ATTENTION, NETWORK DEFENDERS! The FBI, Cybersecurity and Infrastructure Security Agency, and Australian Cyber Security Centre have just dropped a bombshell advisory on the Play ransomware group. This cyber menace, active since 2022, has already impacted a staggering 900 victims across North America, South America, and Europe. And the threat is only growing!
DO THIS NOW! Implement multifactor authentication, maintain offline backups, develop a recovery plan, and keep all systems updated. This is not just a recommendation; it's a mandate to protect your organization from the Play ransomware group's double-extortion model. These cybercriminals encrypt your systems after exfiltrating data, leaving you with no initial ransom demand or payment instructions. Instead, they instruct you to contact them via email, adding an extra layer of pressure.
THIS IS A NO-BRAINER! The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals.” They use tools like AdFind to run Active Directory queries and Grixba to enumerate network information. They disable anti-virus software with tools like IOBit and PowerTool, and remove log files to cover their tracks. They use command and control (C2) applications like Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution. They search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access. They split compromised data into segments and use tools like WinRAR to compress files into .RAR format for exfiltration. They then use WinSCP to transfer data from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted with AES-RSA hybrid encryption using intermittent encryption: every other 0x100000-byte (1 MiB) portion of a file is encrypted. System files are skipped during the encryption process. A .play extension is added to file names and a ransom note titled ReadMe is left behind.
YOU NEED TO OWN THIS! The Play ransomware group has evolved its tactics to include custom-coded malware for each breach, direct communication with victims, exploitation of new vulnerabilities, and an expanded targeting scope. They have targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025, highlighting the group's rapid expansion and increased impact.
THIS IS A GAME-CHANGER! The Play ransomware group has targeted over 300 entities across North America, South America, Europe, and Australia, affecting sectors such as telecommunications, healthcare, media, transportation, construction, and government. They have been observed deploying attacks on India, Hungary, Spain, and the Netherlands. They have recently started exploiting the ProxyNotShell vulnerabilities in Microsoft Exchange. The group also has similar tactics and techniques to the ransomware groups Hive and Nokoyawa, leading researchers to believe Play is operated by the same people.
THIS IS A CALL TO ACTION! Healthcare organizations, which are particularly vulnerable to ransomware attacks, can implement several specific measures to protect against the evolving tactics of the Play ransomware group. These measures include implementing multifactor authentication, maintaining offline backups of data, developing and testing a recovery plan, keeping all operating systems, software, and firmware updated, monitoring network traffic and implementing security tools, educating and training employees, and using specialized security solutions.