Cyber Resilience

Threat actor · all actors

PlayG1040 unknown

aka Play

Last updated: 2026-07-03

0attributed CVEs
35ATT&CK techniques
0.0IDF score (tooling uniqueness)
0exclusive CVEs
years active

About this actor

[Play](https://attack.mitre.org/groups/G1040) is a ransomware group that has been active since at least 2022 deploying [Playcrypt](https://attack.mitre.org/software/S1162) ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Play](https://attack.mitre.org/groups/G1040) actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Source: MITRE ATT&CK

Activity timeline

No activity events recorded.

Profile

CVERiskCVSSEPSSPublishedProducts
No attributed CVEs.

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-422 / 3563%
CM-620 / 3557%
AC-317 / 3549%
AC-617 / 3549%
CM-217 / 3549%
SI-316 / 3546%
AC-215 / 3543%
AC-514 / 3540%
CA-713 / 3537%
CM-712 / 3534%
IA-212 / 3534%
CM-511 / 3531%
SI-710 / 3529%
SC-79 / 3526%
AC-178 / 3523%

Co-occurring actors

None.

Similar actors

Similar TTPs