Play ransomware [1] [3] [4] [5] [7] [8], also known as Balloonfly and PlayCrypt [1] [3] [4] [5] [7] [8], has recently transitioned into a Ransomware-as-a-Service (RaaS) operation [1] [3] [4] [7] [8] and is now offered to other threat actors [2] [6] [8]. This development raises concerns about how accessible and prevalent such threats will become.


Adlumin’s investigation into Play ransomware attacks has uncovered a consistent pattern [5]: the attackers hide malicious files, use identical passwords for high-privilege accounts [5], and execute the same commands [5]. It appears that affiliates who have purchased the ransomware-as-a-service are carrying out attacks by following step-by-step instructions provided with it [2] [6]. Adlumin’s findings are based on multiple Play ransomware attacks across various sectors [1] [3], indicating a systematic approach [6].

Play first emerged in June 2022 [7], exploiting vulnerabilities in Microsoft Exchange Server to infiltrate networks and deploy remote administration tools before launching the ransomware [7]. Originally, the creators of Play ransomware were responsible for both developing the malware and carrying out the attacks. However, recent developments suggest a shift towards offering Play as a full-fledged RaaS operation [5]. RaaS operators now provide comprehensive ransomware kits [5], including documentation [5], forums [5], technical support [5], and assistance in negotiating ransoms [5]. This transition completes Play’s evolution into a RaaS model, making it an attractive option for cybercriminals and potentially leading to a growing wave of incidents [1] [3].


The transition of Play ransomware into a RaaS operation has significant implications. It increases the accessibility of ransomware to a wider range of threat actors, potentially leading to a surge in cyber incidents [7]. This trend highlights the need for enhanced cybersecurity measures and proactive mitigation strategies. Organizations must remain vigilant and implement robust defenses to protect against evolving ransomware threats. Additionally, collaboration between law enforcement agencies, cybersecurity firms, and industry stakeholders is crucial to effectively combat the growing threat landscape.