the systems of its service provider, CH-Media.^[7] This enabled Play to extract the addresses of over 400,000 Swiss citizens living abroad who had subscribed to the official newspaper for Swiss expatriates, Schweizer Revue [de].^[8] In the same month, a Valais community fell victim.^[9] In May/June there was a massive hacker attack on an IT service provider of the Federal administration of Switzerland and confidential data, including financial data and tax information, was stolen for extortion. Various state-owned companies were affected.^[10]

References

1. Kovacs, Eduard (2023-01-05). "Play Ransomware Group Used New Exploitation Method in Rackspace Attack". securityweek. SecurityWeek. Retrieved 2023-06-17.
2. "Ransomware group behind Oakland attack strengthens capabilities with new tools, researchers say". cyberscoop.com. Cyberscoop. 2023-04-19. Retrieved 2023-06-17.
3. Gatlan, Sergiu (2023-01-04). "Rackspace confirms Play ransomware was behind recent cyberattack". bleepingcomputer.com. Bleeping Computer. Retrieved 2023-06-17.
4. "Hacker group publishes stolen Swiss media data". swissinfo.ch. Swissinfo. 2023-05-11. Retrieved 2023-06-17.
5. Poireault, Kevin (2023-06-11). "Swiss Government Targeted by Series of Cyber-Attacks". infosecurity-magazine.com. Infosecurity Magazine. Retrieved 2023-06-17.
6. Kovacs, Eduard (2022-09-01). "Ransomware Attacks Target Government Agencies in Latin America". securityweek.com. Securityweek. Retrieved 2023-06-17.
7. Altwegg, Jürg (2023-04-18). "Böses Spiel mit der NZZ". faz.net. Frankfurter Allgemeine Zeitung. Retrieved 2023-06-17.
8. Rigendinger, Balz (2023-06-27). "Leck von Bundesdaten: Bis zu 425'000 Auslandschweizer:innen betroffen". SWI Swissinfo.ch (in German). Retrieved 2023-06-28.
9. "Update: Ransomware-Bande Play gewährt Walliser Gemeinde mehr Zeit". netzwoche.ch. Netzwoche. 2023-05-11. Retrieved 2023-06-17.
10. "Das Ausmass des Hacks gegen einen Dienstleister der Bundesverwaltung ist gewaltiger als angenommen". nzz.ch. Neue Zürcher Zeitung. 2023-06-15. Retrieved 2023-06-17.