AHA Warns Hospitals About Latest Play Ransomware Threats


Group’s Advisory Follows an Updated Joint Alert from US, Australian Agencies

The American Hospital Association is warning hospitals and other healthcare sector organizations of rising double-extortion attack threats involving the Play ransomware group.

The AHA alert follows an updated joint advisory issued last week by the FBI, Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre about Play’s latest tactics.

The FBI said it had counted approximately 900 organizations that had been exploited by the Play ransomware group – also known as Playcrypt – as of May 2025. The affected organizations include a variety of businesses and critical infrastructure firms in North America, South America and Europe. Last year, Play ransomware was among the most active ransomware groups, the FBI said.

“Since the group was first observed in 2022, Play has targeted the healthcare sector around the world,” Scott Gee, the AHA’s deputy national adviser for cybersecurity and risk, told Information Security Media Group.

“This means that they potentially pose a significant threat to hospitals and the healthcare sector because of the impact of a ransomware attack on care delivery,” he said. “This danger comes not only from the threat of direct attacks on hospitals but on critical third-party suppliers that can also disrupt the operations of hospitals.”

The warning from the FBI, CISA and the ACSC underscores the group’s evolving tactics, “and healthcare cybersecurity teams should be aware of the changes,” Gee said in AHA’s alert.

“As threat actors shift tactics, it is critical that network defenders keep pace,” Gee said. “The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of healthcare.”

Latest Play Details

The latest advisory from the government agencies provides an update to a joint warning they issued about Play ransomware in December 2023.

Since that earlier advisory, the Play ransomware group has adopted new tactics, techniques and procedures, among other changes, the government’s latest advisory said.

That includes each Play victim receiving a unique @gmx.de or @web[.]de email address for communications. “A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom,” the government advisory said.

The Play ransomware group gains initial access to victim networks through the abuse of valid accounts, most likely obtained on the dark web, and exploitation of vulnerabilities in public-facing applications such as Fortinet and Microsoft Exchange, and external-facing services such as remote desktop protocol and virtual private networks, the government advisory said.

But now multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, are also exploiting three vulnerabilities – including CVE-2024-57727 – in the remote monitoring and management tool SimpleHelp to conduct remote code execution at many U.S.-based entities, the joint advisory said (see: Supply Chain Attacks Are Really Surging).

Play ransomware actors use command-and-control applications such as Cobalt Strike and SystemBC and tools including PsExec to help with lateral movement and file execution. “Once established on a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access,” the government agencies said.

When it comes to Play’s exfiltration and encryption, the group’s ransomware binary is now being recompiled for every attack, “resulting in unique hashes for each deployment, complicating anti-malware and anti-virus program detection of the ransomware,” the government agencies’ alert said.
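Because the advisory notes that each Play deployment is recompiled and therefore carries a unique file hash, hash-based blocklists are a weak control on their own; the lateral-movement behaviour described above (PsExec for remote execution, followed by credential theft and spread across hosts) is more stable to detect. The following is an added example written for this article, not detection content from the FBI/CISA/ACSC advisory or the AHA alert. It runs two behavioural checks over constructed Windows-style log lines: a PsExec-style service installation (System event 7045 registering the PSEXESVC service) and one account performing network logons (Security event 4624, logon type 3) to many distinct hosts in a short window. The log format, host names, account names, the five-minute window and the four-host threshold are all assumptions chosen for the illustration; real telemetry would need its own parser and tuning.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real data). One event per line:
# timestamp|event_id|host|user|src_ip|detail
SAMPLE_LOGS = """\
2025-06-10T02:14:03|4624|WS-ACCT-07|CORP\\j.doe|10.20.5.14|LogonType=3
2025-06-10T02:14:05|7045|WS-ACCT-07|CORP\\j.doe|10.20.5.14|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2025-06-10T02:14:40|4624|WS-ACCT-08|CORP\\j.doe|10.20.5.14|LogonType=3
2025-06-10T02:15:01|7045|WS-ACCT-08|CORP\\j.doe|10.20.5.14|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2025-06-10T02:15:30|4624|FS-01|CORP\\j.doe|10.20.5.14|LogonType=3
2025-06-10T02:16:02|4624|DC-01|CORP\\j.doe|10.20.5.14|LogonType=3
2025-06-10T02:16:44|4624|APP-02|CORP\\j.doe|10.20.5.14|LogonType=3
2025-06-10T09:00:12|4624|WS-HR-03|CORP\\m.lee|10.20.7.22|LogonType=3
2025-06-10T09:31:00|7045|WS-HR-03|SYSTEM|-|ServiceName=Backup Agent ImagePath=C:\\Program Files\\Backup\\agent.exe
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, host, user, src_ip, detail = line.split("|", 5)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "host": host,
            "user": user,
            "src_ip": src_ip,
            "detail": detail,
        })
    return events


def detect_psexec_service_installs(events):
    """Flag 7045 service installs whose service name is PSEXESVC.

    The service name is stable across PsExec versions, so this check does
    not depend on the hash of whatever payload the service later launches.
    """
    hits = []
    for ev in events:
        if ev["event_id"] != 7045:
            continue
        m = re.search(r"ServiceName=(\S+)", ev["detail"])
        if m and m.group(1).upper() == "PSEXESVC":
            hits.append((ev["host"], ev["user"]))
    return hits


def detect_logon_fanout(events, window=timedelta(minutes=5), threshold=4):
    """Flag accounts that reach >= threshold distinct hosts via network
    logons (4624, LogonType 3) within a sliding time window.

    Window and threshold are assumed values for this example; tune them
    against a baseline of normal admin activity before relying on them.
    """
    by_user = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and "LogonType=3" in ev["detail"]:
            by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                # keep the largest host set seen for this account
                alerts[user] = max(alerts.get(user, set()), hosts, key=len)
    return alerts


def run_detections(text=SAMPLE_LOGS):
    """Run both checks and return their findings in one dict."""
    events = parse_events(text)
    return {
        "psexec_service_installs": detect_psexec_service_installs(events),
        "logon_fanout": {u: sorted(h)
                         for u, h in detect_logon_fanout(events).items()},
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_detections())
```

On the sample above, the account CORP\j.doe is flagged twice: it installed PSEXESVC on two workstations and reached five hosts within a few minutes. The legitimate backup agent service install on WS-HR-03 and the single logon by CORP\m.lee are not flagged. Neither check consults a file hash, which is the point the advisory makes about per-deployment recompilation.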

“Play is presumed to be a closed group, designed to ‘guarantee the secrecy of deals,’” AHA said in its advisory.

“They employ a double-extortion model that encrypts systems after exfiltrating data. Their ransom notes do not include an initial ransom demand or payment instructions. Instead, victims are instructed to contact the threat actors via email.”

Organizations, including those in the healthcare sector, are urged to take critical measures to help mitigate Play ransomware threats.

That includes prioritizing mitigation of known vulnerabilities exploited by the group; patching and updating software and applications to their latest versions; conducting regular vulnerability assessments; and implementing multifactor authentication for all services to the extent possible and especially for webmail, VPN, and accounts that access critical systems.

“Sound cybersecurity practices – things like phishing-resistant multifactor authentication, controls on VPN access and patch management – are the best ways to defend against attacks from Play,” Gee said.
