Play (PlayCrypt) Ransomware: Indicators of Compromise, Victims & Defense

fingerprintDossier

Active since: June 2022
Origin / attribution: Russia-linked closed affiliate group
Known aliases: PlayCrypt, Balloonfly
Common initial access: FortiOS flaws (CVE-2018-13379, CVE-2020-12812), exposed RDP, valid credentials
TTPs & tradecraft: Intermittent encryption for speed, SystemBC for C2, AdFind/Empire for recon.
Notes: CISA AA23-352A; actively hits Latin America plus North American SMB.

publicTop countries hit

United States813

Canada89

United Kingdom38

Germany33

Sweden14

Netherlands14

Switzerland10

Australia8

factoryTop sectors targeted

Manufacturing192

Not Found183

Business Services151

Technology89

Construction57

Transportation/Logistics42

Agriculture and Food Production36

Energy28

historyRecent named victims

Crystal Point

Not Found · 06 Apr 2026

Morphosis

US · Technology · 06 Apr 2026

Barnes Solicitors LLP

GB · Business Services · 04 Apr 2026

Sokolin

US · Consumer Services · 04 Apr 2026

Brokk

SE · Manufacturing · 30 Mar 2026

Colorado Construction

Construction · 30 Mar 2026

Lucky Look

DE · Not Found · 30 Mar 2026

Weber Kracht & Chellew

US · Not Found · 30 Mar 2026

Specflue

GB · Manufacturing · 30 Mar 2026

Kivells

GB · Not Found · 30 Mar 2026

Dock Pros

Transportation/Logistics · 30 Mar 2026

Ampex Data Systems

US · Technology · 30 Mar 2026

Valley Plating Inc

US · Manufacturing · 30 Mar 2026

Witt UK Group

GB · Manufacturing · 30 Mar 2026

TPIS Industrial Services

US · Manufacturing · 26 Mar 2026

Sourced from open leak-site monitoring · Generated 20 Apr 2026

shield_lockPlay (PlayCrypt) defense checklist

check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.

check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.

check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.

check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.

check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.

check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.

check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.

check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).

check_circleRun an annual tabletop modelled on Play (PlayCrypt)'s latest playbook.

check_circleHave an IR retainer identified before you need it.

Worried Play (PlayCrypt) will land on you?

We run focused VAPT, ransomware-readiness reviews, and purple-team exercises tuned to the playbook this crew actually uses.

Book a scope call