Play (hacker group)

Play (also Play Ransomware or PlayCrypt) is a hacker group responsible for ransomware extortion attacks on companies and governmental institutions. The group emerged in 2022 and attacked targets in the United States, Brazil, Argentina, Germany, Belgium and Switzerland.

Security experts suspect that the group has links to Russia, since the encryption techniques it uses are similar to those of other Russian-linked ransomware groups such as Hive and Nokoyawa.

The name "Play" comes from the ".play" file extension that the group gives to its victims' encrypted data. The group also leaves a message containing the word "PLAY" and an email address.

History
In 2022, Play carried out a major attack on the Argentine judiciary of Córdoba.

In 2023, Play carried out a wave of attacks on Switzerland. At the end of March, the newspaper Neue Zürcher Zeitung was attacked, leading to the penetration of the systems of its service provider, CH-Media. This enabled Play to extract the addresses of over 400,000 Swiss citizens living abroad who had subscribed to the official newspaper for Swiss expatriates. In the same month, a Valais community fell victim. In May/June, there was a massive hacker attack on an IT service provider of the Federal administration of Switzerland, and confidential data, including financial data and tax information, was stolen for extortion. Various state-owned companies were affected.