
FBI Aware of 900 Organizations Hit by Play Ransomware – Source: www.securityweek.com


Source: www.securityweek.com – Author: Ionut Arghire

The Play ransomware gang has made roughly 900 victims over the past three years, according to an updated advisory from the US and Australian governments.

Active since June 2022 and also known as Playcrypt, Play is believed to be a closed group that runs double-extortion attacks: it exfiltrates victims’ data and threatens to leak it, in addition to encrypting systems.

In December 2023, the US cybersecurity agency CISA, the FBI, and the Australian Cyber Security Centre (ACSC) released an advisory on the tactics, techniques, and procedures (TTPs) observed in Play ransomware attacks, saying the group had made roughly 300 victims by October 2023.

On Wednesday, the government agencies updated the advisory to add TTPs seen in fresh attacks, noting that the group had become one of the most active ransomware gangs in 2024.

“As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors,” the updated advisory reads.

Initial access brokers linked to Play, as well as other ransomware groups, have been observed exploiting three vulnerabilities in the SimpleHelp remote monitoring and management (RMM) software, the advisory reads.

Tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, the flaws can be chained to elevate privileges to administrator and execute arbitrary code, fully compromising vulnerable systems. Organizations running SimpleHelp should confirm that their server is on a version that fixes all three CVEs, and treat any internet-exposed, unpatched instance as a likely initial access point.

The updated advisory also warns that Play’s operators recompile the ransomware for each attack, so every campaign ships a binary with a new file hash; hash-based indicators from an earlier intrusion are therefore of little use for detecting the next one.


Play ransomware victims, the authoring agencies say, receive unique @gmx[.]de or @web[.]de email addresses for communication, and some are also contacted by phone as part of the extortion.

“Play ransomware targets regularly receive phone calls from threat actors encouraging payment and threatening the release of company information. These calls can be routed to a variety of phone numbers within the organization, including those discovered in open source, such as help desks or customer service representatives,” the advisory reads.

The three agencies also warn of an ESXi variant of the Play ransomware that powers off all VMs and then encrypts the files associated with them, generating a random key for each file.

“Like the Windows variant of Play ransomware, the ESXi variant must be recompiled for each campaign. Through command line flags, the binary supports additional functionality likely used for development and debugging, including exempting specific VMs from encryption, targeting only one file for encryption, or skipping the file extension check and attempting to encrypt all files,” the advisory reads.
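The two points above, per-campaign recompilation and the ESXi variant's power-off-then-encrypt behaviour, have a direct consequence for detection engineering: a blocklist of file hashes from last month's build will not match this month's, while the behaviour on the host stays the same. The following is an added illustration, not code from the advisory or from SecurityWeek. The hash list, the event format, the hostnames, the VM file extensions and the thresholds are all constructed or assumed for the example.

```python
"""Hash IOCs versus behaviour on a recompiled ransomware build.

Added example; nothing here comes from the advisory or the article.
All hashes, telemetry and thresholds are constructed for illustration.
"""
import hashlib
from collections import defaultdict

# Constructed: the SHA-256 of a binary seen in an earlier campaign.
OLD_BUILD = b"play-esxi-build-previous-campaign"
NEW_BUILD = b"play-esxi-build-recompiled-for-this-victim"  # same code, new build
KNOWN_BAD_SHA256 = {hashlib.sha256(OLD_BUILD).hexdigest()}


def hash_match(sample: bytes) -> bool:
    """Classic IOC check: does the sample's SHA-256 appear on the blocklist?"""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# Assumed: VM-related extensions a ransomware would target on a datastore.
VM_FILE_EXTS = (".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmem")

# Constructed host telemetry: (seconds, host, event_type, detail).
EVENTS = [
    (0, "esxi-01", "vm_poweroff", "vm-101"),
    (4, "esxi-01", "vm_poweroff", "vm-102"),
    (9, "esxi-01", "vm_poweroff", "vm-103"),
    (20, "esxi-01", "file_write", "/vmfs/volumes/ds1/vm-101/vm-101.vmdk"),
    (21, "esxi-01", "file_write", "/vmfs/volumes/ds1/vm-101/vm-101.vmx"),
    (23, "esxi-01", "file_write", "/vmfs/volumes/ds1/vm-102/vm-102.vmdk"),
    (24, "esxi-01", "file_write", "/vmfs/volumes/ds1/vm-102/vm-102.vmx"),
    (26, "esxi-01", "file_write", "/vmfs/volumes/ds1/vm-103/vm-103.vmdk"),
    (30, "esxi-01", "file_write", "/vmfs/volumes/ds1/vm-103/vm-103.vmsd"),
    # esxi-02: routine maintenance, one VM stopped and its config edited.
    (100, "esxi-02", "vm_poweroff", "vm-201"),
    (140, "esxi-02", "file_write", "/vmfs/volumes/ds2/vm-201/vm-201.vmx"),
]


def behavioural_alerts(events, window=300, min_poweroffs=3, min_writes=5):
    """Flag hosts where a burst of VM power-offs is followed, within the
    window, by a burst of writes to VM files. Independent of the binary's hash.
    Returns the list of alerting hostnames in first-seen order."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for t0, _, kind, _ in evs:
            if kind != "vm_poweroff":
                continue
            in_window = [e for e in evs if t0 <= e[0] <= t0 + window]
            poweroffs = sum(1 for e in in_window if e[2] == "vm_poweroff")
            writes = sum(1 for e in in_window
                         if e[2] == "file_write" and e[3].endswith(VM_FILE_EXTS))
            if poweroffs >= min_poweroffs and writes >= min_writes:
                alerts.append(host)
                break
    return alerts


if __name__ == "__main__":
    print("old build on blocklist:", hash_match(OLD_BUILD))   # True
    print("recompiled build on blocklist:", hash_match(NEW_BUILD))  # False
    print("behavioural alerts:", behavioural_alerts(EVENTS))  # ['esxi-01']
```

The hash check catches only the build it was written for; the behavioural rule fires on esxi-01 regardless of which compile of the ransomware produced the activity, and stays quiet on esxi-02, where a single VM was stopped and one file edited. The thresholds and window are assumptions to be tuned against a real environment's baseline of maintenance activity.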


Original Post URL: https://www.securityweek.com/fbi-aware-of-900-organizations-hit-by-play-ransomware/

Category & Tags: Ransomware, CISA, FBI, Play
