Play ransomware — also known as PlayCrypt — has been a steady presence in the ransomware landscape since June 2022, but its operations through 2024 showed a refined focus on supply chain exploitation through managed service providers. By November 2024, Play had accumulated over 300 known victims, with a significant percentage traced to MSP compromises that cascaded into multiple downstream organizations from a single intrusion.
The group demonstrated a pattern that is becoming the standard playbook for efficient ransomware operations: rather than targeting individual organizations one at a time, compromise the IT service provider that manages dozens or hundreds of them.
The MSP Attack Model
Play's MSP targeting followed a consistent methodology:
Phase 1: MSP Compromise
The initial intrusion typically targeted the MSP itself through:
FortiOS vulnerabilities: Play affiliates extensively exploited CVE-2018-13379 and CVE-2020-12812 in Fortinet's FortiOS VPN, along with newer vulnerabilities as they were disclosed. FortiGate appliances were common in MSP environments, making them a high-value target.
RDP exposure: MSPs that exposed Remote Desktop Protocol services to the internet — often for remote management convenience — provided a direct attack surface. Play operators used credential stuffing and brute force to gain access.
Microsoft Exchange vulnerabilities: ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) and earlier ProxyShell vulnerabilities were exploited to compromise MSP Exchange servers, which often served as email infrastructure for multiple clients.
Phase 2: MSP Infrastructure Abuse
Once inside an MSP environment, Play operators focused on the management infrastructure:
- Remote monitoring and management (RMM) tools: ConnectWise, Datto, NinjaRMM, and similar platforms used by MSPs to manage client environments provided ready-made lateral movement paths
- PSA and ticketing systems: Professional services automation tools containing client network documentation, credentials, and architecture information
- Backup infrastructure: MSP-managed backup systems that connected to client environments
Phase 3: Client Network Compromise
Using the MSP's legitimate management tools, Play operators pivoted to client networks:
- RMM tools provided direct administrative access to client endpoints
- Cached credentials in MSP management platforms unlocked client domain admin accounts
- VPN connections from MSP infrastructure to client networks provided network-level access
- Backup infrastructure connections provided an alternative path when other routes were monitored
Phase 4: Coordinated Deployment
Play operators deployed ransomware across multiple client networks simultaneously, maximizing the number of victims from a single MSP compromise. The timing was typically coordinated for weekends or holidays to minimize detection and response during the encryption phase.
Technical Profile
The Payload
Play's ransomware was written in C++ with distinctive technical characteristics:
Intermittent encryption: Files were partially encrypted in chunks, significantly increasing encryption speed while still rendering files unusable. This was particularly important for MSP-cascade attacks where speed across multiple networks was critical.
File extension: Encrypted files received a .play extension, and ransom notes were dropped as ReadMe.txt files with minimal content — typically just an email address for negotiations.
Anti-analysis: The payload used string obfuscation and API hashing to complicate reverse engineering and signature-based detection.
Self-propagation: Limited built-in propagation capabilities using SMB and network share enumeration, supplemented by manual operator-driven deployment in most cases.
Custom Tooling
Play developed and used several custom tools:
Grixba: A custom network scanner used for Active Directory enumeration and network reconnaissance. Grixba was purpose-built for the post-exploitation phase, providing targeted information about the victim environment.
VSS removal tools: Custom utilities for deleting Volume Shadow Copies, ensuring that victims couldn't use Windows restore points for recovery.
Log clearing tools: Automated cleanup of Windows event logs and other forensic artifacts following ransomware deployment.
Supply Chain Impact Analysis
Play's MSP exploitation model created distinctive supply chain impact patterns:
Blast Radius
A single MSP compromise could affect 10-50+ downstream client organizations, depending on the MSP's size. This multiplier effect meant Play's actual impact was significantly larger than their victim count on leak sites suggested — many downstream victims were never publicly listed.
Cross-Sector Impact
Because MSPs serve diverse client bases, a single Play attack could simultaneously affect organizations across:
- Healthcare clinics and medical practices
- Law firms and accounting practices
- Manufacturing companies
- Retail businesses
- Local government agencies
- Nonprofit organizations
This cross-sector blast radius complicated incident response, as different victims had different regulatory requirements, data sensitivity levels, and recovery priorities.
Shared Infrastructure Risks
The MSP model creates shared infrastructure risks that downstream clients may not be aware of:
- Multiple client environments managed from the same RMM console
- Shared backup infrastructure where one client's backup compromise exposes all clients
- Common credential patterns across client environments managed by the same MSP team
- Shared network segments in the MSP's management infrastructure
Recovery Complexity
When ransomware cascades through an MSP, recovery is complicated by:
- The MSP's own systems being encrypted, removing the management infrastructure needed for recovery
- Multiple clients needing simultaneous recovery assistance from an MSP that is itself compromised
- Interdependencies between client environments and MSP-managed services
- Trust destruction — clients may lose confidence in the MSP, complicating coordinated recovery
The Broader MSP Threat
Play was not the only group targeting MSPs, but their operations illustrated the systemic risk:
- REvil demonstrated the MSP supply chain model with the Kaseya attack in 2021
- Conti explicitly targeted MSPs as documented in their leaked playbooks
- LockBit affiliates conducted multiple MSP-cascade attacks
- Akira and Black Basta also exploited MSP infrastructure
The pattern is clear: MSPs are the single most efficient attack multiplier in the ransomware ecosystem. A group that compromises one MSP per week can affect hundreds of downstream organizations monthly.
Defensive Measures for MSP Clients
Organizations that rely on managed service providers should:
Understand your MSP's security posture. Request and review SOC 2 reports, penetration test results, and incident response plans. Your MSP's security is your security.
Limit MSP access scope. Apply least-privilege principles to MSP management accounts. MSPs don't need domain admin access to manage endpoints — scope their permissions to what's actually required.
Monitor MSP connections. Treat MSP management connections as a controlled attack surface. Monitor RMM tool activity for anomalous patterns and maintain independent logging that the MSP cannot modify.
Maintain independent backups. Don't rely solely on MSP-managed backups. Maintain your own backup copies in a location the MSP cannot access.
Have an MSP compromise response plan. Plan specifically for the scenario where your MSP is compromised. Know how you'll isolate their access, who you'll call, and how you'll maintain operations without MSP-managed services.
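As an added example that is not part of the original post: a small Python checker that runs over a constructed RMM audit trail and flags the three signals the Play phases above make visible from the client side: MSP operator activity outside an agreed maintenance window (the weekend/holiday deployment timing), one operator fanning out remote execution across many endpoints (coordinated multi-client deployment), and scripts aimed at shadow copies or event logs (the VSS removal and log clearing tooling). The log format, account names, maintenance window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RMM audit trail (not from any real product):
# timestamp  operator-account  action  target-endpoint  detail
SAMPLE_LOG = """\
2024-11-08T10:15:02 msp-tech-jane run_script ws-hr-07 inventory.ps1
2024-11-08T10:20:44 msp-tech-jane push_package ws-hr-07 office-update
2024-11-09T02:03:11 msp-svc-admin run_script srv-fin-01 cleanup-shadow-copies.ps1
2024-11-09T02:03:12 msp-svc-admin run_script srv-fin-02 cleanup-shadow-copies.ps1
2024-11-09T02:03:14 msp-svc-admin run_script srv-dc-01 clear-eventlogs.ps1
2024-11-09T02:03:15 msp-svc-admin push_package ws-hr-07 updater.exe
2024-11-09T02:03:16 msp-svc-admin push_package ws-hr-08 updater.exe
2024-11-09T02:03:17 msp-svc-admin push_package ws-hr-09 updater.exe
"""

# Assumed client-side policy: MSP work happens 07:00-19:00 on weekdays, and no
# single operator should touch 5+ distinct endpoints within 10 minutes.
WINDOW_START, WINDOW_END = 7, 19
FANOUT_LIMIT, FANOUT_SPAN = 5, timedelta(minutes=10)
EXEC_ACTIONS = {"run_script", "push_package"}
RECOVERY_HINTS = ("shadow", "eventlog")  # recovery-tampering keywords

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, account, action, target, detail = line.split(" ", 4)
            rows.append((datetime.fromisoformat(ts), account, action, target, detail))
    return rows

def analyze(log_text):
    """Return (rule, account, evidence) tuples for every suspicious entry."""
    findings, exec_events = [], defaultdict(list)
    for ts, account, action, target, detail in parse(log_text):
        if ts.weekday() >= 5 or not WINDOW_START <= ts.hour < WINDOW_END:
            findings.append(("off_hours", account, f"{action} {target} at {ts.isoformat()}"))
        if any(h in detail.lower() for h in RECOVERY_HINTS):
            findings.append(("recovery_tampering", account, f"{detail} on {target}"))
        if action in EXEC_ACTIONS:
            exec_events[account].append((ts, target))
    # Fan-out: one operator reaching many distinct endpoints in a short span
    for account, events in exec_events.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            reached = {t for ts, t in events[i:] if ts - start <= FANOUT_SPAN}
            if len(reached) >= FANOUT_LIMIT:
                findings.append(("fan_out", account, f"{len(reached)} endpoints within {FANOUT_SPAN}"))
                break
    return findings
```

Feed it the RMM platform's exported audit log (after adapting `parse` to that export format) from a log store the MSP cannot write to, so the findings survive the log clearing step described above.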
How Safeguard.sh Helps
Play ransomware's MSP exploitation model illustrates a fundamental supply chain problem: organizations inherit the security risks of every service provider they depend on. When your MSP's RMM tool becomes the ransomware delivery mechanism, the software supply chain connecting your infrastructure to your service provider is the attack path.
Safeguard.sh maps these supply chain relationships, providing visibility into the software components and service connections that create cascading risk. The platform's SBOM management and dependency tracking identify the shared components and management tools that MSP-cascade attacks exploit.
By continuously monitoring your software supply chain for vulnerabilities and enforcing security policies across all components — including the remote management tools and infrastructure software that connect you to service providers — Safeguard.sh helps you quantify and manage the risk that comes with every vendor relationship. When your MSP is the weakest link, knowing that before the attackers do is the only advantage that matters.