How We Decrypted Play Ransomware and Recovered 4 Physical Servers
Play ransomware is a sophisticated threat that has been targeting various organizations. It first appeared in 2022 and mainly affects companies in the USA and Canada. Today, we’ll share a case study about how we successfully recovered data encrypted by Play ransomware.
Client Background
In October 2024, we were contacted via WhatsApp by a person named James, an IT professional at a U.S.-based company. Due to privacy concerns, we cannot disclose the company’s name. Four physical servers were infected by Play ransomware. These servers hosted over 20 virtual machines and contained around 10 TB of important data. All files were encrypted with the .play extension.
Decryption Process
The client sent us several encrypted PDF and JPEG files along with ransom notes. We tested these files on our server and provided a sample decryption for verification. After confirming the results, he asked about the recovery cost. We agreed on $5,400, paid in USDT (Tether).
Once the payment was confirmed, we asked for an email address to send the Play Ransomware Decryptor. We generated the decryptor on our server and sent it via email, along with a complete usage guide. James used the tool to decrypt each server one by one, successfully recovering all data. The entire process took about 3 to 4 hours.
Post-Recovery
After the decryption, we scanned the company’s network and found that the ransomware had entered through a vulnerability in their VPN. We helped fix this issue and then concluded the case.