The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC), has released an updated fact sheet detailing new insights on the “Play” ransomware group, which is actively targeting U.S. critical infrastructure and organizations worldwide.
A new report on tactics used by the group, also known as Playcrypt, is an update to a February messaging from the FBI published on June 4, 2025, which details the group’s evolving methodology that had affected roughly 900 organizations between its discovery in June 2022.
The advisory details a major ramp-up of Play’s operations, especially during 2024, and one of the most active ransomware groups. The group operates a “double extortion” model, first extracting sensitive data and then locking up systems, and threatening to disclose the stolen information unless a ransom is paid.
Unlike many ranssomware groups, Play also typically does not use a dark web negotiation portal, preferring to have victims contact it through unique email addresses and even making phone calls to organizations to pressure them to pay in some cases.
One of the key points made in the refreshed advisory are the still ongoing attacks targeting public facing applications and remote monitoring and management tools (RMM) being exploited by Play.
In particular, the team has been seen exploiting bugs in FortiOS, Microsoft Exchange, and most recently, the three SimpleHelp RMM tool bugs (CVE-2024-57728, CVE-2024-57727, and CVE-2024-57726). These are the vulnerabilities by which attackers initially infiltrate networks.
Once in, the Play actors leverage a variety of tools for network discovery, privilege escalation, and lateral movement, such as AdFind for Active Directory queries, Mimikatz for credential dumping, and Cobalt Strike for command and control. To avoid detection, the gang typically recompiles its ransomware binary for each attack, producing unique hashes that outwit legacy signature-based antiviruses.
CISA and the FBI recommend organizations take action now to reduce their risk against Play ransomware. Recommended actions Prioritise patching of vulnerabilities that have been exploited known to have been exploited and look at implementing multi-factor authentication across all services Ensure you’re maintaining offline backups and that they are regularly tested so you’re not backing up corrupted files Establish and exercise an incident response and recovery plan.
The growing danger posed by Play ransomware demonstrates the urgency for cybersecurity strategies to be activated in order to defend essential assets and enterprises against these organized attacks.
