← Back to Actors
Play
Play
[Play](https://attack.mitre.org/groups/G1040) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://attack.mitre.org/software/S1162) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Play](https://attack.mitre.org/groups/G1040) actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Rans...
28
Techniques
28
Covered
0
Gaps
100%
Coverage
Coverage28/28
COVERED (28)
T1003.001LSASS Memory111 det.T1016System Network Configuration Discovery40 det.T1018Remote System Discovery51 det.T1021.002SMB/Windows Admin Shares74 det.T1027.010Command Obfuscation38 det.T1030Data Transfer Size Limits7 det.T1048Exfiltration Over Alternative Protocol35 det.T1057Process Discovery21 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1070.001Clear Windows Event Logs16 det.T1070.004File Deletion43 det.T1078Valid Accounts297 det.T1078.002Domain Accounts28 det.T1078.003Local Accounts23 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1105Ingress Tool Transfer184 det.T1133External Remote Services74 det.T1190Exploit Public-Facing Application227 det.T1518.001Security Software Discovery10 det.T1560.001Archive via Utility26 det.T1562.001Disable or Modify Tools316 det.T1587.001Malware10 det.T1588.002Tool13 det.T1657Financial Theft15 det.T1685Disable or Modify Tools279 det.T1685.005Clear Windows Event Logs12 det.