IOC ANALYSIS REPORT

Play Ransomware IOC Analysis & Threat Hunting Report

Comprehensive Threat Intelligence Analysis, IOC Validation, MITRE ATT&CK Mapping, Detection Engineering and Threat Hunting Assessment

Analyst
Rajkumar G
Source
CISA / FBI / ACSC
Date
June 2025
Threat Type
Ransomware
Severity
Critical
Confidence
High

Executive Summary

Play Ransomware is a financially motivated ransomware operation active since 2022. The threat group employs double-extortion tactics, exploiting vulnerabilities, abusing valid accounts, stealing sensitive information, and encrypting victim environments. This report analyzes publicly released Indicators of Compromise (IOCs), tactics, techniques, procedures (TTPs), and detection opportunities published by CISA, FBI, and ACSC.

Threat Overview

Threat Actor

Play

Alias

PlayCrypt

Victims

900+

Type

Ransomware

Impact

Critical

Model

Double Extortion

Campaign Timeline

June 2022

Play Ransomware operations first observed.

2023

Expansion into healthcare, government and enterprise environments.

2024

Play becomes one of the most active ransomware groups globally.

January 2025

New IOC collection identified by FBI investigations.

June 2025

CISA releases updated advisory with refreshed indicators and detection guidance.

Attack Chain Analysis

Initial Access

Discovery

Credential Access

Lateral Movement

Impact

Verified IOC Summary

High Confidence Indicators

IOC Hash Table

File SHA256 Purpose
SVCHost.dll 47B7B2DD88959CD7224A5542AE8D5BCE... Backdoor
Gt_net.exe 75B525B220169F07AECFB3B1991702FB... Grixba Tool
PSexesvc.exe 1409E010675BF4A40DB0A845B60DB3AA... Lateral Movement
HRsword.exe 0E408AED1ACF902A9F97ABF71CF0DD35... Disable Security Tools
Usysdiag.exe 90040340EE101CAC7831D7035230AC8A... Certificate Modification

Known Tools Used

Tool Purpose
AdFind Active Directory Discovery
BloodHound Privilege Path Mapping
Mimikatz Credential Dumping
PsExec Lateral Movement
Cobalt Strike C2 Operations
WinRAR Data Collection
WinSCP Data Exfiltration

MITRE ATT&CK Mapping

Tactic Technique ID
Initial Access Valid Accounts T1078
Initial Access Exploit Public Facing Application T1190
Credential Access OS Credential Dumping T1003
Discovery System Network Discovery T1016
Lateral Movement Lateral Tool Transfer T1570
Exfiltration Exfiltration Over Alternative Protocol T1048
Impact Data Encrypted For Impact T1486

Detection Opportunities

Threat Hunting Queries

SOC Analyst Assessment

Play Ransomware continues to represent a significant threat to enterprise environments due to its combination of vulnerability exploitation, credential abuse, privilege escalation, data theft, and ransomware deployment. The group's use of legitimate administration tools and custom malware complicates detection and increases dwell time. Organizations should prioritize vulnerability management, privileged account monitoring, endpoint detection, and proactive threat hunting activities.

References