Play Overview

PlayCrypt emerged during 2022 in a mysterious way, when german victims started asking on
forums about a “new ransomware that encrypts everything and places a ransom note with
just two lines: the word PLAY and an email which nobody answers to”.

After much speculation and after reversing one of their samples looking for contact details,
DC5411 could establish an initial exchange with the group, obtaining links for their first
onion service (to be aired 72 hs later).

The group used ProxyShell/ProxyNotShell vulnerabilities to gain initial foothold, even when
the later was patched, they had a workaround to keep the vulnerability working.