
More than 900 organizations have been hit by cyberattacks from the Play ransomware gang since it emerged in 2022, making it one of the most threatening cybercrime groups currently active, according to new data released by the FBI on Wednesday.
The FBI published an update to a 2023 advisory in which it initially said the group was responsible for 300 attacks in its first year of operation.
Alongside the Cybersecurity and Infrastructure Security Agency (CISA) and Australia’s cybersecurity agency, FBI officials said the figure had now grown to approximately 900 affected entities as of May 2025.
The updated advisory includes new tactics and other identifiers that the FBI has discovered through multiple investigations.
“Each victim receives a unique @gmx.de or @web[.]de email for communications. A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom,” the agencies said, adding that some calls are directed toward help desks or customer service representatives.
Law enforcement officials said initial access brokers with ties to Play ransomware operators continue to exploit multiple vulnerabilities — including CVE-2024-57727 — in remote monitoring and management tool SimpleHelp.
The software is used by many of Play’s U.S.-based victims, and CVE-2024-57727 caused alarm in January when researchers found more than 3,400 SimpleHelp instances exposed to the internet.
The advisory notes that Play’s operators recompile the ransomware for every attack, making it difficult for defenders to use anti-malware and anti-virus program detection to stop the ransomware.
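The detection problem described above comes down to one property of hash-based blocklists: any change to the binary, including a plain rebuild, produces a new hash. The following is an added illustration, not code from the advisory or from any vendor, of why a static hash blocklist misses a rebuilt payload while a behavioural rule over file-system telemetry still fires. The byte strings, the telemetry format, the process ids, the `.locked` extension and the thresholds are all constructed for the example and are not Play indicators.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Two constructed byte strings standing in for two builds of the same payload.
# They are not malware samples; the point is only that a rebuild changes the hash.
KNOWN_BUILD = b"constructed-payload build=A"
REBUILT = b"constructed-payload build=B"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash blocklist populated from the single build an analyst has already seen.
BLOCKLIST = {sha256_hex(KNOWN_BUILD)}


def hash_blocked(sample: bytes) -> bool:
    """Hash-based detection: an exact match against the blocklist, nothing else."""
    return sha256_hex(sample) in BLOCKLIST


def parse_events(lines):
    """Parse constructed telemetry lines of the form
    '<ISO timestamp> pid=<n> rename <old path> -> <new path>'."""
    events = []
    for line in lines:
        ts, pid_field, action, rest = line.split(" ", 3)
        if action != "rename":
            continue
        old, new = rest.split(" -> ")
        events.append((datetime.fromisoformat(ts), int(pid_field.split("=")[1]), old, new))
    return events


def detect_mass_rename(events, threshold=20, window=timedelta(seconds=60)):
    """Flag any pid that renames at least `threshold` files to a different
    extension inside a sliding time window. Returns the set of flagged pids.
    The threshold and window are hypothetical tuning values."""
    by_pid = defaultdict(list)
    for ts, pid, old, new in events:
        if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:
            by_pid[pid].append(ts)
    flagged = set()
    for pid, stamps in by_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Shrink the window from the left until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pid)
                break
    return flagged


def build_sample_log():
    """Constructed telemetry: one benign editor and one process renaming
    thirty documents to a new extension within ten seconds."""
    base = datetime(2025, 5, 1, 3, 0, 0)
    lines = []
    for i in range(3):  # benign: a few backups spread over minutes
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} pid=1001 rename /home/u/draft{i}.txt -> /home/u/draft{i}.bak")
    for i in range(30):  # suspicious: a burst of extension changes from one pid
        t = base + timedelta(milliseconds=300 * i)
        lines.append(f"{t.isoformat()} pid=4242 rename /srv/share/doc{i}.docx -> /srv/share/doc{i}.locked")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("known build blocked:", hash_blocked(KNOWN_BUILD))
    print("rebuilt build blocked:", hash_blocked(REBUILT))
    print("pids flagged by behaviour:", detect_mass_rename(parse_events(SAMPLE_LOG)))
```

The hash check catches only the build it was trained on; the rename-burst rule is indifferent to which compile produced the process, which is why behavioural telemetry (file-system, process and network events) is the usual complement to signature matching against a group that rebuilds per victim. The threshold and window need tuning per environment, since legitimate batch jobs can also rename many files quickly.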
The agencies previously said Play has attacked a wide range of businesses and critical infrastructure across North America, South America and Europe. The FBI said Play “was among the most active ransomware groups in 2024.”
Play initially caused outrage over dozens of high-profile attacks that left cities like Oakland and Lowell, Massachusetts, as well as Dallas County, scrambling for days to deal with encrypted devices and troves of stolen citizen data. The government of Switzerland also warned that the group had stolen data during an attack on one of its IT providers.
When the Play group first emerged in mid-2022, it targeted government entities in Latin America, according to Trend Micro. But it quickly shifted focus to U.S. entities — targeting American semiconductor manufacturer Microchip Technology and a county government in Indiana last year.
In October, Palo Alto Networks’ Unit 42 warned that hackers affiliated with North Korea’s Reconnaissance General Bureau appeared to be collaborating to some extent with Play ransomware actors.
Their investigation revealed the North Korean actors had done the initial work of gaining access to an organization’s systems before the same compromised user account was then used by a hacker who deployed the Play ransomware.