
Play (PlayCrypt) Recovery
Direct answer
Play (also known as PlayCrypt) is a ransomware family active since June 2022, focused on Latin America and Europe. It appends .play to encrypted files and drops a 'ReadMe.txt' note. Initial access comes through FortiOS SSL-VPN vulnerabilities, Microsoft Exchange (CVE-2022-41082 and CVE-2022-41040, together known as ProxyNotShell) and exposed RDP. No public decryptor is available. HD Doctor delivers a technical response focused on Windows Server, Exchange and Fortinet.
Play preferentially targets Latin America (Brazil, Mexico, Argentina, Chile). Keep Fortinet and Exchange Server strictly patched.
What is Play
Play is a RaaS operation active since June 2022, with a Russia-linked affiliate base. By 2026 it had listed 600+ victims on its darknet site, including US government agencies (CISA AA23-352A), European municipalities and Latin American companies. It uses AES + RSA encryption, subtle intermittent behaviour (the payload renames itself on each execution) and exfiltrates data before encrypting, via WinSCP and WinRAR. Distinctive: a short note containing only a proton.me email. Unusually, it does NOT publish the ransom amount.
Symptoms of Play infection
- Files with extension .play on servers
- Short 'ReadMe.txt' note with proton.me email
- Payload renamed per execution (intermittent obfuscation)
- Exchange OWA logs with anomalous requests (ProxyNotShell)
- Fortinet with SSL VPN tunnel without MFA
- Cobalt Strike Beacon + SystemBC proxy
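The first two symptoms above (.play extension, short ReadMe.txt with a proton.me address) can be checked across a file share during triage. The script below is an added example, not part of the original page or HD Doctor's tooling; it walks a directory, counts encrypted files and notes, extracts the proton.me contacts, and reports the earliest and latest .play modification times so the encryption window can be lined up against Fortinet and Exchange logs. The sample tree it builds is constructed for the demo and the note address is a placeholder.

```python
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Indicators from the symptoms list: ".play" extension and a short ReadMe.txt
# whose only contact is a proton.me address.
PROTON_RE = re.compile(r"[A-Za-z0-9._%+-]+@proton\.me", re.IGNORECASE)

def triage_play_indicators(root):
    """Walk `root`; return indicator counts, note contacts, the encryption
    window (earliest/latest .play mtime) and directories with most hits."""
    root = Path(root)
    encrypted, notes, contacts = [], 0, set()
    for path in (p for p in root.rglob("*") if p.is_file()):
        name = path.name.lower()
        if name.endswith(".play"):
            encrypted.append(path)
        elif name == "readme.txt":
            notes += 1
            text = path.read_text(errors="replace")
            contacts.update(m.lower() for m in PROTON_RE.findall(text))
    window = None
    if encrypted:
        mtimes = [p.stat().st_mtime for p in encrypted]
        to_iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
        window = (to_iso(min(mtimes)), to_iso(max(mtimes)))
    by_dir = Counter(str(p.parent.relative_to(root)) for p in encrypted)
    return {
        "encrypted_files": len(encrypted),
        "notes": notes,
        "proton_contacts": sorted(contacts),
        "encryption_window_utc": window,
        "top_directories": by_dir.most_common(5),  # restore priority hint
        "play_suspected": bool(encrypted) and bool(contacts),
    }

def build_sample_tree():
    """Constructed sample share in a temp dir (placeholder note address,
    not data from a real case)."""
    base = Path(tempfile.mkdtemp())
    for sub in ("finance", "hr"):
        (base / sub).mkdir()
        (base / sub / "ReadMe.txt").write_text("PLAY\nexample-contact@proton.me\n")
    for i in range(3):
        (base / "finance" / f"report{i}.xlsx.play").write_bytes(b"\0" * 16)
    (base / "hr" / "contracts.docx.play").write_bytes(b"\0" * 16)
    (base / "hr" / "untouched.txt").write_text("clean")
    (base / "empty").mkdir()
    return base
```

Run it against the root of a suspected share; a non-empty encryption window with no matching VPN or OWA sessions in the preserved logs is itself a finding worth recording.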
Typical Play attack vectors
| Cause | % | Recovery path |
|---|---|---|
| FortiOS SSL-VPN (CVE-2022-42475, CVE-2023-27997) | 40% | Patch + MFA + restore |
| Microsoft Exchange (ProxyNotShell CVE-2022-41082) | 30% | Patch + restore |
| Exposed RDP | 18% | Hardening + restore |
| Targeted phishing | 7% | Training + restore |
| Other / unidentified | 5% | Case-by-case analysis |
Distribution based on CISA AA23-352A.
What NOT to do upon Play identification
1. Do not restore Exchange without patching. ProxyNotShell (CVE-2022-41082/41040) is the main entry point; restoring an unpatched server reopens the door.
2. Do not negotiate via Protonmail anonymously. Before any contact, establish chain of custody and engage legal counsel. All communication must be documented.
3. Do not pay without confirming exfiltration. Play ALWAYS exfiltrates. Paying 'just to decrypt' leaves the data in the attacker's hands anyway.
4. Do not ignore Fortinet logs. They hold the detailed timeline of the attacker's SSL-VPN session. Preserve them before any other action.
5. Do not disconnect Exchange before taking a snapshot. Exchange memory holds critical forensic artifacts (sessions, tokens, running scripts).
HD Doctor process for Play response
Response focused on Exchange Server, Fortinet and Windows Server.
1. Triage and containment (0 to 6h): isolation, Exchange and DC snapshots, RAM capture, preservation of Fortinet and Exchange OWA/IIS logs, immediate SSL-VPN shutdown.
2. Forensics (6 to 48h): analysis of Fortinet logs (SSL-VPN auth) and Exchange (ProxyNotShell), identification of the Play binary (renamed payload), and of exfiltration via WinSCP/WinRAR.
3. Decryptor evaluation (24h): no public decryptor exists for Play, so the focus is on backup restore and rebuild.
4. Windows restore (3 to 15 days): Veeam/Commvault restore of Exchange, AD and file servers; granular mailbox recovery via Veeam Explorer for Exchange.
5. Hardening and report (5 to 25 days): Fortinet patches (CVE-2022-42475, CVE-2023-27997), Exchange (all recent CVEs), mandatory MFA, EDR, forensic and regulatory report.
Typical SLA for Play response
| Scenario | Turnaround |
|---|---|
| Triage and containment | 0 to 6h |
| Exchange + Fortinet forensics | 24 to 72h |
| Exchange and AD restore | 3 to 12 business days |
| Granular mailbox restore | 5 to 20 business days |
| Final technical report | 15 to 30 business days |
- Play has no public decryptor; immutable backup is the main control.
Systems hit by Play
| Family | Support | Notes |
|---|---|---|
| Microsoft Exchange 2013-2019 | ✅ Full response | ProxyNotShell, restore + patch |
| Fortinet FortiGate (FortiOS) | ✅ Forensics + hardening | Most common entry |
| Windows Server 2012R2-2022 | ✅ AD, file server, SQL | Veeam restore |
| Active Directory | ✅ Full recovery | Compromised DCs |
| Veeam / Commvault backup | ✅ Guided restore | Tampering forensics |
Why HD Doctor for Play response
- 🎮 Team with real Play cases in Latin America, with a validated playbook.
- ⚡ 24×7 response within 6h, with a dedicated Exchange + Fortinet engineer.
- 💾 Granular Veeam Exchange restore to recover mailboxes individually.
- 🛡️ Specific Fortinet + Exchange hardening post-incident.
- 📋 Forensic report within 72h for regulator and judicial use.
FAQ about Play
Is there a free Play decryptor?
No. There is no public Play decryptor in 2026. Clean backup restore is the main recovery path.
Why does Play focus on Latin America?
Russian-language groups often target Latin America due to lower average cyber defense maturity and limited law enforcement cooperation. CISA AA23-352A documents cases in Brazil, Argentina, Chile, Mexico.
Should I pay the Play ransom?
Not recommended. Play ALWAYS exfiltrates before encrypting, so payment does not prevent a leak and funds future attacks. Focus on restore, regulator notification and communication with affected data subjects.
How to avoid Play?
Five controls: (1) Fortinet and Exchange strictly patched; (2) MFA on SSL-VPN; (3) Exchange OWA with WAF; (4) EDR on DCs and critical servers; (5) immutable offline backup. Our report includes a prioritized plan.
How long until full restore?
With Veeam immutable backup: 5 to 15 days for critical servers. Without clean backup: 30 to 60 days depending on scope. Individual mailbox recovery: 1 to 5 days per critical mailbox.
Under Play / PlayCrypt attack right now?
Exchange + Fortinet specialists. 24×7 response.