Play Ransomware

Also known as: PlayCrypt, Balloonfly

Overview

Ransomware group exploiting FortiOS and Microsoft Exchange vulnerabilities. Known for rapid encryption and targeting managed service providers for downstream access.

MITRE ATT&CK Coverage

Recon
Res Dev
Init Access
Execution
Persistence
Priv Esc
Def Evasion
Cred Access
Discovery
Lat Move
Collection
C2
Exfil
Impact
2 of 14 tactics observed

Raw TTPs

FortiOS Exploitation
Exchange Exploitation
MSP Targeting
Intermittent Encryption
LOLBins
