Play Ransomware Group Adds U.S.-Based Executive Aviation to its Victim List

Executive Summary

On March 15, 2026, the prolific Play ransomware group claimed to have successfully breached Executive Aviation, a U.S.-based company in the aviation industry. The group added the company to its data leak site, employing a classic double-extortion tactic by threatening to release stolen sensitive data if their ransom demands are not met. The incident underscores the persistent and growing threat that ransomware poses to critical infrastructure sectors, including aviation.

The Play group, active since at least June 2022, is known for its sophisticated attack methods and has been the subject of a CISA advisory. Their tactics often involve exploiting vulnerabilities in public-facing network devices and using custom tools to bypass security measures. This attack on Executive Aviation is a stark reminder for all organizations, particularly those in critical sectors, to prioritize cybersecurity hygiene and incident response preparedness.

Threat Overview

• Victim: Executive Aviation, a U.S. aviation company.
• Threat Actor: Play ransomware (also known as Playcrypt).
• Attack Type: Ransomware, Data Breach, Double Extortion.
• Timeline: Claim of attack posted on March 15, 2026.
• Motive: Financial gain.

Technical Analysis (Typical Play Ransomware TTPs)

While specifics of the Executive Aviation breach are not public, the general Tactics, Techniques, and Procedures (TTPs) of the Play ransomware group are well-documented by CISA and security researchers.

1. Initial Access: Play operators frequently gain initial access by exploiting unpatched vulnerabilities in public-facing services. They are known to target Fortinet SSL VPN vulnerabilities (T1190 - Exploit Public-Facing Application) and exposed Remote Desktop Protocol (RDP) servers (T1133 - External Remote Services).
2. Execution & Discovery: Once inside, they use standard Windows tools like net.exe and wevtutil.exe for discovery and defense evasion. They also use more advanced tools like AdFind to query Active Directory and map out the network.
3. Credential Access: The group uses Mimikatz to harvest credentials from compromised systems, enabling them to escalate privileges and move laterally across the network (T1003 - OS Credential Dumping).
4. Defense Evasion: Before deploying the ransomware, Play operators attempt to disable security software. They use tools like GMER or their own custom code to terminate processes and services associated with antivirus and EDR solutions (T1562.001 - Disable or Modify Tools). They also clear event logs to hide their tracks.
5. Impact (T1486 - Data Encrypted for Impact): The final stage involves deploying the Play ransomware payload, which encrypts files and appends a .play extension. A ransom note, typically named ReadMe.txt, is dropped in encrypted directories, instructing the victim on how to contact the attackers.

Impact Assessment

• Operational Disruption: An attack on an aviation company can disrupt flight scheduling, maintenance logs, passenger data systems, and other critical operations, potentially leading to grounded flights and safety risks.
• Data Breach: The exfiltration of data could include sensitive corporate information, employee PII, and potentially customer or flight manifest data, leading to regulatory fines and reputational damage.
• Financial Loss: The victim faces the cost of the ransom demand, business downtime, and extensive remediation and recovery efforts.
• Critical Infrastructure Risk: This attack highlights the vulnerability of the Transportation sector. A successful, widespread attack in this industry could have cascading effects on national and global logistics.

Cyber Observables for Detection

Defenders should hunt for common Play TTPs:

Detection & Response

1. Monitor Remote Access Services: Continuously monitor logs from VPNs, RDP gateways, and other remote access solutions for anomalous login attempts, brute-force attacks, or connections from suspicious IP addresses. This aligns with D3FEND Network Traffic Analysis.
2. Audit Tool Usage: Create detection rules for the execution of legitimate tools that are frequently abused by attackers, such as AdFind.exe, PsExec.exe, and wevtutil.exe. While these can have legitimate uses, their execution by non-admin users or in unusual contexts should trigger an alert.
3. File-Share Monitoring: Use canaries or honeyfiles on network shares. An alert on the encryption or modification of these decoy files can provide a very early warning that a ransomware process has started.

Mitigation

1. Patch Management (M1051 - Update Software): Prioritize patching of internet-facing systems, especially VPN appliances like Fortinet, which are known targets for Play ransomware.
2. Secure Remote Access (M1032 - Multi-factor Authentication): Enforce phishing-resistant MFA on all remote access accounts. Disable RDP access from the internet entirely, requiring users to connect via a secure VPN gateway first.
3. Immutable Backups: Maintain offline and immutable backups of critical data. Regularly test the restoration process to ensure you can recover in the event of a successful attack. This is the most critical defense for ransomware resilience.
4. Network Segmentation (M1030 - Network Segmentation): Segment the network to prevent ransomware from spreading from workstations to critical servers. Use firewalls to restrict communication between network segments to only what is strictly necessary.