The FBI, in an update to a joint advisory with CISA and the Australian Cyber Security Centre (ACSC), said that the Play ransomware group had breached approximately 900 organizations as of May 2025, roughly three times the number of victims reported in October 2023.
“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024,” the FBI warned.
“As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors.”
Today's update also notes that the group recompiles its malicious code for every attack, so file hashes differ from one intrusion to the next and signature-based security software has a harder time detecting and blocking it. Some victims have also been contacted by phone and pressured to pay the ransom to keep their stolen data from being leaked online.
Since January, initial access brokers linked to Play ransomware have exploited three vulnerabilities in the SimpleHelp remote monitoring and management (RMM) tool (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote code execution attacks against U.S.-based organizations. In one incident, unknown threat actors targeted vulnerable SimpleHelp RMM client systems to create an administrator account and backdoored the compromised systems with Sliver beacons, likely staging them for a later ransomware deployment.
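The incident above ends with a newly created administrator account on the RMM host, which is one of the few post-exploitation steps a defender can hunt for without knowing the exploit. The following PowerShell is an added example written for this article, not a script from the advisory or from any vendor; it assumes Windows account-management auditing is enabled (Security log Event IDs 4720 and 4732) and that it is run elevated on the host being checked. The `$Days` window is an arbitrary default.

```powershell
# Added example: hunt for local accounts created or added to Administrators recently,
# then cross-check against the live group membership in case the log was cleared.
# Assumes Security auditing for "User Account Management" and "Security Group Management"
# is enabled and the session is elevated.
param([int]$Days = 30)

$since = (Get-Date).AddDays(-$Days)

# 4720 = a user account was created
# 4732 = a member was added to a security-enabled local group (e.g. Administrators)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4720 {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Event  = 'AccountCreated'
                Target = $data['TargetUserName']
                By     = $data['SubjectUserName']
            }
        }
        4732 {
            # TargetUserName holds the group name; MemberSid the added principal
            if ($data['TargetUserName'] -eq 'Administrators') {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Event  = 'AddedToAdministrators'
                    Target = $data['MemberSid']
                    By     = $data['SubjectUserName']
                }
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize

# Independent check: who is in Administrators right now, regardless of what the log says
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass
```

Both 4720 and 4732 carry the `SubjectUserName` of the account that performed the action; an addition performed by the RMM service account, or by an account that should never administer the host, is the line worth pulling the timeline on.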
The Play ransomware-as-a-service (RaaS) operation
The Play ransomware gang surfaced almost three years ago, with the first victims reaching out for help in BleepingComputer’s forums in June 2022. Play affiliates steal sensitive data from compromised systems before deploying ransomware. They then use this information to threaten victims into paying the ransom demand, under the threat that the stolen data will be published on the gang’s dark web leak website.
Unlike many other ransomware operations, Play negotiates with victims over email and does not provide a link to a Tor negotiation page.
The gang also uses a custom Volume Shadow Copy Service (VSS) copying tool that reads files out of shadow volume copies, which lets it exfiltrate files that are locked by other applications on the live volume.
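The point of reading from a shadow copy is that a file lock held on the live volume does not apply to the snapshot, so an open database or mailbox file can still be copied. The PowerShell below is an added illustration of that general technique and is not Play's tool or its source; it assumes an elevated session on a Windows host with the VSS service available, and `$LockedPath` is a placeholder path for any in-use file.

```powershell
# Added example: copy a file that is locked on the live volume by reading it
# from a freshly created Volume Shadow Copy instead.
# Assumes an elevated PowerShell session on Windows. $LockedPath is an assumed example path.
param(
    [string]$Volume     = 'C:\',
    [string]$LockedPath = 'C:\Data\app.db',        # placeholder for an in-use file
    [string]$OutDir     = "$env:TEMP\vss-copy"
)

# 1. Snapshot the volume. Win32_ShadowCopy.Create returns ReturnValue (0 = success) and ShadowID.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
                           -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed (return code $($result.ReturnValue))"
}
$snap = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"

# 2. Translate the live path onto the snapshot's device object, e.g.
#    C:\Data\app.db -> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Data\app.db
$relative = $LockedPath.Substring($Volume.Length).TrimStart('\')
$source   = "$($snap.DeviceObject)\$relative"

# 3. Copy from the snapshot. cmd.exe's copy handles the \\?\GLOBALROOT device path;
#    the lock on the live file is irrelevant because we never open the live file.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
cmd.exe /c "copy `"$source`" `"$OutDir`"" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Copy from shadow copy failed" }

# 4. Remove the snapshot so it does not linger on the system.
Remove-CimInstance -InputObject $snap

Get-ChildItem $OutDir
```

For defenders, the same class is the audit surface: `Get-CimInstance Win32_ShadowCopy` (or `vssadmin list shadows`) lists every snapshot currently present, and a snapshot that nothing in the backup schedule accounts for is worth explaining.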
Other high-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland, California, Dallas County, and car retailer Arnold Clark. In their guidance, the FBI, CISA and the ACSC encourage security teams to prioritize keeping systems, software and firmware updated, reducing the number of unpatched vulnerabilities available for Play ransomware actors to exploit.
Defenders should also enforce multifactor authentication across all services, prioritizing VPNs, webmail and accounts with access to critical systems on the organization's networks. As part of standard security practice, they should maintain offline data backups and develop and regularly test recovery procedures.