Sunday, September 14, 2025

Play ransomware breached 900 victims, including critical orgs


In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.

“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024,” the FBI warned.

“As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors.”

Today’s update also notes that the gang uses recompiled malware in every attack, making it more difficult for security solutions to detect and block it. Additionally, some victims have been contacted via phone calls and threatened into paying the ransom to prevent their stolen data from being leaked online.

Since the start of the year, initial access brokers with ties to Play ransomware operators have also exploited several vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in the remote monitoring and management tool in remote code execution attacks targeting U.S. organizations.

In one such incident, unknown threat actors targeted vulnerable SimpleHelp RMM clients to create admin accounts and backdoored the compromised systems with Sliver beacons, potentially preparing them for future ransomware attacks.

The Play ransomware-as-a-service (RaaS) operation

The Play ransomware gang surfaced almost three years ago, with the first victims reaching out for help in BleepingComputer’s forums in June 2022. Before deploying ransomware on the victims’ networks, Play affiliates steal sensitive documents from compromised systems and use them to pressure victims into paying ransom demands under the threat of publishing the stolen data on the gang’s dark web leak site.

However, unlike other ransomware operations, Play ransomware uses email as a negotiation channel and will not provide victims with a Tor negotiations page link.

The ransomware gang also uses a custom VSS Copying Tool that helps steal files from shadow volume copies, even when in use by other applications.

Previous high-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland in California, Dallas County, car retailer giant Arnold Clark, the Belgian city of Antwerp, and, more recently, doughnut chain Krispy Kreme and American semiconductor supplier Microchip Technology.

In guidance issued by the FBI, CISA, and the Australian Cyber Security Centre, security teams are urged to prioritize keeping their systems, software, and firmware up to date to reduce the likelihood that unpatched vulnerabilities are exploited in Play ransomware attacks.

Defenders are also advised to implement multifactor authentication (MFA) across all services, focusing on VPN, webmail, and accounts with access to critical systems in their organizations’ networks.

Additionally, they should maintain offline data backups and develop and test a recovery routine as part of their organization’s standard security practices.


