
The Play ransomware group, one of the most prolific cybercrime syndicates of the past two years, has compromised approximately 900 organizations across multiple continents, according to a joint advisory released this week by the FBI, CISA, and Australia's ASD.
The advisory outlines updated tactics, techniques, and indicators of compromise observed as recently as January 2025.
Initially emerging in June 2022, the Play group, also known as PlayCrypt, has steadily escalated its operations through aggressive double-extortion campaigns. The group exfiltrates sensitive data before encrypting victim systems, coercing payment through threats of public disclosure. These operations span a wide spectrum of targets, including private sector firms and critical infrastructure providers in North and South America, Europe, and Australia.
The FBI-led investigation uncovered the scale of the group's impact, which surged throughout 2024, solidifying Play as one of the most active ransomware actors globally. Their operations are organized through a presumed closed network that minimizes internal leaks and uses unique communication channels, including burner email accounts on German-based services like GMX and Web.de, to interact with each victim. In some cases, victims have been subjected to direct phone threats aimed at pressuring payment.
Recent notable victims of Play ransomware include doughnut and coffee chain Krispy Kreme, and semiconductor manufacturer Microchip Technology.
Play ransomware tactics
Play's attack chain begins with initial access via compromised credentials or exploitation of exposed services, particularly Fortinet's FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange (CVE-2022-41040, CVE-2022-41082). In 2025, actors connected to Play also exploited CVE-2024-57727 in SimpleHelp, a popular remote monitoring and management (RMM) tool, to gain remote code execution capabilities.
Once inside, Play operators leverage reconnaissance tools like AdFind, GRIXBA, and Nltest to map the environment and identify security controls. To maintain stealth, they use anti-analysis and evasion tools such as GMER, IOBit, PowerTool, and various PowerShell scripts to disable antivirus software and erase logs.
For lateral movement and privilege escalation, Play frequently employs Cobalt Strike, PsExec, Mimikatz, and WinPEAS, along with custom binaries like PSexesvc.exe and HRsword.exe. Data is typically exfiltrated using WinRAR to compress files and WinSCP for data transfer. The payload is then deployed, encrypting files using AES-RSA hybrid encryption with intermittent file targeting, avoiding critical system files. Encrypted files are appended with a .PLAY extension, and ransom notes are dropped under C:/Users/Public/Music/ReadMe.txt.
Notably, each ransomware binary is recompiled per attack, creating a unique hash signature and complicating detection by antivirus solutions. This tailored approach extends to VMware ESXi environments, where a dedicated Linux ELF variant disables virtual machines, targets VM-specific files, and modifies the ESXi interface to display a ransom demand.
The group's operations are enhanced by a portfolio of legitimate, repurposed tools. For instance, Process Hacker is used for process enumeration, while Plink establishes persistent SSH tunnels. Custom data-gathering tools like GRIXBA (detected via dedicated YARA and Suricata rules) allow attackers to profile victim environments in detail before encryption.
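The tooling and artifacts listed above can be turned into a simple stage-based detector. The following is an added example, not code from the advisory or from CISA: it classifies constructed process-creation and file events against the tool names and encryption artifacts named on this page, and only calls the sequence Play-like when several distinct stages appear. The executable file names (for example GRIXBA.exe, IOBit.exe) are assumptions, since the page names tools rather than binaries.

```python
"""Stage-level detector for the Play ransomware tradecraft described above.
Sample events below are constructed, not real telemetry."""
import os

# Tool names per stage, as named on the page; file names are assumptions.
# Matching is on the image file name only, case-insensitively. Note that
# nltest.exe is a legitimate Windows binary, so recon alone is low-confidence.
STAGE_TOOLS = {
    "recon": {"adfind.exe", "grixba.exe", "nltest.exe"},
    "evasion": {"gmer.exe", "powertool.exe", "iobit.exe"},
    "lateral_movement": {"psexec.exe", "psexesvc.exe", "mimikatz.exe",
                         "winpeas.exe", "hrsword.exe"},
    "exfil_tunnel": {"winrar.exe", "winscp.exe", "plink.exe"},
}
ENCRYPTED_EXT = ".play"                                # appended to encrypted files
RANSOM_NOTE = r"c:\users\public\music\readme.txt"      # ransom note drop location


def classify_event(event):
    """Return the attack stage an event indicates, or None.
    Events are dicts: type 'process' with 'image', or type 'file' with 'path'."""
    if event["type"] == "process":
        image = os.path.basename(event["image"].replace("\\", "/")).lower()
        for stage, tools in STAGE_TOOLS.items():
            if image in tools:
                return stage
    elif event["type"] == "file":
        path = event["path"].replace("/", "\\").lower()
        if path == RANSOM_NOTE or path.endswith(ENCRYPTED_EXT):
            return "impact"
    return None


def detect_play_stages(events):
    """Map each observed stage to the set of hosts it was seen on."""
    stages = {}
    for ev in events:
        stage = classify_event(ev)
        if stage:
            stages.setdefault(stage, set()).add(ev["host"])
    return stages


def is_play_like(events, min_stages=3):
    """Alert only when several distinct stages are observed, to cut noise
    from legitimate one-off use of admin tools such as nltest or WinRAR."""
    return len(detect_play_stages(events)) >= min_stages


# Constructed sample events, roughly in the order the page describes.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Temp\AdFind.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\nltest.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Temp\PowerTool.exe"},
    {"type": "process", "host": "dc01", "image": r"C:\Windows\PSEXESVC.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "file", "host": "fs01", "path": r"D:\Shares\Finance\Q3.xlsx.PLAY"},
    {"type": "file", "host": "fs01", "path": r"C:\Users\Public\Music\ReadMe.txt"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for stage, hosts in detect_play_stages(SAMPLE_EVENTS).items():
        print(f"{stage}: {sorted(hosts)}")
    print("Play-like sequence:", is_play_like(SAMPLE_EVENTS))
```

In a real deployment the event dicts would be built from EDR or Sysmon process-creation and file-write telemetry, and the thresholds tuned per environment.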
Organizations are advised to patch known vulnerabilities, enforce multi-factor authentication for all remote services, and maintain offline backups. The advisory also calls for least-privilege access policies and network segmentation.
Entities operating RMM tools like SimpleHelp should prioritize patching and review access logs for signs of unauthorized activity. Detection systems should be updated with the latest IOCs, hashes, and YARA rules provided in the CISA bulletin.