Date: 06/05/2025
Severity: Critical
Summary
Since June 2022, the Play ransomware group (also known as Playcrypt) has targeted numerous businesses and critical-infrastructure organizations across North America, South America, and Europe. By 2024 Play had become one of the most active ransomware operations, with around 900 victims reported as of May 2025. Operating as a closed group to “guarantee the secrecy of deals,” Play actors use a double-extortion tactic: they exfiltrate data before encrypting systems. Victims receive ransom notes that contain no specific demand; instead they are directed to contact the attackers via email.
Indicators of Compromise (IOC) List
Hash:
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Hash 1:
sha256hash IN ("47c7cee3d76106279c4c28ad1de3c833c1ba0a2ec56b0150586c7e8480ccae57","C59F3C8D61D940B56436C14BC148C1FE98862921B8F7BAD97FBC96B31D71193C","7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA","7A42F96599DF8090CF89D6E3CE4316D24C6C00E499C8557A2E09D61C00C11986","453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb","90040340EE101CAC7831D7035230AC8AD4224D432E5636F34F13AA1C4A0C2041","1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7","75404543de25513b376f097ceb383e8efb9c9b95da8945fd4aa37c7b2f226212","0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549","c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c","75404543DE25513B376F097CEB383E8EFB9C9B95DA8945FD4AA37C7B2F226212","47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E","7a42f96599df8090cf89d6e3ce4316d24c6c00e499c8557a2e09d61c00c11986","7a6df63d883bbccb315986c2cfb76570335abf84fafbefce047d126b32234af8","e652051fe47d784f6f85dc00adca1c15a8c7a40f1e5772e6a95281d8bf3d5c74","e8d5ad0bf292c42a9185bb1251c7e763d16614c180071b01da742972999b95da","75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A","6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6","967DAFF362E63FF45526F585B7944488ACE1BB5BB5B30FA40D56557F1C538D09","859165041D75FBA3759C5533E324225F355C8A07B4645B984192AD6BEF06DB1A","511F63455CA4F83B0347B65DDA17585AD02591A9F23D8E234E5CE1321AA3381A","372F7B45A141BB0709D578BC716CBCA03104258822C4290CCBEB600223850158")
Hash 2:
sha1hash IN ("3D86555ACAA19AEDDB5896071D1E3711B062EDBE")
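The queries above compare digests as literal strings, which is why the SHA-256 list carries both the upper- and lower-case spelling of the same digest. The Python below is an added example (not Gurucul's or the advisory's code) of the equivalent check with case normalization and algorithm bucketing by digest length; the sha1hash/sha256hash field names follow the queries, two IOC digests are copied from the advisory, and the telemetry records and host/path values are constructed.

```python
import hashlib
import re

# IOC digests copied from the advisory: one SHA-256 in both cases, plus the SHA-1.
# Everything else in this block is constructed for the example.
ADVISORY_IOCS = [
    "453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb",
    "453257C3494ADDAFB39CB6815862403E827947A1E7737EB8168CD10522465DEB",
    "3D86555ACAA19AEDDB5896071D1E3711B062EDBE",
]
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DIGEST_LEN = {40: "sha1", 64: "sha256"}   # algorithm inferred from hex length

def normalize_iocs(hashes):
    """Lower-case, de-duplicate and bucket digests by algorithm; reject malformed entries."""
    buckets = {"sha1": set(), "sha256": set()}
    for h in hashes:
        h = h.strip()
        algo = DIGEST_LEN.get(len(h))
        if algo is None or not HEX_RE.match(h):
            raise ValueError(f"not a SHA-1/SHA-256 hex digest: {h!r}")
        buckets[algo].add(h.lower())
    return buckets

def match_events(events, iocs):
    """Return (host, path, algo) for each event whose sha1hash/sha256hash field
    matches an IOC, comparing case-insensitively so telemetry case is irrelevant."""
    hits = []
    for ev in events:
        for algo, digests in iocs.items():
            value = ev.get(f"{algo}hash")
            if value and value.strip().lower() in digests:
                hits.append((ev["host"], ev["path"], algo))
    return hits

# Constructed process-start telemetry: digests in the "other" case, plus one benign file.
SAMPLE_EVENTS = [
    {"host": "ws01", "path": r"C:\Users\alice\Downloads\setup.exe",
     "sha256hash": "453257C3494ADDAFB39CB6815862403E827947A1E7737EB8168CD10522465DEB"},
    {"host": "srv02", "path": r"C:\ProgramData\svc.dll",
     "sha1hash": "3d86555acaa19aeddb5896071d1e3711b062edbe"},
    {"host": "ws03", "path": r"C:\Windows\notepad.exe",
     "sha256hash": hashlib.sha256(b"constructed benign sample").hexdigest()},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, normalize_iocs(ADVISORY_IOCS)):
        print("IOC hit:", hit)
```

Normalizing once at ingest means a single lower-case entry per digest suffices, so the query list does not need to repeat hashes in both cases.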
Reference:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a