Play Ransomware

2025-02-10 Any Run

https://any.run/malware-trends/play/


Play, also known as PlayCrypt, is a double extortion ransomware family active since mid-2022 against corporations, municipal entities, and critical infrastructure in the Americas and Europe. The source describes initial access through exposed services, phishing, compromised websites, valid accounts, and vulnerabilities such as ProxyNotShell, followed by lateral movement with PowerShell, PsExec, Cobalt Strike, or SystemBC. Operators exfiltrate data before encrypting files with intermittent AES-RSA encryption, append the .play extension, and leave ReadMe.txt ransom notes. The report is useful for tracking Play intrusion patterns, especially exploitation of public-facing applications and reliance on living-off-the-land tools before encryption.
