Double-Extortion Play Ransomware

Double-Extortion ransomware is a type of cyberattack in which the threat actors exfiltrate a victim’s sensitive data in addition to encrypting it, giving the attacker additional leverage to collect ransom payments.  A typical ransomware attack will only encrypt the target’s data.  The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the US.  "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia," authorities said.  Also known as Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware.


Ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 2023, per.  The cybersecurity firm Adlumin, in a report published in November 2023, revealed that Play is being offered to other threat actors "as a service," completing its transformation into a Ransomware-as-a-Service (RaaS) operation.

Ransomware attacks by the group are characterized by the use of public and custom tools: AdFind to run Active Directory queries; GMER, IOBit, and PowerTool to disable antivirus software; and Grixba to enumerate network information and to collect information about backup software and remote administration tools installed on a machine.  The threat actors have also been observed carrying out lateral movement, data exfiltration, and encryption steps, relying on Cobalt Strike, SystemBC, and Mimikatz for post-exploitation.

"The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data," the agencies said.  "Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email."  According to statistics, Play is said to have claimed nearly 40 victims in November 2023 alone, while still trailing significantly behind its peers LockBit and BlackCat (aka ALPHV and Noberus).

The alert comes days after US government agencies released an updated bulletin about the Karakurt group, which is known to eschew encryption-based attacks in favor of pure extortion after obtaining initial access to networks via purchasing stolen login credentials, intrusion brokers (aka initial access brokers), phishing, and known security flaws.  "Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom," the government said.

The developments also come amid speculations that the BlackCat ransomware may have been a target of a law enforcement operation after its dark web leak portals went offline for five days.  The e-crime group blamed the outage on a hardware failure.


Another ransomware group known as NoEscape is alleged to have pulled an exit scam, effectively "stealing the ransom payments and closing down the group's web panels and data leak sites," prompting other gangs like LockBit to recruit their former affiliates.

That the ransomware landscape is constantly evolving and shifting, whether or not due to external pressure from law enforcement, is hardly surprising.  This is further evidenced by the collaboration between the BianLian, White Rabbit, and Mario ransomware gangs in a joint extortion campaign targeting publicly traded financial services firms.  These cooperative ransom campaigns are rare, but they are possibly becoming more common due to the involvement of initial access brokers (IABs) collaborating with multiple groups on the dark web.  Another factor that may be leading to greater collaboration is law enforcement interventions that create cybercriminal diaspora networks.  Displaced participants of these threat actor networks may be more willing to collaborate with rivals.

This article is presented at no charge for educational and informational purposes only.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or   
