Cybersecurity researchers found evidence that operators behind the Play ransomware are now offering the malware under the Ransomware-as-a-Service business model.
First spotted in 2022, the Play group (aka PlayCrypt and Balloonfly) has been responsible for attacks on companies and government organizations worldwide, with Latin America as its main target. The gang’s attack arsenal includes a number of tools and exploits, among them the ProxyNotShell vulnerabilities, the OWASSRF exploit method, and a Microsoft Exchange Server remote code execution flaw.
More recently, the group has been observed using new custom tools such as Grixba, a network scanner and information stealer, and the open-source Volume Shadow Copy Service (VSS) management library AlphaVSS. Play was also one of the first ransomware groups to employ intermittent encryption, a technique that encrypts only portions of each file and so lets the ransomware lock up a victim’s systems faster.
Play shares some tactics and tools with the Hive and Nokoyawa ransomware operations, suggesting a connection between these ransomware families.
“Making it available to affiliates that might include sophisticated hackers, less-sophisticated ‘script kiddies’ and various levels of expertise in between, could dramatically increase the volume of attacks using the highly successful, Russia-linked Play ransomware,” Adlumin researchers wrote in a report.
The research team said they have identified several PlayCrypt attacks targeting small and mid-sized businesses in recent months that shared nearly identical tactics, techniques and procedures (TTPs).
“The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it,” the researchers noted.
All observed incidents involved the same TTPs and followed the same order of steps, including the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password when creating high-privilege accounts, and the same commands.
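The two indicators above (a payload staged in the public music folder, and freshly created accounts being granted administrator rights) are easy to turn into a hunt over Windows Security event logs. The script below is an added example and is not from Adlumin’s report or any Play-related tooling; it assumes the standard C:\Users\Public\Music location for the folder the article abbreviates, that events have been exported as JSON lines with the field names used here (new_process, target_sid, member_sid, group_name are assumptions, loosely modelled on Security events 4688, 4720 and 4732), and runs over a handful of constructed sample events rather than real telemetry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are assumptions that
# loosely follow Windows Security events: 4688 = process creation,
# 4720 = user account created, 4732 = member added to a local group.
SAMPLE_EVENTS = r"""
{"ts": "2023-11-16T02:10:05Z", "event_id": 4688, "host": "WS01", "user": "CORP\\jdoe", "new_process": "C:\\Users\\Public\\Music\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"ts": "2023-11-16T02:10:09Z", "event_id": 4720, "host": "WS01", "user": "CORP\\jdoe", "target_user": "support", "target_sid": "S-1-5-21-1-2-3-1105"}
{"ts": "2023-11-16T02:10:12Z", "event_id": 4732, "host": "WS01", "user": "CORP\\jdoe", "member_sid": "S-1-5-21-1-2-3-1105", "group_name": "Administrators"}
{"ts": "2023-11-16T09:00:00Z", "event_id": 4688, "host": "WS02", "user": "CORP\\alice", "new_process": "C:\\Program Files\\VLC\\vlc.exe", "cmdline": "vlc.exe song.mp3"}
{"ts": "2023-11-16T09:30:00Z", "event_id": 4720, "host": "WS02", "user": "CORP\\helpdesk", "target_user": "intern", "target_sid": "S-1-5-21-1-2-3-1106"}
"""

# Assumed expansion of the "public music folder" the article abbreviates.
PUBLIC_MUSIC = "c:\\users\\public\\music\\"
ADMIN_GROUPS = {"administrators"}
# How close together "account created" and "added to Administrators" must be
# to be treated as one scripted action rather than routine helpdesk work.
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON-lines events and convert the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_public_music_exec(events):
    """Process creations whose image lives under the public music folder."""
    return [
        ev for ev in events
        if ev["event_id"] == 4688
        and ev["new_process"].lower().startswith(PUBLIC_MUSIC)
    ]


def detect_new_admin_accounts(events, window=WINDOW):
    """Account created (4720) then added to Administrators (4732) for the same
    SID on the same host within `window`. A 4720 with no matching 4732, or one
    outside the window, is not reported."""
    created = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["target_sid"])] = ev
        elif ev["event_id"] == 4732 and ev["group_name"].lower() in ADMIN_GROUPS:
            c = created.get((ev["host"], ev["member_sid"]))
            if c and ev["ts"] - c["ts"] <= window:
                findings.append({
                    "host": ev["host"],
                    "account": c["target_user"],
                    "created": c["ts"],
                    "elevated": ev["ts"],
                    "by": ev["user"],
                })
    return findings


def hunt(text=SAMPLE_EVENTS):
    """Run both detections and return the findings keyed by indicator."""
    events = parse_events(text)
    return {
        "public_music_exec": detect_public_music_exec(events),
        "new_admin_accounts": detect_new_admin_accounts(events),
    }


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the sample input only host WS01 fires: the executable staged under Public\Music and the "support" account that was elevated three seconds after creation. The VLC launch on WS02 and the "intern" account that never joined Administrators are ignored, which is the point of correlating 4720 with 4732 rather than alerting on every new account.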