• Home
  • News
  • PLAY Ransomware Breaks Record With 16 Victims At Once

PLAY Ransomware Breaks Record With 16 Victims At Once

Miklos Zoltan

By Miklos Zoltan . 2 March 2024

Founder - Privacy Affairs

Alex Popa

Fact-Checked this

PLAY ransomware family announced a massive ransomware attack totaling 16 victims. The group posted an extensive sheet with details regarding the operation on their public platform. The massive ransomware operation took place on the 1st of this month.

  • The victims have 6 days at their disposal to complete the negotiations and pay the ransom
  • The attackers haven’t published any information regarding how much data they’ve stolen or the value of the ransom
  • It’s also unclear whether any of the victims have already contacted them for negotiations
  • PLAY currently ranks as a high-tier ransomware gang with hundreds of victims to their name

The FBI’s 2023 investigation that took place in October revealed that PLAY had 300 victims to their name up to that point. This is especially concerning, given that the victims were generally high-profile with considerable revenue values.

Despite its impressive activity since its inception, this is currently the most extensive cybercriminal operation ever conducted by the extortion ring. It’s not the first time that PLAY has attacked so many victims at once. But it is the first time they’ve infiltrated as many.

X showing the PLAY ransomware attack on the 16 victims
https://twitter.com/FalconFeedsio/status/1763874970239897856

At this moment, it appears as if neither of the victims has paid the ransom. All counters still work as normal, so either negotiations are underway or the attackers still waiting for contact.

However, one thing is certain, this recent ransomware event is proof that PLAY is upping the stakes and upgrading its systems. They also appear to exhibit considerably more manpower than we were used to.

Is PLAY a Global Actor?

PLAY first turned public in June of 2022, and it’s had a slow start. But to say it caught up fairly fast would be an understatement. The FBI approximated several hundreds of victims within the first year, and the trend appears to be climbing.

But what makes PLAY so dangerous and effective? There are several factors at play:

  • Their tactics – Unlike most ransomware actors, PLAY likes to assess its targets carefully before striking. This allows the hackers to identify potential system vulnerabilities and analyze the victim’s projected revenue beforehand.
  • The double-extortion MO – This is a rather typical approach, as it’s one that delivers the highest returns. The only problem would be that stealing the data and encrypting the victim’s files carries additional costs for the attacker. A problem that PLAY doesn’t have.
  • The code profile – Experts have identified code and tactic similarities between PLAY and the defunct Hive. It’s unclear whether this is a sign of affiliation, descendance, or simply stealing secrets from the best.

PLAY also appears to exhibit ruthless negotiation tactics and demands, sometimes absurd ransoms. They also often sell or share the stolen data with other ransomware actors, which then extort the victim themselves weeks or months down the line.

This is one of the main reasons why ransomware experts advise against negotiating with the attackers. It’s best to contact professionals to deal with the decryption process and take the financial or reputational hit that comes with refusing the negotiations.

Paying the cybercriminals only incentivizes them to stay in business.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Leave a Comment