Play ransomware group has made over 900 victims

Over the past few years, the Play ransomware operation has affected approximately 900 businesses and organizations with ransomware attacks.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have released a joint advisory on the Play ransomware group, updating the public on the group’s latest tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs).
The Play ransomware operation, also known as Playcrypt, has been around since June 2022 and has impacted a wide range of businesses and critical infrastructure entities in North America, South America, and Europe. The group was one of the most active ransomware operations in 2024. Roughly 900 organizations have fallen victim to Play ransomware.
The Play ransomware group gains initial access to a victim’s networks through the abuse of valid accounts, most likely purchased on the dark web, or known vulnerabilities in FortiOS, Microsoft Exchange, and the remote monitoring and management tool SimpleHelp.
Members use tools like AdFind to run Active Directory queries and infostealer malware, such as Grixba, to collect network information and scan for antivirus software. Tools like GMER, IOBit, and PowerTool are then used to disable antivirus software and remove log files.
Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec to help with lateral movement and file execution. Data is then collected, compressed into segments, and transferred to accounts that are controlled by the ransomware operation.
The group employs a double extortion model, meaning members encrypt digital files and systems after exfiltrating data. Victims are encouraged to contact the threat actor via email to negotiate a ransom demand. Each victim receives a unique @gmx.de or @web.de email address to communicate with.
Ransom payments are paid in cryptocurrency to wallet addresses provided by Play members. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network.
The advice to prevent attacks by the Play ransomware hasn’t changed since the last update. Organizations are called upon to implement a recovery plan, to enable multifactor authentication (MFA) for all accounts, in particular for VPN, webmail, and accounts that have access to important systems, and to regularly scan their networks for vulnerabilities.