
Play Ransomware Threatens Global Organizations: FBI Issues Urgent Warning
FBI Warns: Play Ransomware Breaches 900 Organizations, Including Critical Infrastructure
Author: Cyberanansi
#CyberSecurityAlert
The Play ransomware gang, also known as Playcrypt, has substantially broadened its reach, compromising around 900 organizations worldwide as of May 2025. This worrisome statistic, detailed in a newly updated joint advisory from the FBI, CISA, and the Australian Cyber Security Centre, marks a threefold increase in victims since October 2023.
Escalating Threat and Global Footprint
Since its debut in June 2022, the Play ransomware-as-a-service (RaaS) operation has become one of the most active ransomware groups in 2024. This adversary targets a vast array of companies and critical infrastructures across North America, South America, and Europe. Recent updates from the FBI underscore the pervasive and escalating nature of its activities.
Sophisticated Tactics and Execution
The Play gang utilizes a sophisticated array of tactics to avoid detection, gain access, and coerce victims:
- Dynamic Malware: The group employs recompiled malware in each attack to hinder detection and blocking by security solutions.
- Direct Threats: Victims have been directly contacted via phone calls and threatened with the public release of their stolen data if the ransom is not paid.
- Exploitation of Vulnerabilities: Initial access brokers with connections to Play ransomware operators have actively exploited several vulnerabilities (specifically CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote monitoring and management (RMM) tools, facilitating remote code execution attacks.
- System Compromise Techniques: In one observed case, unidentified threat actors targeted vulnerable SimpleHelp RMM clients to create unauthorized administrator accounts and then backdoored the compromised systems with Sliver beacons.
- Pre-Ransomware Data Exfiltration: A strategy involves stealing sensitive documents from breached systems before deploying the ransomware, using the data to pressure victims into paying ransoms.
- Unique Negotiation Channel: Unlike other ransomware operations, Play exclusively uses email for negotiation and does not furnish a Tor negotiations page link.
- Custom File Theft Tool: The gang utilizes a custom VSS Copying Tool that enables them to steal files from shadow volume copies.
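The account-creation behaviour listed above (a new local account that is promoted to Administrators within seconds of being created by a remote-management context) is the kind of thing a detection engineer can correlate from Windows Security events. The script below is an added example written for this page, not code from the advisory or from any vendor. It assumes a simplified JSON export of events 4720 ("a user account was created") and 4732 ("a member was added to a security-enabled local group"), with constructed field names (`ts`, `id`, `subject`, `target`, `member`, `group_sid`, `host`); the sample log lines are constructed, and the ten-minute correlation window is an assumed tuning value.

```python
"""Flag a newly created account that is promoted to the local Administrators
group shortly after creation, by correlating Windows Security events.

Event 4720 = a user account was created
Event 4732 = a member was added to a security-enabled local group
S-1-5-32-544 is the well-known SID of the built-in Administrators group.
Field names and log lines below are constructed for this example; a real
SIEM export will use its own schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

ADMINS_SID = "S-1-5-32-544"

# Constructed sample: one suspicious create-then-promote sequence on FS01,
# one benign user creation on WS22 (added to Users, S-1-5-32-545), and one
# promotion of a pre-existing account that has no matching 4720.
SAMPLE_LOG = r'''
{"ts": "2025-05-01T02:14:03", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM", "target": "svc_rmm_tmp", "host": "FS01"}
{"ts": "2025-05-01T02:14:09", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM", "member": "svc_rmm_tmp", "group_sid": "S-1-5-32-544", "host": "FS01"}
{"ts": "2025-05-01T09:30:00", "id": 4720, "subject": "CORP\\helpdesk.admin", "target": "jdoe", "host": "WS22"}
{"ts": "2025-05-01T09:31:15", "id": 4732, "subject": "CORP\\helpdesk.admin", "member": "jdoe", "group_sid": "S-1-5-32-545", "host": "WS22"}
{"ts": "2025-05-02T11:00:00", "id": 4732, "subject": "CORP\\helpdesk.admin", "member": "olduser", "group_sid": "S-1-5-32-544", "host": "WS22"}
'''


@dataclass
class Alert:
    host: str
    account: str
    created_by: str
    promoted_by: str
    seconds_between: float


def parse_events(text):
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_fast_admin_promotions(text, window=timedelta(minutes=10)):
    """Return an Alert for every account that is added to the local
    Administrators group within `window` of its own creation event."""
    created = {}   # (host, account) -> the 4720 event that created it
    alerts = []
    for ev in parse_events(text):
        if ev["id"] == 4720:
            created[(ev["host"], ev["target"].lower())] = ev
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            creation = created.get((ev["host"], ev["member"].lower()))
            if creation is None:
                continue  # pre-existing account; a different rule covers that
            delta = ev["ts"] - creation["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append(Alert(
                    host=ev["host"],
                    account=ev["member"],
                    created_by=creation["subject"],
                    promoted_by=ev["subject"],
                    seconds_between=delta.total_seconds(),
                ))
    return alerts


if __name__ == "__main__":
    for a in find_fast_admin_promotions(SAMPLE_LOG):
        print(f"[ALERT] {a.host}: {a.account} created by {a.created_by} and "
              f"promoted to Administrators by {a.promoted_by} after "
              f"{a.seconds_between:.0f}s")
```

The rule keys on the Administrators SID rather than the group name so it survives localized or renamed groups, and it deliberately ignores promotions of accounts that have no creation event in the window; those are worth a separate, noisier rule. In production the `subject` field is where you would enrich with the process or service that created the account, which is what distinguishes a help-desk action from an RMM agent acting on its own.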
High-Profile Casualties
The Play ransomware gang has demonstrated its ability to compromise high-profile organizations across sectors, with notable victims including:
- Cloud computing company Rackspace
- The City of Oakland in California
- Dallas County
- Car retailer giant Arnold Clark
- The Belgian city of Antwerp
- Doughnut chain Krispy Kreme
- American semiconductor supplier Microchip Technology
Essential Defensive Measures
Given the increasing danger posed by Play ransomware attacks, the FBI, CISA, and the Australian Cyber Security Centre have issued vital guidance for security teams. Organizations are urged to prioritize the following to counteract such attacks:
- Patch Management: Regularly update all systems, software, and firmware to address vulnerabilities that could be exploited.
- Multi-Factor Authentication (MFA): Enforce multi-factor authentication on all services, especially VPNs, webmail, and any accounts that access critical systems.
- Offline Data Backups: Maintain comprehensive offline data backups to ensure data recovery if primary systems are compromised.
- Recovery Routine Development: Develop and regularly test a comprehensive recovery plan as part of standard security procedures.
The rising number of victims and the increasingly sophisticated tactics of the Play ransomware group emphasize the urgent need for robust cybersecurity defenses. Organizations are urged to follow advisories from law enforcement and cybersecurity entities to secure their networks and data against this evolving threat.