Play ransomware

The Play ransomware began its activities in June 2022. Since then, many businesses and government institutions have fallen victim to the Play ransomware.

Among them is the Judiciary of Córdoba, Argentina, a large case whose investigation involved companies such as Microsoft, Cisco and Trend Micro.

Because of the attack, the IT systems of the Córdoba court had to be taken offline temporarily, and employees went back to pen and paper to send official documents.

In March, the Judiciary of Córdoba had already suffered an attack by the Lapsus$ group, in which employees' emails were leaked. The exact entry point of this recent attack is not known, but researchers surmise that the Play group may have used the leaked emails to conduct phishing campaigns and steal access credentials.

Based on the Play group's recent attacks, including the one on the Judicial Power of Córdoba, we can analyze some characteristics of the Play ransomware.

We know that the encryption used in the Play group's attacks is very robust. The malware uses a hybrid RSA and AES scheme, the usual pattern in which files are encrypted with the fast symmetric cipher (AES) and the AES keys are in turn protected with the attackers' public RSA key, combining the strengths of both types of encryption: without the attackers' private RSA key, the file keys cannot be recovered.

In addition, the ransomware executable is heavily obfuscated and uses various anti-analysis techniques, which helps it evade detection by antivirus products.

With these techniques, the ransomware can carry out all of its encryption and lateral-movement work to cause maximum damage on the victim's systems, without raising suspicion from the user or from the machine's defenses.

After encrypting a file, the ransomware appends the extension ".play" to the original file name. Once encrypted and renamed, the file can no longer be opened.

So far, the Play group has not leaked any files allegedly stolen during its attacks, which leads researchers to conclude that the data may not be exfiltrated before encryption takes place.

The ransom note the attackers leave at the root of the disk (C:\) reinforces this idea. In ransomware attacks it is common for the attackers to leave a ransom note with instructions on how to contact the group and pay the ransom, along with dire threats intended to pressure the victim into paying.

However, the group behind the Play ransomware has opted for a very different approach. A ReadMe.txt file is still dropped on the system, but its content is strikingly short and boils down to two lines: the group's name and a contact email, and nothing else.
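The two file-system indicators described above (the ".play" extension on encrypted files and a short ReadMe.txt dropped at the root of the drive) are enough for a first-pass triage of a suspected victim machine. The script below is an added example written for this page; it is not code from the original article or from any vendor tool. It walks a directory tree, counts files carrying the ".play" extension, records where they cluster, and notes whether a ReadMe.txt is present at the root. The sample path list at the bottom is constructed for illustration and does not come from a real incident.

```python
"""Triage helper for Play ransomware file-system indicators.

Added example, not from the page or any vendor tool. Indicators are taken
from the article text: encrypted files end in ".play" and a ReadMe.txt
ransom note is left at the root of the drive. Everything else (names,
sample paths) is an assumption made for this example.
"""
import os
from collections import Counter
from dataclasses import dataclass, field

PLAY_EXTENSION = ".play"          # extension appended to encrypted files
RANSOM_NOTE_NAME = "readme.txt"   # ransom note name, matched case-insensitively


@dataclass
class TriageResult:
    """Summary of what the scan found."""
    encrypted_files: int = 0
    note_paths: list = field(default_factory=list)   # every ReadMe.txt seen
    top_dirs: Counter = field(default_factory=Counter)  # encrypted files per dir

    @property
    def note_at_root(self) -> bool:
        """True if a ransom note sits directly in the scanned root."""
        return any(os.path.dirname(p) in ("", ".") for p in self.note_paths)

    @property
    def suspicious(self) -> bool:
        """Either indicator alone is enough to escalate for incident response."""
        return self.encrypted_files > 0 or bool(self.note_paths)


def assess_paths(paths) -> TriageResult:
    """Pure classifier over an iterable of file paths relative to the root.

    Kept free of filesystem access so it can be unit-tested and reused on
    file listings exported from another host.
    """
    result = TriageResult()
    for p in paths:
        name = os.path.basename(p).lower()
        if name.endswith(PLAY_EXTENSION):
            result.encrypted_files += 1
            result.top_dirs[os.path.dirname(p) or "."] += 1
        elif name == RANSOM_NOTE_NAME:
            result.note_paths.append(p)
    return result


def scan_tree(root: str) -> TriageResult:
    """Walk a real directory tree and classify every regular file in it."""
    rel_paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return assess_paths(rel_paths)


def describe(result: TriageResult) -> str:
    """Human-readable one-line verdict for an analyst's notes."""
    if not result.suspicious:
        return "no Play ransomware indicators found"
    hot = ", ".join(f"{d} ({n})" for d, n in result.top_dirs.most_common(3))
    note = "note at root" if result.note_at_root else "note not at root"
    return (f"{result.encrypted_files} '.play' files; {note}; "
            f"busiest directories: {hot or 'none'}")


# Constructed sample listing (not from a real incident) for a stand-alone run.
SAMPLE_PATHS = [
    "ReadMe.txt",
    "Users/alice/Documents/budget.xlsx.play",
    "Users/alice/Documents/notes.docx.play",
    "Users/bob/report.pdf",
    "Windows/System32/kernel32.dll",
]

if __name__ == "__main__":
    print(describe(assess_paths(SAMPLE_PATHS)))
```

Run it against a mounted image or a live host with `scan_tree("/mnt/victim")`; the directory counts show where encryption started, which is useful when reconstructing the timeline, and the root-note check distinguishes Play's minimal note from the longer notes other families drop.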

Recover files encrypted by Play ransomware

Digital Recovery has been in the data recovery market for over 23 years and is positioned today as one of the best alternatives in the ransomware attack landscape.

Established in 6 countries, we have been able to bring our support and technology to help hundreds of ransomware attack victims around the world.

We have developed unique solutions that allow us to recover ransomware-encrypted data on any storage device, including databases, servers, RAID systems, virtual machines, storage systems and others.

Our team is composed of efficient professionals who are passionate about new challenges.

We value confidentiality and handle each project with the necessary discretion, because we know how valuable a company's data is. We comply with the General Data Protection Regulation (GDPR) and, of course, provide our clients with a non-disclosure agreement (NDA).

In most cases we operate completely remotely, so wherever you are, Digital Recovery may have the solution for you.

Just contact our team and we will perform an advanced diagnosis for the recovery of your data.
