Ransomware Leak Sites


Active Since

June 2022

Total Victims as of January 2024


Known Forum Aliases


Active Forum Accounts


Top Targeted Geographies

US, UK, Canada

Play ransomware is named after the “.play” extension it appends to the files it encrypts.

It has been noted that tactics used by Play are shared by fellow ransomware campaigns Nokoyawa and Hive, suggesting a connection between the operations. There is also indication that Play ransomware shares some of the infrastructure to stage its attacks with Quantum RaaS.

Play keeps a fairly low profile on the dark web aside from its leak site, not advertising via forum accounts and recently had to fend off accusations it had introduced a RaaS model. The gang claims on its site to be a closed group to “guarantee the secrecy of deals”.

The Beacon Newsletter

Get news, insights & intelligence straight to your inbox