Ransomware Sept 26, 2025

Play RaaS pivots to brokered access in LATAM healthcare

Play ransomware affiliates are experimenting with brokered access packages that target mid-sized healthcare providers across Latin America. Initial telemetry highlights a hybrid model that pairs credential shops with bespoke intrusion crews, shortening dwell time and compressing negotiation windows.

Key developments

  • Dedicated brokers on XSS and Exploit released bundles with VPN, EMR, and insurer portal access sourced from compromised medical billing vendors.
  • Affiliates leverage Play's double-extortion kit but outsource initial footholds to Spanish-speaking crews familiar with regional infrastructure.
  • Two observed incidents shifted from initial intrusion to leak-site publication in under 72 hours, indicating faster negotiation cutoffs.

Analyst notes

Network telemetry and chatter point to a Play affiliate cell that lost traction in North America following major takedowns. Latin America's fragmented insurance clearinghouses create asymmetric visibility gaps, making brokered access appealing. Hospital groups relying on remote third-party billing firms are particularly exposed, and we expect higher-pressure leak tactics aimed at clinical data.
