FBI reports Play ransomware's surge to 900 victims by May 2025


The US Federal Bureau of Investigation (FBI) has disclosed that the Play ransomware group has infiltrated around 900 organisations by May 2025, a significant increase from the numbers recorded in October 2023. This update comes in conjunction with a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre.

“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” warned the FBI. “As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors.”

The Play ransomware group employs recompiled malware in each attack, complicating efforts by security solutions to detect and block their activities. Some victims have been subjected to phone threats, urging them to pay ransoms to prevent data leaks.

Since early 2025, initial access brokers linked to Play ransomware have exploited vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote monitoring and management tools, targeting US organisations through remote code execution attacks. In one incident, threat actors attacked vulnerable SimpleHelp RMM clients, creating admin accounts and backdooring systems with Sliver beacons, potentially setting the stage for future ransomware attacks.

Before deploying ransomware, Play affiliates exfiltrate sensitive documents from compromised systems so they can pressure victims into paying, threatening to publish the stolen data on the gang's dark web leak site. Unlike other ransomware groups, Play conducts negotiations over email and does not provide a Tor negotiation page link. The group also employs a custom VSS Copying Tool to copy files out of Volume Shadow Copies, which lets it take files even while they are locked or in use by other applications.

FBI advises enhanced security measures against rising ransomware threat

Notable victims of Play ransomware include Rackspace, the City of Oakland, Dallas County, Arnold Clark, the Belgian city of Antwerp, Krispy Kreme, and Microchip Technology. The FBI, CISA, and the Australian Cyber Security Centre advise security teams to keep systems, software, and firmware updated to mitigate the risk of unpatched vulnerabilities being exploited. They recommend implementing multifactor authentication (MFA) across all services, especially for VPN, webmail and accounts with critical system access.

In a related development, the FBI warned about the Silent Ransom Group (SRG), also known as Luna Moth, which has targeted US law firms over the past two years. The group uses tactics such as callback phishing and social engineering to gain unauthorised access to legal practices, aiming to extort sensitive data for ransom.

