In an replace to a joint advisory with CISA and the Australian Cyber Safety Centre, the FBI mentioned that the Play ransomware gang had breached roughly 900 organizations as of Could 2025, thrice the variety of victims reported in October 2023.
“Since June 2022, the Play (also called Playcrypt) ransomware group has impacted a variety of companies and significant infrastructure in North America, South America, and Europe. Play ransomware was among the many most energetic ransomware teams in 2024,” the FBI warned.
“As of Could 2025, FBI was conscious of roughly 900 affected entities allegedly exploited by the ransomware actors.”
Immediately’s replace additionally notes that the gang makes use of recompiled malware in each assault, making it harder for safety options to detect and block it. Moreover, some victims have been contacted through telephone calls and threatened to pay the ransom to stop their stolen information from being leaked on-line.
For the reason that begin of the yr, preliminary entry brokers with ties to Play ransomware operators have additionally exploited a number of vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) within the distant monitoring and administration device in distant code execution assaults focusing on U.S. organizations.
In a single such incident, unknown risk actors focused weak SimpleHelp RMM shoppers to create admin accounts, backdoored the compromised programs with Sliver beacons, doubtlessly getting ready them for future ransomware assaults.
The Play ransomware-as-a-service (RaaS) operation
The Play ransomware gang surfaced virtually three years in the past, with the primary victims reaching out for assist in BleepingComputer’s boards in June 2022. Earlier than deploying ransomware on the victims’ networks, Play associates steal delicate paperwork from compromised programs and use them to strain victims into paying ransom calls for below the specter of publishing the stolen information on the gang’s darkish internet leak website.
Nevertheless, not like different ransomware operations, Play ransomware makes use of e-mail as a negotiation channel and won’t present victims with a Tor negotiations web page hyperlink.
The ransomware gang additionally makes use of a customized VSS Copying Device that helps steal information from shadow quantity copies, even when utilized by different purposes.
Earlier high-profile Play ransomware victims embrace cloud computing firm Rackspace, the Metropolis of Oakland in California, Dallas County, automobile retailer big Arnold Clark, the Belgian metropolis of Antwerp, and, extra lately, doughnut chain Krispy Kreme and American semiconductor provider Microchip Know-how.
In steering issued by the FBI, CISA, and the Australian Cyber Safety Centre, safety groups are urged to prioritize preserving their programs, software program, and firmware updated to scale back the chance that unpatched vulnerabilities are exploited in Play ransomware assaults.
Defenders are additionally suggested to implement multifactor authentication (MFA) throughout all providers, specializing in VPN, webmail, and accounts with entry to essential programs of their organizations’ networks.
Moreover, they need to keep offline information backups and develop and take a look at a restoration routine as a part of their group’s customary safety practices.
Handbook patching is outdated. It is gradual, error-prone, and difficult to scale.
Be part of Kandji + Tines on June 4 to see why outdated strategies fall brief. See real-world examples of how trendy groups use automation to patch quicker, reduce threat, keep compliant, and skip the complicated scripts.
