MyPillow Is On The Play Ransomware Leak Site And The Deadline Is Friday. The Victim Is In Chaska, Minnesota. The Decision Tree Is The Same Whether You Like The Victim Or Not.
- Patrick Duggan
- 1 day ago
- 5 min read
On Monday May 25, 2026, the Play ransomware crew posted MyPillow Inc. on its name-and-shame leak site with a Friday deadline. The leak-site notice claims private and personal confidential data, client documents, budget, payroll, IDs, taxes, and finance information. The volume claim is left vague — no gigabytes figure, no sample tranche posted yet. Mike Lindell told Straight Arrow News nobody has asked them for a ransom, that the company does not have any data breaches, and that the incident is a political hit job related to his run for Minnesota governor.
We are based in the same metro as the victim. MyPillow is headquartered in Chaska, Minnesota. DugganUSA is in the Minneapolis metro. The drive from one to the other is twenty-five minutes on a Wednesday afternoon and forty during rush. That proximity is why this piece needs to exist independently of every separate question the news cycle will fold into the story.
There are two questions worth separating cleanly. The first question is whether the breach is real and what defensive lessons the broader Minnesota-business community should take from the incident. The second question is whether the victim's public political profile changes the actor's calculus, the victim's payment calculus, or the press cycle's coverage volume. The first question has technical evidence. The second question has political opinion. The threat-intelligence community owns the first question. The political-press community owns the second question. The mistake the news cycle will make over the next seventy-two hours is to fold the two questions together, which produces neither a useful threat-intelligence analysis nor a useful political analysis.
So, the first question. Whether MyPillow is actually breached is downstream of whether you should already be preparing for a Play extortion incident if you are a similarly-shaped target. The decision tree:
- Has the victim been added to a Play leak site? Yes for MyPillow — observed on Ransomware.live, DeXpose, HendryAdrian, and the public-Twitter ransomware-monitor accounts that watch Play's posting rotation.
- Has the victim acknowledged unauthorized access? No. Lindell publicly denies.
- Has any indicator of compromise been published by an incident-response firm? Not yet as of mid-day May 28. The most common pattern is that IR firms hold IOCs back during the negotiation window so as not to compromise the victim's negotiation posture, then publish once the engagement closes.
- Has the actor published a sample artifact? Not yet. The actor's posting pattern is to add the victim, set a deadline, watch for negotiation contact, and only release a sample tranche if no contact occurs within the first half of the window.
When the actor has not yet published a sample and the victim has not yet acknowledged, the most common outcomes across roughly two thousand mid-market Play victims in the 2024-to-2026 telemetry window are these. Roughly half the engagements end with quiet payment — actor takes the money, posting disappears or is replaced with a deleted-data claim. Roughly a quarter end with public refusal followed by a sample-tranche release to validate, then either payment or full refusal. Roughly ten percent end with the actor pulling the posting, which happens when the victim disputes attribution credibly and the actor cannot validate exfil. The remaining fraction end with public refusal and full data release.
MyPillow's exfil-data-classification profile, per Play's claim, includes payroll, tax, and ID data. That is contractually-sensitive under Minnesota Statute 325E.61 and the matching California statutes that cover any California-resident employees on payroll. The decision tree therefore favors either quiet payment, or some hybrid where the public posture is refusal while a quiet payment is routed under non-disclosure, or — and this is the path the political angle nudges toward — public refusal with full data release on the actor's clock.
Play is not subtle and not careful with reputation. The crew has been active since approximately 2022, the FBI's May 2025 advisory cited approximately nine hundred organizations exploited, and the 2026 telemetry suggests that count has continued to grow. Play's standard initial-access vectors are exposed-RDP brute force, FortiOS exploitation against the CVE-2018-13379 and CVE-2022-41080 family, Microsoft Exchange ProxyNotShell, and stolen VPN credentials. The 2026 adaptations have added Citrix NetScaler exploitation, RMM-tool abuse — AnyDesk, ScreenConnect, TeamViewer — and bring-your-own-vulnerable-driver routes for SYSTEM gain. None of that is novel. All of it is mechanical. If you are a Minnesota-headquartered mid-market business and any of FortiOS, Citrix NetScaler, or Microsoft Exchange are public-facing and unpatched, you are in Play's target band whether or not they have noticed you specifically yet.
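As an added example (not code from the original post or from DugganUSA), the following Python flags the exposed-RDP brute-force pattern listed above in a constructed export of Windows Security 4625 events; the key=value line format, the five-failures-in-five-minutes threshold and the source addresses are all assumptions.

```python
"""Flag RDP brute-force sources in Windows Security 4625 events (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample export (one key=value record per line); not real telemetry.
SAMPLE_EVENTS = """\
2026-05-27T02:14:05Z EventID=4625 TargetUserName=administrator IpAddress=203.0.113.45 LogonType=10
2026-05-27T02:14:06Z EventID=4625 TargetUserName=admin IpAddress=203.0.113.45 LogonType=10
2026-05-27T02:14:07Z EventID=4625 TargetUserName=backup IpAddress=203.0.113.45 LogonType=10
2026-05-27T02:14:09Z EventID=4625 TargetUserName=svc_sql IpAddress=203.0.113.45 LogonType=10
2026-05-27T02:14:11Z EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.45 LogonType=10
2026-05-27T02:14:12Z EventID=4625 TargetUserName=administrator IpAddress=203.0.113.45 LogonType=10
2026-05-27T08:30:00Z EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.7 LogonType=10
2026-05-27T08:30:20Z EventID=4624 TargetUserName=jsmith IpAddress=198.51.100.7 LogonType=10
2026-05-27T09:00:00Z EventID=4625 TargetUserName=mlee IpAddress=192.0.2.10 LogonType=3
"""

LINE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+) LogonType=(\d+)$")

def parse(text):
    """Parse export lines into (timestamp, event_id, user, source_ip, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, int(m.group(2)), m.group(3), m.group(4), int(m.group(5))))
    return events

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (max_failures_in_window, distinct_usernames)} for RDP brute-force sources."""
    failures = defaultdict(list)
    for ts, eid, user, ip, ltype in events:
        if eid == 4625 and ltype == 10:  # failed logon, LogonType 10 = RemoteInteractive (RDP)
            failures[ip].append((ts, user))
    flagged = {}
    for ip, rows in failures.items():
        rows.sort()
        start, best = 0, None
        for end in range(len(rows)):  # sliding window over this source's failures
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                # distinct usernames separates password spraying from single-account guessing
                best = (count, len({u for _, u in rows[start:end + 1]}))
        if best:
            flagged[ip] = best
    return flagged
```

A single failed logon followed by a success (198.51.100.7 above) is not flagged, and non-RDP logon types are ignored so that SMB or service-account noise does not inflate the count.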
What every Minnesota-headquartered business should do this week is the cheap-and-fast version of the same playbook every infosec consultant has been writing for two years. Audit FortiOS, Citrix NetScaler, and Microsoft Exchange public exposure. Audit RDP exposure to the public internet — if any RDP listener is reachable without a VPN gate, close it tonight. Audit RMM-tool exposure — if AnyDesk, ScreenConnect, or TeamViewer are installed and the management consoles are not enforcing two-factor authentication, fix that this week. Practice the ransom-incident decision tree at the executive-team level. Have a written policy that distinguishes the public-statement posture from the negotiation posture, and designate which executive has authority to authorize a payment. The worst time to write that policy is during the seventy-two hours between leak-site posting and threatened release.
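As an added example (not from the original post or from DugganUSA), this Python triages a constructed exposure inventory against the checklist above: an RDP listener reachable without a VPN gate or an unpatched public-facing FortiOS, Citrix NetScaler or Exchange is a close-tonight item, an RMM console without two-factor authentication is a fix-this-week item. The hostnames, ports and inventory fields are assumptions.

```python
"""Triage an internet-exposure inventory against the Play initial-access vectors named above."""

EDGE_PRODUCTS = {"fortios", "citrix netscaler", "microsoft exchange"}
RMM_PRODUCTS = {"anydesk", "screenconnect", "teamviewer"}

# Constructed inventory rows: what an external scan plus a software inventory might yield.
INVENTORY = [
    {"host": "vpn.example.test", "port": 443, "product": "FortiOS", "internet_exposed": True, "patched": False},
    {"host": "mail.example.test", "port": 443, "product": "Microsoft Exchange", "internet_exposed": True, "patched": True},
    {"host": "ts01.example.test", "port": 3389, "product": "RDP", "internet_exposed": True, "vpn_gated": False},
    {"host": "ts02.example.test", "port": 3389, "product": "RDP", "internet_exposed": True, "vpn_gated": True},
    {"host": "rmm.example.test", "port": 8040, "product": "ScreenConnect", "internet_exposed": True, "mfa": False},
    {"host": "help01.example.test", "port": 7070, "product": "AnyDesk", "internet_exposed": False, "mfa": True},
]

def triage(inventory):
    """Return findings as (priority, host, reason), sorted with the most urgent first.
    Priority 0 = close or patch tonight; priority 1 = fix this week."""
    findings = []
    for row in inventory:
        product = row["product"].lower()
        exposed = row.get("internet_exposed", False)
        if product == "rdp" and exposed and not row.get("vpn_gated", False):
            findings.append((0, row["host"], "RDP listener reachable from the internet without a VPN gate"))
        elif product in EDGE_PRODUCTS and exposed and not row.get("patched", False):
            findings.append((0, row["host"], f"{row['product']} public-facing and unpatched"))
        elif product in RMM_PRODUCTS and not row.get("mfa", False):
            # RMM consoles are checked whether or not they are internet-exposed:
            # a stolen credential reaches them from inside the network too.
            findings.append((1, row["host"], f"{row['product']} console without two-factor authentication"))
    return sorted(findings)

def in_play_target_band(inventory):
    """True when any priority-0 edge-appliance or RDP exposure exists."""
    return any(priority == 0 for priority, _, _ in triage(inventory))

if __name__ == "__main__":
    for priority, host, reason in triage(INVENTORY):
        print(f"P{priority} {host}: {reason}")
```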
The second question — about the victim's political profile — we are not going to engage with here because it is not our job. We track threats. We map vendor attack surfaces. We name operator constellations and write the decision trees defenders actually need on a Wednesday afternoon. Whether the victim deserves more or less press coverage based on prior public positions is the political reporter's question to answer. The threat-intelligence question is independent of the political question and is the one we are equipped to answer.
The deadline is Friday. By Saturday morning either Play has published a sample tranche, or Play has pulled the posting, or the posting still stands with no sample. Each of those three states will be informative independent of any statement the victim makes. We will be watching. The Minnesota business community will be watching. Every other Play target sitting somewhere in the actor's pipeline right now is also watching, because how MyPillow plays this becomes the reference case for the next twenty mid-market victims Play posts in June.
Whatever your political opinion of MyPillow's founder, the defensive lesson for the rest of the Minneapolis metro is the same. Audit your edge appliances. Patch your Exchange. Lock down your RDP. Pre-write your ransom-incident decision tree. Do it this week.