play

Known ransomware group ACTIVE

Also known as: PlayCrypt

Currently active

Play (PlayCrypt) is a ransomware group active since mid-2022, notable for intermittent-encryption techniques and for appending the ".play" extension to encrypted files. It has hit government, IT, and critical-infrastructure targets worldwide and runs a double-extortion leak site.

1

Total Claims

0

Critical

Records Claimed

1

Industries Hit

Active span: Jun 6, 2026 – Jun 6, 2026 · 1 organization targeted

Activity 1.9 · Severity 2.5 · Sectors 2.3 · Tooling 9.4

Actor Threat Profile

Activity Timeline

Peak: Jun 2026 (1)

Top Targeted Industries

Transportation/Logistics 1

Tradecraft & Infrastructure

Documented tools: 16

MITRE tactics / techniques: 10 / 31

Known leak sites: 3

CredentialTheft · DefenseEvasion · DiscoveryEnum · Exfiltration · LOLBAS · Networking · Offsec
Full intelligence profile on ransomware.live →

Targeted Organizations

Claims by play
