Play Ransomware is a new type of malware seen starting in June 2022. The name “play” comes from the extension added to files once they have become encrypted by this ransomware family (i e., .play). This group usually initializes its activities with attack vectorization through vulnerabilities discovered in either FortiOS or other devices. Once inside a targeted environment, the group attempts to mask their activity and remain stealthy. For example, they rely heavily on the use of LOLBins. The group also uses commodity tools such as Anydesk, Netscan, and Advanced IP Scanner. The payloads are often spread through AD environments via GPO.
