Detecting a Play Ransomware Attack Case Using AhnLab EDR

2025-01-02 AhnLab 2. Privilege Escalation

https://asec.ahnlab.com/ko/85444/

AhnLab describes detection of a Play ransomware intrusion using EDR telemetry and notes that Play, also known as Balloonfly or PlayCrypt, has attacked more than 300 organizations since 2022. The report highlights double-extortion behavior through data theft before encryption and references Unit 42 reporting on collaboration between Play ransomware operators and Andariel. In the described case, Andariel used Sliver and DTrack to steal information, after which Play ransomware activity occurred through the same attack infrastructure.

Related Actors

First seen: Jul 2017
Last seen: May 2026
