FBI Issues Critical Cyberattack Alert — Act Now As Victims Skyrocket


Update, June 6, 2025: This story, originally published on June 5, has been updated with additional technical information about the Play ransomware threat, the subject of a joint FBI and CISA security advisory, and about an associated cybercrime group known as Balloonfly.

The Federal Bureau of Investigation has issued a joint cybersecurity advisory with the U.S. Cybersecurity and Infrastructure Security Agency as the number of confirmed Play ransomware victims surged in May. The threat actors have, the FBI warned, hit a broad spectrum of organizations, including businesses and critical infrastructure providers, in North America, South America and Europe. Here's what you need to know and, more importantly, what to do to reduce the chances of your organization being next on the list.


FBI And CISA Say Act Now As Play Ransomware Actors Accelerate Attacks

The latest update to the Play ransomware advisory, a joint effort between the FBI, CISA and the Australian Cyber Security Centre, is the result of new investigations this year that uncovered an evolution in the cybercriminal group's tactics, techniques and procedures. As of May, the FBI said it was aware of approximately 900 organizations that had been compromised by the gang and fallen victim to Play ransomware. To put that in perspective, that is three times the number the FBI reported when it last released such figures.

The joint advisory, part of the ongoing #StopRansomware campaign, aims to help organizations defend themselves by keeping them informed of changes to those tactics, techniques and procedures, and of new indicators of compromise that can be used in detection efforts.

Advisory AA23-352A states that Play is presumed to be a closed group, operating alone to "guarantee the secrecy of deals" over the exfiltrated data it holds to ransom. The ransom notes left with the victim do not, the advisory stated, "include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email." Those addresses use one of two German email domains, but the mailbox name is unique in every case. "A portion of victims are contacted via telephone," the FBI said, "and are threatened with the release of the stolen data and encouraged to pay the ransom." These tactics are designed to push the victim straight onto a negotiation footing where the attacker has the upper hand.


Inside The Play Ransomware Threat — The FBI Confirms Technical Details Of Attacks

Researchers have linked Play ransomware to Andariel, a North Korean state-sponsored attack group that forms part of the Democratic People's Republic of Korea's Reconnaissance General Bureau, and have expressed the opinion that Play forms an "integral part" of the Andariel cyberattack arsenal. Play is also thought to be distributed by threat groups including Balloonfly.

According to Symantec Threat Hunter researchers, Balloonfly has been linked to multiple incidents in which a malware backdoor was used to infect Windows systems before Play ransomware was deployed, mostly against businesses in the U.S. and Europe.

The Microsoft Threat Intelligence Center and Microsoft Security Response Center previously found Play ransomware being deployed after threat actors exploited a zero-day elevation-of-privilege vulnerability in the Windows Common Log File System, CVE-2025-29824, which was fixed in the April Patch Tuesday release. Other vulnerabilities known to have been exploited by Play ransomware actors include CVE-2022-41040 and CVE-2022-41082, affecting Microsoft Exchange Server, and CVE-2020-12812 and CVE-2018-13379, affecting the SSL VPN in Fortinet's FortiOS. All have been patched, but it bears repeating: if you have not applied those patches yet, do so as a matter of critical urgency.

The FBI advisory also confirmed that Play ransomware attackers gain initial access by exploiting "external-facing services such as Remote Desktop Protocol and Virtual Private Networks." Once inside a network, Play ransomware actors move laterally using well-known command and control tools such as Cobalt Strike and SystemBC, alongside utilities including PsExec. "Once established on a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access," the FBI warned.
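The three behaviours in that paragraph each leave a recognisable trace in Windows telemetry: an RDP logon (Security event 4624, logon type 10) from an address outside the network, a PsExec service installation (System event 7045 for PSEXESVC), and a non-Windows process opening lsass.exe with a memory-read access mask (Sysmon event 10), which is how Mimikatz reads credentials. The following Python sketch is an added example, not FBI, CISA or Forbes code, that runs those heuristics over constructed sample events; the flattened field names, the allowlist of processes that legitimately touch lsass, and the set of suspicious access masks are assumptions to be tuned for your own environment.

```python
"""Heuristic detections for three Play ransomware behaviours the advisory
describes: RDP logons from outside the network, PsExec lateral movement and
Mimikatz-style access to lsass. Runs over constructed sample events; this is
an added example, not FBI/CISA code."""
import ipaddress
from dataclasses import dataclass

# Constructed sample records modelled on Windows Security 4624 (logon),
# System 7045 (service installed) and Sysmon 10 (ProcessAccess) events.
# The flattened field names are an assumption about the collector's output.
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4624, "host": "DC01", "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup"},
    {"source": "Security", "id": 4624, "host": "WS07", "LogonType": 10,
     "IpAddress": "10.20.3.15", "TargetUserName": "alice"},
    {"source": "Security", "id": 4624, "host": "WS07", "LogonType": 3,
     "IpAddress": "-", "TargetUserName": "SYSTEM"},
    {"source": "System", "id": 7045, "host": "FS02",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"source": "System", "id": 7045, "host": "FS02",
     "ServiceName": "WdNisSvc",
     "ImagePath": "C:\\Program Files\\Windows Defender\\NisSrv.exe"},
    {"source": "Sysmon", "id": 10, "host": "DC01",
     "SourceImage": "C:\\Users\\svc_backup\\Downloads\\m.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"source": "Sysmon", "id": 10, "host": "DC01",
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

# Anything outside RFC 1918, loopback and link-local is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

# Access masks credential dumpers commonly request on lsass (PROCESS_VM_READ |
# PROCESS_QUERY_INFORMATION and supersets). A heuristic list, not exhaustive.
LSASS_SUSPICIOUS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
# Windows components that legitimately open lsass; tune per environment (assumption).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def is_external(ip: str) -> bool:
    """True for routable source addresses; placeholders such as '-' are not."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events) -> list:
    """Apply the three rules and return one Finding per matching event."""
    findings = []
    for e in events:
        src, eid = e.get("source"), e.get("id")
        if src == "Security" and eid == 4624 and e.get("LogonType") == 10 \
                and is_external(e.get("IpAddress", "")):
            findings.append(Finding(e["host"], "rdp_from_external",
                f"{e['TargetUserName']} via RDP from {e['IpAddress']}"))
        elif src == "System" and eid == 7045 and "psexesvc" in (
                e.get("ServiceName", "") + e.get("ImagePath", "")).lower():
            findings.append(Finding(e["host"], "psexec_service_install",
                                    e.get("ImagePath", "")))
        elif src == "Sysmon" and eid == 10:
            target = e.get("TargetImage", "").lower()
            caller = e.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
            if target.endswith("\\lsass.exe") \
                    and e.get("GrantedAccess", "").lower() in LSASS_SUSPICIOUS_ACCESS \
                    and caller not in LSASS_ALLOWLIST:
                findings.append(Finding(e["host"], "lsass_access",
                    f"{e['SourceImage']} opened lsass with {e['GrantedAccess']}"))
    return findings


def hosts_with_chained_activity(findings, min_rules: int = 2) -> dict:
    """Hosts where more than one distinct rule fired: RDP in, then credential
    dumping on the same box is the sequence the advisory describes."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("chained:", hosts_with_chained_activity(found))
```

On the sample data the internal RDP logon, the Defender service and the csrss.exe access to lsass are all ignored, while DC01 is raised because two different rules fired there. Stacking findings per host in this way is what turns three noisy single-event rules into something worth paging on.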


FBI Says You Must Act Now To Mitigate These Attacks

The Play ransomware campaign shows no sign of slowing down, and it won't until organizations up their game and get their defenses in order. Mitigation is the only answer to such determined ransomware actors.

The FBI recommends that the following mitigations be put in place as a matter of urgency:

  1. Maintain a recovery plan that includes retaining multiple copies of data and servers in physically separate, segmented and secure locations.
  2. Enforce a password policy requiring passwords of at least 15 characters, stored in a salted and hashed form.
  3. No password reuse.
  4. No password hints.
  5. Lock accounts after multiple failed login attempts.
  6. Multi-factor authentication for all accounts, to the extent possible.
  7. Require administrator credentials to install software.
  8. Apply patches and firmware updates in a timely manner, prioritizing known exploited vulnerabilities.
  9. Segment networks to limit the spread of ransomware.
  10. Disable unused ports.
  11. Disable hyperlinks in received emails.
  12. Disable command-line and scripting activities and permissions; privilege escalation and lateral movement often depend on utilities run from the command line.
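Items 2, 3 and 5 describe a mechanism rather than just a setting, so here is a Python sketch of it as an added example (not FBI, CISA or Forbes code): passwords are stored as salted PBKDF2-HMAC-SHA256 digests, a 15-character minimum is enforced, reuse is blocked by re-deriving the candidate against a history of old salts and digests, and an account locks after repeated failures. The lockout threshold, lockout duration and history depth are assumptions; in practice these controls belong in your directory or identity provider (on Windows, the domain account lockout and password policies), and the code only shows what they have to do.

```python
"""Minimal credential store implementing three of the advisory's password
controls: a 15-character minimum, salted hashing with a reuse check against
password history, and account lockout after repeated failures. Added example,
not FBI/CISA code; thresholds are assumptions."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 15            # advisory: at least 15 characters
ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
HISTORY_SIZE = 5           # previous hashes retained to block reuse (assumption)
MAX_FAILURES = 5           # failed attempts before lockout (assumption)
LOCKOUT_SECONDS = 15 * 60  # lockout duration (assumption)


class PolicyError(ValueError):
    """Raised when a candidate password violates the policy."""


@dataclass
class Account:
    salt: bytes
    digest: bytes
    previous: list = field(default_factory=list)  # [(salt, digest), ...]
    failures: int = 0
    locked_until: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _check_policy(candidate: str, history) -> None:
    if len(candidate) < MIN_LENGTH:
        raise PolicyError(f"password must be at least {MIN_LENGTH} characters")
    # Each old digest has its own salt, so the candidate is re-derived per entry.
    for salt, digest in history:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            raise PolicyError("password was used before; reuse is not allowed")


def create_account(password: str) -> Account:
    _check_policy(password, [])
    salt = os.urandom(16)  # per-account random salt: same password, different digest
    return Account(salt=salt, digest=_hash(password, salt))


def change_password(account: Account, new_password: str) -> None:
    history = [(account.salt, account.digest)] + account.previous
    _check_policy(new_password, history)
    account.previous = history[:HISTORY_SIZE]
    account.salt = os.urandom(16)
    account.digest = _hash(new_password, account.salt)


def authenticate(account: Account, password: str, now: float = None) -> bool:
    """Verify a password, honouring lockout. `now` is injectable for testing."""
    now = time.time() if now is None else now
    if now < account.locked_until:
        return False  # locked: even the correct password is rejected
    if hmac.compare_digest(_hash(password, account.salt), account.digest):
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.failures = 0
        account.locked_until = now + LOCKOUT_SECONDS
    return False
```

Two details matter for the spirit of the advisory. The reuse check has to hash the candidate under each historical salt, which is why salted storage and reuse prevention are implemented together. And the lockout check runs before the password comparison, so an attacker spraying a locked account learns nothing from the response, whether or not the guess was right.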



