Intel Name: #StopRansomware: Play Ransomware
Date of Scan: June 5, 2025
Impact: High
Summary: Since June 2022, the Play ransomware group, also known as Playcrypt, has targeted numerous businesses and critical infrastructure across North America, South America, and Europe. By 2024, Play had become one of the most active ransomware operations, with around 900 victims reported as of May 2025. Operating as a closed group to “guarantee the secrecy of deals,” Play actors use a double extortion tactic: they exfiltrate data before encrypting systems. Victims receive ransom notes without specific demands and are instead directed to contact the attackers via email.