CISA Issues Warning on Play Ransomware Targeting 900+ Organizations

5 June 2025, gbhackers.com

CISA, FBI, and ASD's ACSC provide insights into Play ransomware's methods as it impacts nearly 900 organizations globally. The warning outlines vulnerabilities exploited and defensive measures.

Key Takeaways

  1. "The FBI has identified approximately 900 entities allegedly exploited by these threat actors," said an FBI spokesperson.
  2. "They utilize external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), which further enhances their foothold in systems, alongside recent reports of exploiting vulnerabilities in remote monitoring tools," said a security analyst familiar with the situation.
  3. "This dynamic method of recompiling ransomware adds a layer of complexity for cybersecurity teams tasked with detection and response, complicating their defensive posture," observed a threat intelligence expert.

In a joint effort, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ASD’s ACSC) have issued a critical advisory regarding the Play ransomware group, whose activities have affected more than 900 organizations since its rise in June 2022. The release of detailed Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) serves as a crucial resource for organizations looking to protect themselves against this evolving threat.

"The FBI has identified approximately 900 entities allegedly exploited by these threat actors," said an FBI spokesperson. This figure highlights the extensive ramifications of Play ransomware, which has wreaked havoc across North America, South America, and Europe.

Known informally as Playcrypt, this ransomware has garnered attention for its aggressive targeting strategy, particularly in 2024, employing a method known as double extortion. This approach not only encrypts sensitive data but also threatens to release it publicly unless a ransom is paid.

The advisory was updated on June 4, 2025, and details the tactics the Play ransomware actors use, particularly their methods for gaining initial access. They exploit vulnerabilities in widely used public-facing applications, including FortiOS and Microsoft Exchange: CVE-2018-13379 and CVE-2020-12812 in FortiOS, and the ProxyNotShell vulnerabilities, CVE-2022-41040 and CVE-2022-41082, in Microsoft Exchange.

Furthermore, the attackers are known to leverage valid accounts likely obtained from dark web marketplaces, providing them with an illicit entry point. "They utilize external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), which further enhances their foothold in systems, alongside recent reports of exploiting vulnerabilities in remote monitoring tools," said a security analyst familiar with the situation.

Once they infiltrate a system, the Play ransomware actors employ a suite of tools designed for network attack and enumeration. For example, they use AdFind for Active Directory queries and Grixba, an information-stealer, to gather intelligence on the network. The attackers also disable antivirus protection through tools like GMER and IOBit, ensuring they can operate unimpeded once inside.

Their lateral movement within compromised networks is managed through command and control applications, including Cobalt Strike and SystemBC, while credential dumping is executed using Mimikatz, allowing them to gain domain administrator access.
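The tool names in the two paragraphs above are the kind of indicator a defender can hunt for in endpoint process-creation telemetry. The following Python script is an added example, not code from the advisory or from this article: it scans a few constructed process-creation records (tab-separated, one per line; not real logs) for the tools named here, maps each hit to the stage the article describes, and ranks hosts by how many distinct stages were observed on them. The record format, the tool-to-stage table and the substring match on the image name are assumptions; Cobalt Strike is left out because it has no fixed image name to match on.

```python
# Added example (not from the advisory or the article). Constructed process-creation
# records, one per line:  timestamp <TAB> host <TAB> user <TAB> full path of the image.
SAMPLE_EVENTS = """\
2025-06-04T01:12:03Z\tWS-017\tcorp\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\adfind.exe
2025-06-04T01:14:41Z\tWS-017\tcorp\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\grixba.exe
2025-06-04T01:20:10Z\tWS-017\tcorp\\jdoe\tC:\\Windows\\Temp\\gmer.exe
2025-06-04T01:25:58Z\tSRV-DC01\tcorp\\svc_backup\tC:\\Windows\\Temp\\mimikatz.exe
2025-06-04T01:30:00Z\tWS-022\tcorp\\asmith\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
"""

# Tools named in the article, mapped to the stage the article attributes them to.
# The mapping and the lowercase substrings are assumptions made for this example.
TOOL_STAGES = {
    "adfind":   "discovery",           # Active Directory queries
    "grixba":   "discovery",           # information stealer used to profile the network
    "gmer":     "defense evasion",     # used to disable antivirus
    "iobit":    "defense evasion",     # used to disable antivirus
    "systembc": "command and control",
    "mimikatz": "credential access",   # credential dumping
}


def scan_process_events(text):
    """Return one finding per record whose image name contains a known tool name."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # malformed record: skip it rather than abort the whole scan
        timestamp, host, user, image = parts
        image_name = image.rsplit("\\", 1)[-1].lower()
        for needle, stage in TOOL_STAGES.items():
            if needle in image_name:
                findings.append({"time": timestamp, "host": host, "user": user,
                                 "tool": needle, "stage": stage})
                break
    return findings


def rank_hosts(findings):
    """Rank hosts by the number of distinct stages seen on them (most first)."""
    stages_per_host = {}
    for f in findings:
        stages_per_host.setdefault(f["host"], set()).add(f["stage"])
    return sorted(((host, len(stages)) for host, stages in stages_per_host.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits = scan_process_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['time']} {f['host']:<9} {f['user']:<16} {f['tool']:<9} -> {f['stage']}")
    print("hosts by distinct stages:", rank_hosts(hits))
```

Matching on the image name alone is deliberately weak: a renamed binary slips past it. Its value is as a cheap first pass that surfaces a host where several of the stages the article lists (enumeration, antivirus disablement, credential dumping) appear in quick succession, which is the pattern worth escalating.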

A notable facet of the Play ransomware operation is that the group compiles a fresh ransomware binary for each operation. Every build therefore carries a distinct file hash, which lets it evade traditional anti-malware detection that relies on known hashes and makes it increasingly difficult for organizations to defend against such attacks.
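To see why a per-operation rebuild defeats hash-based IoC matching while leaving content-based detection intact, here is an added Python example (not code from the advisory or from this article). It constructs stand-ins for several builds of one family that share logic but differ in build-specific bytes, then compares a SHA-256 blocklist learned from the first build against a content rule keyed on a string that survives recompilation. The byte strings, the build function and the content rule are constructed assumptions; the @gmx.de contact domain is the only detail taken from the article.

```python
import hashlib
import re

# Constructed stand-ins (not real samples): bytes that stand for logic shared by every
# build of the family. A fresh compile per operation changes other bytes (timestamps,
# padding, section layout, key material), which is enough to change the whole-file hash.
SHARED_LOGIC = (
    b"\x55\x48\x89\xe5"               # constructed function-prologue bytes
    b"[encrypt-loop]"                 # constructed marker for the encryption routine
    b"contact: [placeholder]@gmx.de"  # constructed note text; only the domain is from the article
)

# Content rule keyed on a string that survives recompilation. This is an assumption:
# a real rule would be written against strings observed in actual samples.
CONTENT_RULE = re.compile(rb"contact: [^\s@]+@gmx\.de")


def build_sample(build_id):
    """Simulate one per-operation compile: same shared logic, build-specific tail."""
    build_specific = b"\x00" * (build_id % 7) + ("build-%d" % build_id).encode()
    return SHARED_LOGIC + build_specific


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_rule_matches(sample, blocklist):
    """Traditional IoC check: exact whole-file hash against a blocklist."""
    return sha256_hex(sample) in blocklist


def content_rule_matches(sample):
    """Content check: does the stable string appear anywhere in the file?"""
    return CONTENT_RULE.search(sample) is not None


def compare_detection(n_builds):
    """Learn a hash IoC from build 0, then test both approaches on n_builds builds.

    Returns (hash_hits, content_hits).
    """
    blocklist = {sha256_hex(build_sample(0))}
    hash_hits = sum(1 for i in range(n_builds)
                    if hash_rule_matches(build_sample(i), blocklist))
    content_hits = sum(1 for i in range(n_builds)
                       if content_rule_matches(build_sample(i)))
    return hash_hits, content_hits


if __name__ == "__main__":
    hash_hits, content_hits = compare_detection(5)
    print("builds tested: 5")
    print("matched by hash blocklist learned from build 0:", hash_hits)
    print("matched by content rule:", content_hits)
    for i in range(3):
        print("build", i, "sha256", sha256_hex(build_sample(i))[:16], "...")
```

The point for a defender is that the hashes published with an advisory confirm a sample you already have but rarely catch the next one; rules on stable strings, behaviour (mass file renames, shadow-copy deletion) and the tooling seen before encryption are what carry over between operations.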

"This dynamic method of recompiling ransomware adds a layer of complexity for cybersecurity teams tasked with detection and response, complicating their defensive posture," observed a threat intelligence expert.

Impact and Legacy

The double extortion model employed by Play ransomware amplifies its impact. Once data is exfiltrated, the group encrypts affected systems and demands payment in cryptocurrency via unique email addresses, such as those with the domain @gmx.de. This strategy not only pressures victims to comply but also increases the financial incentive for the attackers to target a wide range of organizations.

As organizations assess their cybersecurity strategies in light of this advisory, the insights provided by CISA, FBI, and ASD's ACSC are invaluable. The detailed examination of TTPs and IoCs emphasizes the need for heightened vigilance.

With the severity and scale of incidents attributed to Play ransomware continuing to rise, cybersecurity experts recommend that all organizations prioritize security practices, review the advisory, and patch the identified vulnerabilities. "Understanding the tactics used by threat actors like Play ransomware is essential for all organizations looking to bolster their defenses," stated a network security specialist.

As this ransomware's threat continues to evolve, proactive engagement and regular updates to security measures will be critical to thwarting these sophisticated attacks. Awareness and adaptation remain key components in combating the growing landscape of cyber threats.
