The FBI has reported an alarming surge in Play ransomware group attacks that infected nearly 900 organizations as of May 2025. Rising Ransomware: Why business and technology leaders must reinforce their commitment to cybersecurity.
As the scope and scale of ransomware continues to escalate, so does the need for businesses to ingrain a cyber resilience and response capabilities across all areas of their operation.
The Play ransomware gang, aka PlayCrypt or Balloonfly, has been active since at least mid-2022 and has allegedly hit dozens of organizations worldwide, including government entities, critical infrastructure, and companies of all sizes. The group’s double-extortion approach entails stealing sensitive information before encrypting systems and threatening to release the exfiltrated data if a ransom isn’t paid.
FBI investigations along with partners such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have revealed Play ransomware actors receive the initial access through several methods.
These include the misuse of legitimate accounts that are frequently purchased on the dark web, and the compromise of external facing applications, such as weaknesses in FortiOS and Microsoft Exchange. They have also been seen taking advantage of external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) to gain an initial foothold.
Once on a network, Play actors use lateral movement tools such as Cobalt Strike and SystemBC for file execution, and have been observed to use part-time encryption to avoid detection. The ransom notes usually ask victims to email the threat actors and sometimes the victims are directly threatened over the phone with data disclosure if payment is not made.
With the increasing number of victims, it’s clear that organizations need to defend themselves even more. The FBI and partners recommend that organizations adopt and incorporate the following basic cyber security best practices to decrease their exposure to threat actors: multi-factor authentication, regularly back up data, implement network segmentation, patch externally facing devices, and practice data minimization and encryption.
Victims of ransomware should report it immediately to IC3 or the FBI field office in their region. gov, as ransom payments do not ensure data will be recovered and can encourage additional criminal activity.
