Threat Intelligence Tarot
Vol. II · 100
Criminal (suspected Eastern European)
risk 3/5
The Gambit
Play
PlayCrypt · Balloonfly
Government · Healthcare · Critical infrastructure · Municipalities · Media
Active since June 2022 · Financial extortion
The Gambit opens not with a bishop sacrifice but with an exploited ProxyNotShell, advancing pawns through municipal networks until the entire civic infrastructure is in check. It targets governance itself.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1078 Valid Accounts (Defense Evasion)
  • T1486 Data Encrypted for Impact (Impact)
  • T1490 Inhibit System Recovery (Impact)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)
  • T1059.001 PowerShell (Execution)
  • T1021.002 SMB/Windows Admin Shares (Lateral Movement)
Notable Operations
  • City of Oakland ransomware attack (2023, state of emergency declared)
  • Dallas County breach affecting 300,000 residents
  • 300+ organizations attacked globally across sectors
  • Former Hive RaaS affiliates transitioning to Play
Defenses
  • Exchange Server patching prioritized within 24 hours of critical CVE disclosure
    CIS Control 7
  • SMB access restrictions and lateral movement detection via network monitoring
    NIST CSF: DE.CM
  • VSS and backup integrity protection to prevent ransomware recovery disruption
    CIS Control 11
  • Government and municipal tabletop exercises for ransomware scenarios
    NIST CSF: RC.RP
Reversed: Their Weakness
Its reliance on known Exchange vulnerabilities is its most exploitable weakness. Fully patched Exchange environments combined with MFA on admin interfaces eliminate its most reliable initial access chains.

Data sourced from MITRE ATT&CK. For educational purposes.