
The Cybersecurity and Infrastructure Security Agency (CISA), alongside the Federal Bureau of Investigation (FBI) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), has released detailed Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) for the notorious Play ransomware group.
As of May 2025, the FBI has identified approximately 900 entities allegedly exploited by these threat actors, underscoring the significant scale and impact of this ransomware variant across North America, South America, and Europe since its emergence in June 2022.
Also known as Playcrypt, this ransomware group has been among the most active in 2024, targeting a broad spectrum of businesses and critical infrastructure with a sophisticated double extortion model.
The advisory, updated on June 4, 2025, details how Play ransomware actors gain initial access by exploiting vulnerabilities in public-facing applications, such as FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange (ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082), alongside abusing valid accounts likely procured from dark web markets.
They leverage external-facing services like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for entry, with recent reports highlighting exploitation of SimpleHelp remote monitoring and management tool vulnerabilities (CVE-2024-57727) for remote code execution.
Over 900 Entities Affected by Sophisticated Double Extortion Model
Once inside, the group employs tools like AdFind for Active Directory queries and Grixba, an information-stealer, for network enumeration, while disabling antivirus software using tools such as GMER and IOBit.
Their lateral movement is facilitated by command and control applications like Cobalt Strike and SystemBC, with Mimikatz used for credential dumping to gain domain administrator access.
A unique aspect of their operation is recompiling the ransomware binary for each attack, resulting in distinct hashes that evade traditional anti-malware detection, complicating defense efforts.
Play ransomware’s impact is amplified by its double extortion strategy, encrypting systems post-data exfiltration and demanding cryptocurrency ransoms via unique @gmx.de or @web.de email addresses provided to victims.
Non-compliant organizations face threats of data leaks on the group’s Tor network site, often accompanied by direct phone calls to pressure payment.
The group’s ESXi variant specifically targets virtual environments, encrypting files with extensions like .vmdk and .vmx using AES-256 encryption while shutting down virtual machines.
The advisory emphasizes urgent mitigation steps, including multifactor authentication, regular software patching, network segmentation, and maintaining offline encrypted backups to curb the ransomware’s spread and impact.
Organizations are also encouraged to validate security controls against the MITRE ATT&CK framework techniques outlined in the report to strengthen defenses against this evolving threat.
This comprehensive update serves as a vital resource for network defenders aiming to fortify their systems against Play ransomware’s persistent and evolving threat landscape.
Indicators of Compromise (IoCs)
| Hash (SHA-256) | Description |
|---|---|
| 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E | SVCHost.dll (Backdoor) |
| 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A | Backdoor |
| 1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 | PSexesvc.exe (Custom Play “psexesvc”) |
| 0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 | HRsword.exe (Disables endpoint protection) |
| 6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6 | Hi.exe (Associated with ransomware) |
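As an added defender-side example (not code from the advisory or this article), the Python sweep below streams every file under a directory through SHA-256 and matches the digests against the IoC table above. The function names and the directory layout are assumptions; note in the code that the per-victim recompiled encryptor described earlier will never match a fixed hash, so the tooling hashes are the ones worth sweeping for.

```python
import hashlib
import os
from pathlib import Path

# SHA-256 IoCs for Play ransomware tooling, copied from the advisory table on this page.
PLAY_IOCS = {
    "47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E": "SVCHost.dll (Backdoor)",
    "75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A": "Backdoor",
    "1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7": "PSexesvc.exe (custom Play psexesvc)",
    "0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549": "HRsword.exe (disables endpoint protection)",
    "6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6": "Hi.exe (associated with ransomware)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries and VM images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def scan_tree(root, iocs=PLAY_IOCS):
    """Return [(path, description)] for every regular file under root whose SHA-256 is a known IoC.

    Caveat from the advisory: the Play encryptor is recompiled per intrusion, so its hash is unique
    to each victim and will not appear on any list. Matches here point to the reusable tooling
    (backdoor DLL, custom psexesvc, endpoint-protection killer), which is where hash IoCs still help.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():
                continue  # skip symlinks to directories, devices, etc.
            try:
                file_hash = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: keep sweeping instead of aborting
            if file_hash in iocs:
                hits.append((str(path), iocs[file_hash]))
    return hits


if __name__ == "__main__":
    import sys
    for hit_path, description in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IoC match: {hit_path} -> {description}")
```

Run it against a mounted evidence image or a suspect host's program directories; an empty result does not clear a host, since the encryptor itself is expected to have a hash not on the list.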