In an replace to a joint advisory with CISA and the Australian Cyber Safety Centre, the FBI stated that the Play ransomware gang had breached roughly 900 organizations as of Might 2025, thrice the variety of victims reported in October 2023.
“Since June 2022, the Play (often known as Playcrypt) ransomware group has impacted a variety of companies and significant infrastructure in North America, South America, and Europe. Play ransomware was among the many most energetic ransomware teams in 2024,” the FBI warned.
“As of Might 2025, FBI was conscious of roughly 900 affected entities allegedly exploited by the ransomware actors.”
At the moment’s replace additionally notes that the gang makes use of recompiled malware in each assault, making it harder for safety options to detect and block it. Moreover, some victims have been contacted by way of cellphone calls and threatened to pay the ransom to forestall their stolen knowledge from being leaked on-line.
For the reason that begin of the yr, preliminary entry brokers with ties to Play ransomware operators have additionally exploited a number of vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) within the distant monitoring and administration device in distant code execution assaults focusing on U.S. organizations.
In a single such incident, unknown menace actors focused susceptible SimpleHelp RMM shoppers to create admin accounts, backdoored the compromised methods with Sliver beacons, doubtlessly making ready them for future ransomware assaults.
The Play ransomware-as-a-service (RaaS) operation
The Play ransomware gang surfaced virtually three years in the past, with the primary victims reaching out for assist in BleepingComputer’s boards in June 2022. Earlier than deploying ransomware on the victims’ networks, Play associates steal delicate paperwork from compromised methods and use them to strain victims into paying ransom calls for underneath the specter of publishing the stolen knowledge on the gang’s darkish net leak website.
Nevertheless, in contrast to different ransomware operations, Play ransomware makes use of electronic mail as a negotiation channel and won’t present victims with a Tor negotiations web page hyperlink.
The ransomware gang additionally makes use of a customized VSS Copying Software that helps steal recordsdata from shadow quantity copies, even when utilized by different purposes.
Earlier high-profile Play ransomware victims embrace cloud computing firm Rackspace, the Metropolis of Oakland in California, Dallas County, automotive retailer large Arnold Clark, the Belgian metropolis of Antwerp, and, extra not too long ago, doughnut chain Krispy Kreme and American semiconductor provider Microchip Know-how.
In steerage issued by the FBI, CISA, and the Australian Cyber Safety Centre, safety groups are urged to prioritize preserving their methods, software program, and firmware updated to cut back the probability that unpatched vulnerabilities are exploited in Play ransomware assaults.
Defenders are additionally suggested to implement multifactor authentication (MFA) throughout all companies, specializing in VPN, webmail, and accounts with entry to essential methods of their organizations’ networks.
Moreover, they need to keep offline knowledge backups and develop and take a look at a restoration routine as a part of their group’s normal safety practices.
Handbook patching is outdated. It is gradual, error-prone, and difficult to scale.
Be part of Kandji + Tines on June 4 to see why outdated strategies fall quick. See real-world examples of how trendy groups use automation to patch quicker, lower threat, keep compliant, and skip the complicated scripts.
