*Published: 4/15/2026*

> **BLUF:** Two separate PlayCrypt intrusions against different organizations, both following the same textbook playbook: RDP initial access with compromised admin credentials (SonicWall VPN the likely network path in the first case), WinRAR staging with identical flags (`-ep1 -scul -r0`), WinSCP exfiltration, and, in the intrusion that ran to completion, ransomware deployment to `C:\Users\Public\Music\`. The second intrusion went from initial access to ransomware detonation across 15+ hosts in under 6 hours. Comparing the two reveals Play's operational discipline: these aren't affiliate variations, they're the same playbook executed twice with minor environmental adaptation.

## Why Two Intrusions Matter

Play (Fiddling Scorpius / Balloonfly / GOLD ENCORE) operates as a closed or semi-closed group, not a traditional RaaS with a rotating affiliate base. That means TTP consistency across intrusions is higher than with open programs like Akira or Qilin. When you see the same WinRAR flags, the same staging path, and the same WinSCP exfil pattern across two unrelated targets, you're looking at organizational tradecraft, not individual preference.

Play has accumulated 1,237 victims since June 2022. The FBI/CISA joint advisory AA23-352A covers the operation. The group recompiles the ransomware binary per target for unique hashes, uses intermittent encryption for speed, and drops the ransom note to `C:\Users\Public\Music\ReadMe.txt` - a path so consistent it's practically a signature.

These two intrusions were observed in separate managed environments. All identifying details have been sanitized.
---

## At a Glance

| | Intrusion 1 | Intrusion 2 |
|---|---|---|
| **Initial access** | RDP with compromised admin credentials | RDP with compromised admin credentials |
| **Reconnaissance** | `whoami /user`, manual file browsing | Hyper-V management console, file browsing |
| **Data staging** | WinRAR (`-ep1 -scul -r0`) - 12+ archive volumes | WinRAR (`-ep1 -scul -r0`) - 10+ department folders |
| **Exfiltration** | WinSCP from `C:\PerfLogs\` | WinSCP to `[exfil_ip]` (port 16826, then 21) |
| **Defense evasion** | Impacket → enable RDP on DC | Full Defender kill chain across 5+ hosts |
| **Lateral movement** | Impacket WmiExec | PsExec-style remote services with random names |
| **Impact** | Interrupted (no encryption) | Ransomware to `C:\Users\Public\Music\` - 15+ hosts |
| **Tempo** | Multi-session, patient | Single session, ~6 hours start to finish |

---

## Intrusion 1 - RDP → WinRAR Staging → WinSCP Exfil (Interrupted)

### Initial Access

**T1078 / T1133 - Valid Accounts + External Remote Services | Operator**

Interactive RDP from an unmanaged IP using a compromised administrator account:

```
4624 | Type 10 | [attacker_ip] | DOMAIN\[admin_account]
```

The source IP was unmanaged - no EDR agent. SonicWall VPN likely provided the network path.

> **Detection Opportunity:** RDP authentication from unmanaged IPs is the first signal. Correlate Type 10 (RemoteInteractive) logon events with your asset inventory - any source IP without an EDR agent warrants immediate investigation.

### Reconnaissance

**T1033 - System Owner/User Discovery | Operator**

First command after landing:

```
whoami /user
```

Minimal - the operator knew where they were going.

### Data Browsing - Manual Target Selection

**T1005 - Data from Local System | Operator**

The operator spent significant time manually browsing high-value documents through WordPad, Edge, and mspaint.
This is target selection, not automated collection:

```
WORDPAD.EXE "E:\SHARED\Shared\[user]\FINANCIALS\[month] 2025 Income Statement Review.docx"
WORDPAD.EXE "E:\SHARED\Shared\[user]\FINANCIALS\[month] 2025 Income Statement Review.docx"
```

Documents accessed included:

- Income statements (multiple months, 2025)
- Balance sheets (year ending 12-31-24)
- W-2 forms and tax reports (2024)
- Debt contracts and loan agreements
- Health insurance benefit confirmations
- Direct deposit records
- Employee badge photos (viewed in mspaint)
- Work order PDFs

This is double extortion reconnaissance - the operator was evaluating what data would create maximum leverage during negotiation.

### Tool Staging

**T1588.002 - Obtain Capabilities: Tool | Operator**

WinRAR downloaded to a non-standard path:

```
C:\PerfLogs\winrar-x64-611.exe
```

Before staging data, the operator ran a speed test and checked their geolocation:

```
http://www.speedtest.net
https://mylocation.org/
```

This is OPSEC awareness - checking bandwidth capacity before exfiltration and confirming their exit node location.

### Data Staging - WinRAR

**T1560.001 - Archive Collected Data | Operator**

The WinRAR command that recurs throughout Play intrusions:

```
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "@C:\Users\[admin]\AppData\Local\Temp\2\Rar$LS14936.31207"
```

This produced 12 archive volumes:

- `E:\Shared.part1.rar` through `E:\Shared.part8.rar` (~3 GB each, ~24 GB total)
- `E:\APPS.part1.rar` through `E:\APPS.part4.rar`

The operator also staged specific subdirectories:

```
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "E:\APPS\[folder_1]" "E:\APPS\[folder_2]" "E:\APPS\[folder_3]"
```

> **Detection Opportunity:** WinRAR with the `-ep1 -scul -r0` flag combination appears in both intrusions and in public Play reporting. Read the switches correctly: `-ep1` excludes the base directory from archived names, `-scul` sets Unicode encoding for the `@` list file, and `-r0` recurses into subdirectories for wildcard names only. No `-m` switch is present, so default compression applies. Together with `-iext -imon1` and the `@...\Temp\Rar$LS...` list file, this is the command line WinRAR itself generates when an operator archives through the Explorer context menu ("Add to archive..."), so what it really tells you is that a human is archiving through the GUI rather than a script. That makes it a strong hands-on-keyboard staging indicator, but other groups' operators produce the same line, so pair the alert with context: an admin account on a file server, multi-gigabyte `.partN.rar` output, and follow-on WinSCP activity.
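To turn the flag discussion above into something you can run, here is a small Python detector (an added example for this write-up, not code from the original report or from any vendor rule set): it tokenizes a WinRAR command line, separates switches from file arguments, recognizes the Explorer-generated `@...Rar$LS` list file and the `-iext -imon1` pair, and labels the invocation; a second function groups `.partN.rar` file-creation events into volume sets and flags the multi-gigabyte ones. The verdict names, the 3-part / 1 GiB thresholds and the list of "odd" tool directories are assumptions of the example; the sample command lines and file sizes are constructed from the sanitized values above.

```python
"""Flag hands-on-keyboard WinRAR staging from process command lines and
file-creation telemetry.  Added example for this write-up, not code from the
original report; all sample inputs below are constructed."""
import re
from collections import defaultdict

STAGING_FLAGS = {"-ep1", "-scul", "-r0"}   # the switch set called out in the write-up
GUI_FLAGS = {"-iext", "-imon1"}           # added by WinRAR's Explorer/GUI front end
LISTFILE_RE = re.compile(r"^@.*\\temp\\.*rar\$", re.IGNORECASE)  # GUI-generated @list file
PART_RE = re.compile(r"^(?P<base>.+?)\.part\d+\.rar$", re.IGNORECASE)
# Directories where an admin rarely unpacks tooling (assumption for the example).
ODD_TOOL_DIRS = ("c:\\perflogs\\", "c:\\programdata\\", "c:\\users\\public\\")
GB = 1 << 30


def split_cmdline(cmdline):
    """Tokenize a Windows command line, keeping double-quoted arguments
    (which may contain spaces and backslashes) as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_winrar(cmdline):
    """Return a verdict dict for a WinRAR.exe command line, or None when the
    image is not WinRAR."""
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or not toks[0].lower().endswith("winrar.exe"):
        return None
    command = toks[1].lower()
    switches, positional, after_dd = set(), [], False
    for tok in toks[2:]:
        if tok == "--":
            after_dd = True                   # everything after -- is a file name
        elif not after_dd and tok.startswith("-"):
            switches.add(tok.lower())
        else:
            positional.append(tok)
    listfiles = [p for p in positional if LISTFILE_RE.match(p)]
    # First positional is the archive-name slot (the GUI-launched form passes
    # "." there); the rest are sources to archive or the extraction target.
    sources = [p for p in positional[1:] if not p.startswith("@")]
    gui = GUI_FLAGS <= switches or bool(listfiles)
    staging = command == "a" and STAGING_FLAGS <= switches
    if staging and gui:
        verdict = "gui-archive-staging"
    elif staging:
        verdict = "scripted-archive-staging"
    elif command in ("x", "e") and any(p.lower().startswith(ODD_TOOL_DIRS) for p in positional):
        verdict = "tool-unpack-odd-path"
    else:
        verdict = "benign-or-unknown"
    return {"command": command, "switches": sorted(switches), "gui_invocation": gui,
            "staging_flags": staging, "listfile": bool(listfiles),
            "sources": sources, "verdict": verdict}


def staged_volume_sets(file_events, min_parts=3, min_total_bytes=GB):
    """Group WinRAR output into multi-volume sets (X.partN.rar) and return the
    sets big enough to look like exfil staging.  file_events: (path, size)."""
    sets = defaultdict(lambda: [0, 0])
    for path, size in file_events:
        m = PART_RE.match(path)
        if m:
            entry = sets[m.group("base").lower()]
            entry[0] += 1
            entry[1] += size
    return {base: {"parts": n, "total_bytes": total}
            for base, (n, total) in sets.items()
            if n >= min_parts or total >= min_total_bytes}


# Constructed samples modelled on the sanitized command lines in this write-up.
SAMPLE_CMDLINES = [
    r'WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "@C:\Users\admin\AppData\Local\Temp\2\Rar$LS14936.31207"',
    r'WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "E:\APPS\folder_1" "E:\APPS\folder_2"',
    'WinRAR.exe x -iext -ow -ver -imon1 -- "C:\\PerfLogs\\WinSCP.rar" C:\\PerfLogs\\',
    r'WinRAR.exe x -ibck -- "C:\Users\jdoe\Downloads\report.rar" "C:\Users\jdoe\Documents"',
]
SAMPLE_FILES = ([(rf"E:\Shared.part{i}.rar", 3 * GB) for i in range(1, 9)]
                + [(rf"E:\APPS.part{i}.rar", 500 * (1 << 20)) for i in range(1, 5)]
                + [(r"C:\Users\jdoe\Documents\photos.part1.rar", 50 * (1 << 20))])

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        result = analyze_winrar(cmd)
        print(result["verdict"], result["switches"], result["sources"])
    for base, info in staged_volume_sets(SAMPLE_FILES).items():
        print(base, info)
```

The two functions are meant to be joined in a rule: a `gui-archive-staging` verdict on a file server, followed within minutes by a volume set that `staged_volume_sets` flags, is the Intrusion 1 pattern; either signal alone is noisier.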
### Exfiltration - WinSCP

**T1048 - Exfiltration Over Alternative Protocol | Operator**

WinSCP was delivered pre-packaged as a RAR archive in `C:\PerfLogs\` and extracted on-host:

```
WinRAR.exe x -iext -ow -ver -imon1 -- "C:\PerfLogs\WinSCP.rar" C:\PerfLogs\
C:\PerfLogs\WinSCP.exe
```

The operator ran WinSCP multiple times across the intrusion - at least three separate executions, suggesting multi-session exfiltration.

### Lateral Movement - Impacket WmiExec

**T1047 - Windows Management Instrumentation | Operator**

The operator pivoted to Impacket WmiExec to enable RDP on a domain controller:

```
cmd.exe /Q /c powershell reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f 1> \Windows\Temp\RnVkTG 2>&1
```

```
cmd.exe /Q /c powershell Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' 1> \Windows\Temp\KxPwBs 2>&1
```

The `cmd.exe /Q /c <command> 1> <file> 2>&1` wrapper is the telltale of Impacket-style remote execution: the tool runs the command through cmd with echo off and captures stdout and stderr to a file it then reads back over SMB. Stock `wmiexec.py` writes that file to `\\127.0.0.1\ADMIN$\__<timestamp>`; the `\Windows\Temp\<random>` form seen here is a common variation, so detection logic should cover both.

> **Detection Opportunity:** Impacket WmiExec output redirection to `\Windows\Temp\` with random filenames (or to `\\127.0.0.1\ADMIN$\__<timestamp>`). This pattern is consistent across Play, Akira, and most affiliates using Impacket.
>
> See rule: [[edr-win-lat-impacket-wmiexec]]

### Defender Intervention

**The intrusion was interrupted.** The security team identified the activity and disabled the compromised admin account on the domain controller.

The operator adapted - they switched to a different admin account and continued WinSCP exfiltration:

```
4624 | Type 10 | [attacker_ip] | DOMAIN\[backup_admin]
C:\PerfLogs\WinSCP.exe
```

### Cleanup

**T1070.004 - Indicator Removal | Operator**

After the account switch was detected, the operator uninstalled WinRAR:

```
C:\Program Files\WinRAR\uninstall.exe
C:\Program Files\WinRAR\uninstall.exe /wait
```

The defender created an application control policy for WinRAR to prevent reinstallation.

> **Note:** No ransomware was deployed in this intrusion.
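As an added example (not code from the original report or its rule set), the following Python pulls the Impacket wrapper described above apart: it matches the `cmd.exe /Q /c ... 1> <file> 2>&1` shape, classifies the output file as the stock `\\127.0.0.1\ADMIN$\__<timestamp>` location or the `\Windows\Temp\<random>` variant seen in this intrusion, and tags what the inner command does. The tag names and the `triage` severities are assumptions of the example; the sample lines are constructed from the sanitized commands above plus a couple of benign look-alikes.

```python
"""Spot Impacket-style remote execution wrappers in process command lines and
recover the command the operator actually ran.  Added example for this
write-up, not code from the original report; sample lines are constructed."""
import re

# cmd.exe /Q /c <inner> 1> <outfile> 2>&1  -- the /Q and the redirection order
# are what the Impacket family emits; tolerate an optionally quoted outfile.
WRAPPER_RE = re.compile(
    r'^(?:"?[^"\s]*cmd(?:\.exe)?"?)\s+/Q\s+/c\s+(?P<inner>.+?)\s+1>\s*"?(?P<outfile>[^"\s]+)"?\s+2>&1\s*$',
    re.IGNORECASE)
# Where the output lands: stock wmiexec.py (loopback ADMIN$ share, __<timestamp>)
# versus the \Windows\Temp\<random> variant observed here.
OUTFILE_PATTERNS = {
    "wmiexec-stock": re.compile(r"^\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(\.\d+)?$", re.IGNORECASE),
    "wmiexec-temp-variant": re.compile(r"^\\Windows\\Temp\\[A-Za-z0-9]{4,12}$", re.IGNORECASE),
}
# What the wrapped command does (tag names are assumptions of the example).
INNER_TAGS = [
    ("enable-rdp", re.compile(r"fDenyTSConnections.*?/d\s+0", re.IGNORECASE)),
    ("open-rdp-firewall", re.compile(r"Enable-NetFirewallRule.*?Remote Desktop", re.IGNORECASE)),
    ("recon", re.compile(r"^(whoami|ipconfig|net\s+(user|group|view)|nltest|quser)\b", re.IGNORECASE)),
]


def parse_remote_exec(cmdline):
    """Return None for an ordinary command line, else a dict naming the tool
    family, the capture file, the inner command and its behaviour tags."""
    m = WRAPPER_RE.match(cmdline.strip())
    if not m:
        return None
    outfile = m.group("outfile")
    tool = next((name for name, rx in OUTFILE_PATTERNS.items() if rx.match(outfile)),
                "unknown-redirect")
    inner = m.group("inner")
    # Strip a leading "powershell" so the tag regexes see the real action.
    inner_body = inner.split(None, 1)[1] if inner.lower().startswith("powershell") and " " in inner else inner
    tags = [tag for tag, rx in INNER_TAGS if rx.search(inner_body)]
    return {"tool": tool, "outfile": outfile, "inner": inner, "tags": tags}


def triage(cmdlines):
    """Rank a host's command lines: Impacket-style capture plus a recognized
    inner action is high, capture alone medium, other cmd /Q /c redirections
    low (assumed severities)."""
    findings = []
    for line in cmdlines:
        r = parse_remote_exec(line)
        if r is None:
            continue
        if r["tool"].startswith("wmiexec"):
            sev = "high" if r["tags"] else "medium"
        else:
            sev = "low"
        findings.append((sev, r["tool"], r["tags"]))
    return findings


# Constructed samples modelled on the sanitized command lines in this write-up.
SAMPLE = [
    r"cmd.exe /Q /c powershell reg add 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f 1> \Windows\Temp\RnVkTG 2>&1",
    r"cmd.exe /Q /c powershell Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' 1> \Windows\Temp\KxPwBs 2>&1",
    r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1712345678.91 2>&1",
    r"cmd.exe /Q /c echo done 1> C:\Users\jdoe\out.txt 2>&1",
    r"cmd.exe /c dir C:\Temp > C:\Temp\list.txt",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The `unknown-redirect` bucket exists on purpose: an admin script that happens to use `cmd /Q /c ... 2>&1` should not page anyone, while the same shape writing into `ADMIN$` or `\Windows\Temp` with a random name should.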
> The operator focused on data theft, consistent with Play's double extortion model where exfiltration precedes encryption, and sometimes encryption never occurs if the data alone provides sufficient leverage.

---

## Intrusion 2 - RDP → Full Kill Chain → Ransomware in ~6 Hours

### Initial Access

**T1078 - Valid Accounts | Operator**

Network-level authentication using the built-in Administrator account, followed by interactive RDP from an unmanaged host:

```
4624 | Successful Login | Administrator | [hostname] | svchost.exe
```

```
Type 10 | 4624 | DOMAIN\[admin_account] | [attacker_ip]
```

The attacker IP was unmanaged - no EDR agent. The operator used a named admin account for interactive sessions and the built-in `Administrator` for service-level operations.

### Hyper-V Reconnaissance

**T1082 - System Information Discovery | Operator**

First action after RDP - opened the Hyper-V management console:

```
mmc.exe "C:\Windows\System32\virtmgmt.msc"
```

The operator was mapping the virtualized infrastructure before proceeding. Play has a documented ESXi-targeting variant, and surveying the hypervisor layer first is consistent with a group that plans encryption around the virtualization tier.

### Tool Deployment

**T1588.002 - Obtain Capabilities: Tool | Operator**

WinRAR and WinSCP downloaded via Chrome to a file server:

```
File creation | C:\Users\[admin]\Downloads\WinRAR-701.exe | File Size: 3.3 MB
File creation | C:\Users\[admin]\Downloads\WinSCP-6.3.6-Setup.exe | File Size: 11.6 MB
```

Both tools were installed interactively - WinRAR via its installer, WinSCP via the setup wizard.

### Data Staging - WinRAR (Systematic)

**T1560.001 - Archive Collected Data | Operator**

The operator systematically archived every department folder on the file server, using the same WinRAR flags as in Intrusion 1:

```
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Accounts Payable"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Finance"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Documents"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Jobs"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] SOPs"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Human Resources"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Scans"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Phones"
```

Service subdirectories were archived in a single compound command:

```
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\[Company] Service\Daily Dashboard reports" "C:\Data\Share\[Company] Service\SOP's" "C:\Data\Share\[Company] Service\Service Forms" "C:\Data\Share\[Company] Service\[subfolder]" "C:\Data\Share\[Company] Service\Marketplace Photos" "C:\Data\Share\[Company] Service\Warranties" "C:\Data\Share\[Company] Service\Invoices"
```

Between archiving runs, the operator browsed files via mspaint and Chrome, reviewing photos, scans, and PDFs to assess data value.

> **Detection Opportunity:** Same WinRAR `-ep1 -scul -r0` pattern. Additionally, monitor for WinRAR creating multiple multi-gigabyte `.rar` or `.partN.rar` files in rapid succession on file servers - this volume of archiving from an admin account is almost always data staging for exfiltration.

### Exfiltration - WinSCP to Attacker Infrastructure

**T1048 - Exfiltration Over Alternative Protocol | Operator**

WinSCP exfiltrated data to an attacker-controlled server:

```
Destination: [exfil_ip] | Bytes Sent: ~2.8 GB | Destination Port: [non-standard]
```

~2.8 GB in the first transfer alone. A second WinSCP session later connected on the standard FTP port:

```
Destination: [exfil_ip] | Bytes Sent: ~1 KB | Destination Port: 21
```

The small second transfer was likely a completion check or directory listing - bulk exfil was already done.

> **Detection Opportunity:** Monitor for WinSCP execution on file servers, especially with outbound connections to non-standard ports.
> The IP `[exfil_ip]` is a Vultr VPS - common infrastructure for Play exfiltration.

### Defense Evasion - Scorched Earth Across 5+ Hosts

**T1562.001 / T1562.004 / T1112 - Disable Defenses + Disable Firewall + Modify Registry | Operator**

The operator executed an identical defense evasion sequence on every host they touched. On each target:

**Enable RDP:**

```
reg.exe add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
powershell Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```

**Kill the firewall:**

```
powershell Set-NetFirewallProfile -Profile Domain Public Private -Enabled False
```

**Disable Defender via policy registry values:**

```
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg.exe add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v LocalSettingOverrideDisableRealtimeMonitoring /t REG_DWORD /d 1 /f
```

Microsoft deprecated `DisableAntiSpyware` in 2020, and on hosts with Tamper Protection enabled Defender ignores these policy values and rejects the `Set-MpPreference` real-time protection changes below. The attempts are the signal, whether or not they took effect.

**Remove Defender definitions:**

```
cmd.exe /c "c:\Program Files\Windows Defender\mpcmdrun.exe" -RemoveDefinitions -All
Set-MpPreference -DisableIOAVProtection True
```

**Add Play-specific exclusions:**

```
powershell Set-mppreference -ExclusionPath c:\Users\Public\Music
powershell Set-mppreference -ExclusionExtension .exe
powershell Set-mppreference -ExclusionProcess c:\Users\Public\Music\xxx.exe
```

The exclusion for `c:\Users\Public\Music\xxx.exe` is a placeholder - the actual ransomware binary name is generated at deployment time. The operator pre-stages the exclusion path before dropping the payload.

**Delete shadow copies:**

```
WMIC.exe shadowcopy delete /nointeractive
```

This entire sequence was observed on the file server, Hyper-V host, SQL server, quoting server, and print server - at minimum five hosts.
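The sequence above, together with the random-named service installs and the `C:\Users\Public\Music\` payload drops described in the next two sections, reduces to a per-host scoring problem. Here is an added Python example (not code from the original report or its rule set) that does that over constructed telemetry: a regex per tampering step including the Public\Music exclusion, a heuristic for PsExec-style throwaway service names in 7045 events (stock `PSEXESVC` included), and a correlation of any `.exe` written under `C:\Users\Public\Music\` within ten minutes of such a service install on the same host. Event field names, the ten-minute window, the tag names and the severity ladder are assumptions of the example; the records are constructed from the sanitized values in this write-up.

```python
"""Score per-host telemetry for the Intrusion 2 sequence: Defender and
firewall tampering, shadow-copy deletion, the Public\\Music exclusion that
pre-stages the payload, random-named 7045 service installs, and an .exe
landing under C:\\Users\\Public\\Music shortly after such an install.  Added
example for this write-up, not code from the original report; event shapes
and sample records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MUSIC = "c:\\users\\public\\music"
TAMPER_RULES = [  # (tag, regex over the process command line); tag names are assumptions
    ("defender-policy-disable", re.compile(r"Windows Defender.*?(DisableAntiSpyware|DisableRealtimeMonitoring).*?/d\s+1", re.I)),
    ("defender-definitions-removed", re.compile(r"mpcmdrun(\.exe)?.*?-RemoveDefinitions", re.I)),
    ("defender-ioav-off", re.compile(r"Set-MpPreference.*?-DisableIOAVProtection\s+(\$?true|1)", re.I)),
    ("defender-exclusion", re.compile(r"Set-MpPreference.*?-Exclusion(Path|Extension|Process)", re.I)),
    ("defender-exclusion-public-music", re.compile(r'Set-MpPreference.*?-Exclusion(Path|Process)\s+"?c:\\users\\public\\music', re.I)),
    ("firewall-off", re.compile(r"Set-NetFirewallProfile.*?-Enabled\s+(\$?false|0)", re.I)),
    ("shadow-copy-delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete|vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("rdp-enabled", re.compile(r"fDenyTSConnections.*?/d\s+0", re.I)),
]
KNOWN_PSEXEC_SERVICES = {"psexesvc"}          # stock Sysinternals PsExec service name
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,16}$")
VOWELS = set("aeiouAEIOU")


def is_random_service(name, image):
    """Heuristic for PsExec-style throwaway services: stock PSEXESVC, or a
    short alphanumeric name whose binary with the same stem sits directly in
    C:\\Windows\\ and looks generated (digits mixed in, or almost no vowels)."""
    if name.lower() in KNOWN_PSEXEC_SERVICES:
        return True
    stem = re.sub(r"\.exe$", "", image.rsplit("\\", 1)[-1], flags=re.I)
    in_windows_root = re.match(r"^c:\\windows\\[^\\]+$", image, re.I) is not None
    if not (RANDOM_NAME_RE.match(name) and stem.lower() == name.lower() and in_windows_root):
        return False
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return has_digit or vowel_ratio < 0.2


def analyze_host_events(events, window=timedelta(minutes=10)):
    """events: dicts with ts (datetime), host, kind in {process, service, file}
    plus cmdline / name+image / path.  Returns a per-host summary."""
    out = defaultdict(lambda: {"tags": set(), "services": [], "drops": [], "correlated": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        h = out[ev["host"]]
        if ev["kind"] == "process":
            h["tags"].update(tag for tag, rx in TAMPER_RULES if rx.search(ev["cmdline"]))
        elif ev["kind"] == "service" and is_random_service(ev["name"], ev["image"]):
            h["services"].append((ev["ts"], ev["name"]))
        elif ev["kind"] == "file":
            path = ev["path"].lower()
            if path.startswith(MUSIC + "\\") and path.endswith(".exe"):
                h["drops"].append(ev["path"])
                # 7045 random service install followed by a Public\Music drop
                h["correlated"].extend((svc, ev["path"]) for ts, svc in h["services"]
                                       if timedelta(0) <= ev["ts"] - ts <= window)
    return dict(out)


def host_verdict(summary):
    """Collapse one host's summary into a severity label (assumed ladder)."""
    if summary["correlated"] or "defender-exclusion-public-music" in summary["tags"]:
        return "critical"
    if summary["drops"] or summary["services"] or len(summary["tags"]) >= 3:
        return "high"
    return "medium" if summary["tags"] else "none"


T0 = datetime(2026, 4, 15, 10, 0)


def _ev(kind, host, minutes, **fields):
    return {"kind": kind, "host": host, "ts": T0 + timedelta(minutes=minutes), **fields}


# Constructed records modelled on the sanitized telemetry in this write-up.
SAMPLE_EVENTS = [
    _ev("process", "FS01", 0, cmdline=r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    _ev("process", "FS01", 1, cmdline=r'cmd.exe /c "c:\Program Files\Windows Defender\mpcmdrun.exe" -RemoveDefinitions -All'),
    _ev("process", "FS01", 2, cmdline=r"powershell Set-mppreference -ExclusionPath c:\Users\Public\Music"),
    _ev("process", "FS01", 3, cmdline=r"WMIC.exe shadowcopy delete /nointeractive"),
    _ev("service", "FS01", 5, name="R7KXNQ4VHJ2D", image=r"C:\Windows\R7KXNQ4VHJ2D.exe"),
    _ev("file", "FS01", 7, path=r"c:\users\public\music\v7kn2x.exe"),
    _ev("service", "SQL01", 4, name="M3YPWT8FG6AE", image=r"C:\Windows\M3YPWT8FG6AE.exe"),
    _ev("service", "WS07", 0, name="SecurityHealthService", image=r"C:\Windows\System32\SecurityHealthService.exe"),
    _ev("process", "WS07", 1, cmdline=r"reg.exe query HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"),
]

if __name__ == "__main__":
    for host, summary in analyze_host_events(SAMPLE_EVENTS).items():
        print(host, host_verdict(summary), sorted(summary["tags"]), summary["correlated"])
```

The point of the per-host view is tempo: in this intrusion the tampering, the service install and the drop all landed on the same host within minutes, so a rule that only fires on the exclusion or only on the 7045 event gives the analyst a ticket, while the correlation gives them a host to isolate.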
> **Detection Opportunity:** The `Set-MpPreference -ExclusionPath c:\Users\Public\Music` command is a near-perfect Play indicator - the exclusion path matches Play's known ransomware staging directory. Alert on Defender exclusions targeting `C:\Users\Public\Music\` specifically.
>
> See rule(s): [[edr-win-def-defender-tampering]] | [[edr-win-impact-inhibit-recovery]]

### Lateral Movement - PsExec-Style Mass Deployment

**T1021.002 / T1569.002 - SMB + System Services | Operator**

The operator used a PsExec-style tool to create random-named services across 15+ hosts - the classic remote service execution pattern:

```
7045 | R7KXNQ4VHJ2D | C:\Windows\R7KXNQ4VHJ2D.exe | DOMAIN\Administrator
7045 | M3YPWT8FG6AE | C:\Windows\M3YPWT8FG6AE.exe | DOMAIN\Administrator
7045 | J9BHZC5NLR1X | C:\Windows\J9BHZC5NLR1X.exe | DOMAIN\Administrator
7045 | T6DVQA2WKS8P | C:\Windows\T6DVQA2WKS8P.exe | DOMAIN\Administrator
7045 | U4FMLE7YXN3G | C:\Windows\U4FMLE7YXN3G.exe | DOMAIN\Administrator
7045 | H2RTJW9CZ5BK | C:\Windows\H2RTJW9CZ5BK.exe | DOMAIN\Administrator
7045 | E8GNPX1VA4QD | C:\Windows\E8GNPX1VA4QD.exe | DOMAIN\Administrator
7045 | K5SWUF3MH7YL | C:\Windows\K5SWUF3MH7YL.exe | DOMAIN\Administrator
```

Each service name is a random 12-character alphanumeric string, matched by a same-named binary dropped to `C:\Windows\` (the `ADMIN$` share). Stock Sysinternals PsExec installs a fixed `PSEXESVC` service with `%SystemRoot%\PSEXESVC.exe`; random names like these mean the operator either used PsExec's `-r` rename option or, more likely, a PsExec-style tool that generates throwaway names (Impacket's `psexec.py`, or the psexec module of a C2 framework). Services were created across domain controllers, file servers, SQL servers, Hyper-V hosts, workstations, and application servers.

> **Detection Opportunity:** Event ID 7045 (new service installed) with a random alphanumeric service name and a same-named binary in `C:\Windows\` is the PsExec-style remote execution pattern. High-fidelity detection - legitimate services don't use random 12-character names. Cover the stock `PSEXESVC` name in the same rule.
>
> See rule: [[edr-win-lat-remote-psexec]]

### Impact - Ransomware Deployment

**T1486 - Data Encrypted for Impact | Malware**

Ransomware payloads dropped to Play's signature staging path - `C:\Users\Public\Music\` - with random 6-character filenames:

```
c:\users\public\music\v7kn2x.exe
c:\users\public\music\r4bj8q.exe
c:\users\public\music\m1ht5w.exe
c:\users\public\music\y9cpf3.exe
c:\users\public\music\e6dga2.exe
c:\users\public\music\t3xlk8.exe
c:\users\public\music\j5wnr1.exe
c:\users\public\music\Hq9Pv4.exe
c:\users\public\music\b2fys7.exe
c:\users\public\music\8kz6ua.exe
c:\users\public\music\d4mvp9.exe
c:\users\public\music\g7ntw2.exe
c:\users\public\music\3rjc5x.exe
c:\users\public\music\f1hbq6.exe
c:\users\public\music\w8ems4.exe
```

Each binary is unique per host - Play recompiles per target. The 6-character random names are generated at deployment time.

Behavioral ransomware protection on managed endpoints detected encryption activity originating from multiple unmanaged IPs - at least four distinct source addresses were flagged. The EDR agent quarantined and deleted the ransomware binaries from `c:\users\public\music\` on protected hosts. Unmanaged hosts had no such protection.

Automated detections for Defender definition rollback and shadow copy deletion fired across multiple hosts - but by the time these triggered, the operator was already deploying ransomware. The defense evasion phase completed before the detection pipeline could escalate.

> **Detection Opportunity:** File creation events in `C:\Users\Public\Music\` with the `.exe` extension. Any executable written to this path is a strong Play indicator. Monitor for Event ID 7045 service creation followed by file creation in this directory within minutes.

---

## Cross-Intrusion Analysis

### What's Structural (Playbook)

These behaviors match Play's documented playbook; wherever an intrusion reached the relevant phase, it shows them:

| Behavior | I1 | I2 | Playbook? |
|---|:---:|:---:|---|
| WinRAR `-ep1 -scul -r0 -iext -imon1` | Yes | Yes | **Yes - identical flags across both, matches public Play reporting (GUI-generated form, not Play-exclusive)** |
| WinSCP for exfiltration | Yes | Yes | **Yes - Play's documented exfil tool of choice** |
| RDP initial access with admin creds | Yes | Yes | **Yes - Play consistently uses valid accounts** |
| Manual document browsing before staging | Yes | Yes | **Yes - target selection is human-driven, not automated** |
| `C:\Users\Public\Music\` staging path | - | Yes | **Yes - Play's signature ransomware drop location** |
| Defender registry tampering | - | Yes | **Yes - documented in CISA AA23-352A** |
| Shadow copy deletion via WMIC | - | Yes | **Yes - standard pre-encryption step** |
| Tool delivery from `C:\PerfLogs\` | Yes | - | Partial - observed in Play and other groups |

### What Differs (Environmental Adaptation)

| Dimension | Intrusion 1 | Intrusion 2 |
|---|---|---|
| Lateral movement tool | Impacket WmiExec | PsExec-style (random service names) |
| Defense evasion depth | Minimal (enable RDP only) | Full kill chain (Defender, firewall, VSS, exclusions) |
| Impact | None (interrupted) | Ransomware on 15+ hosts |
| Tempo | Multi-session, patient | Single session, ~6 hours |
| Account switching | Yes (primary → backup admin after disable) | No (single admin account throughout) |
| Exfil destination | Unknown | [exfil_ip] (Vultr VPS) |

### Operator Tradecraft Tells

**Intrusion 1** - The more careful operator. Checked bandwidth (speedtest.net) and geolocation (mylocation.org) before exfiltration. Adapted to defender intervention by switching accounts. Uninstalled WinRAR as cleanup. No ransomware deployment suggests either that the data alone was sufficient leverage or that the interrupted access prevented escalation.

**Intrusion 2** - The more aggressive operator. Full scorched earth: disabled Defender on every host, killed firewalls, deleted shadow copies, pre-staged Defender exclusions for the ransomware path.
PsExec-style mass deployment across 15+ hosts in rapid succession. The ~6 hour tempo from initial access to ransomware detonation shows a rehearsed playbook with no hesitation.

### What Defenders Should Take Away

1. **WinRAR flags are a durable detection.** The `-ep1 -scul -r0` combination is consistent across both intrusions and public Play reporting. Because it is the GUI's default archiving command line, it catches hands-on-keyboard staging by any operator, not Play alone; pair it with host role and archive volume.
2. **`C:\Users\Public\Music\` is a known staging path.** Any executable written there warrants immediate investigation.
3. **Defender exclusion targeting `C:\Users\Public\Music\` is pre-staging.** The operator adds the exclusion *before* dropping the payload - if you catch the exclusion, you're ahead of the encryption.
4. **WinSCP on file servers is abnormal.** Legitimate WinSCP usage on production file servers is rare - alert on it.
5. **Random service names in 7045 events are high-fidelity.** Event ID 7045 with a random alphanumeric service name and a same-named binary in `C:\Windows\`, installed by a domain admin account, is almost never legitimate.

---

## Detection Coverage Summary

### Detections

| Rule | Intrusion | Phase |
|---|---|---|
| [[edr-win-lat-impacket-wmiexec]] | I1 | Lateral movement |
| [[edr-win-lat-remote-psexec]] | I2 | Lateral movement (PsExec-style mass deploy) |
| [[edr-win-def-defender-tampering]] | I2 | Defense evasion |
| [[edr-win-impact-inhibit-recovery]] | I2 | Shadow copy deletion |

### Gaps

| Gap | Intrusion | Why It Matters |
|---|---|---|
| WinRAR staging with `-ep1 -scul -r0` flags | I1, I2 | Play's most consistent behavioral signature has no STAR rule |
| WinSCP command-line FTP/SFTP exfil | I1, I2 | Primary exfiltration tool, no automated detection |
| File creation in `C:\Users\Public\Music\` | I2 | Play's ransomware drop path, detectable via file monitoring |
| Defender exclusion for specific paths | I2 | Pre-staging indicator - catching this means you're ahead of encryption |
| RDP from unmanaged IPs | I1, I2 | Initial access signal, requires asset inventory correlation |

---

## References

- [CISA/FBI/ASD - #StopRansomware: Play Ransomware (AA23-352A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a) (Dec 2023, updated Jun 2025)
- [Unit 42 - Jumpy Pisces Engages in Play Ransomware](https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/) (Oct 2024)
- [ESET - Shifting the Sands of RansomHub's EDRKillShifter](https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/) (Mar 2025)
- [Symantec - Play Ransomware Custom Data-Gathering Tools](https://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy) (2023)
- [Trend Micro - Pressing Pause on a Play Ransomware Attack](https://www.trendmicro.com/en_us/research/24/h/pressing-pause-on-play-ransomware.html) (Aug 2024)
- [The DFIR Report - Blurring the Lines: Three Ransomware Gangs](https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/) (Sep 2025)
- [Secureworks - GOLD ENCORE Threat Profile](https://www.secureworks.com/research/threat-profiles/gold-encore) (ongoing)
- [Ransomware.live - Play Tracker](https://www.ransomware.live/group/play) (ongoing)