No fun: Authorities reveal more info outlining the Play ransomware gang’s operations

American and Australian cyber authorities update advisory outlining prominent ransomware operations’ tactics, techniques, and procedures.

In late 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), alongside the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), released a joint advisory outlining how the Play ransomware gang operates.

At the time, it was a comprehensive roundup of how the gang operated, the tools and techniques it used, and what network defenders needed to be on the lookout for.


However, comprehensive or not, nothing remains static in cyber security, and more has emerged about the Play operation in the last six months. The three authoring agencies recently released an updated advisory, so here’s what we’ve learned since initial publication.

What’s new?

You can read more about the initial advisory here (and we recommend you do), but here we’ll just focus on what’s been learned since then, in some cases in the course of investigations up to January 2025.

As of May 2025, Play ransomware has impacted about 900 organisations around the world since it was first observed.

We also know a little bit more about how the gang makes initial contact with its victims.

“Each victim receives a unique @gmx.de or @web[.]de email for communications,” a June 4 update within the advisory reads.

“A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom.”

Play has also been observed, alongside other actors and access brokers, taking advantage of a vulnerability in the remote management tool SimpleHelp. CVE-2024-57727 was disclosed in January 2025 and has allowed many actors to achieve remote code execution across multiple US entities.

The hackers also go to the trouble of recompiling their ransomware binary after every attack so that each network incursion carries a unique file hash, which defeats detection that relies on matching hashes of previously seen samples. We also know that Play has an ESXi variant of its malware.

“The ESXi variant of Play ransomware invokes shell commands specific to the ESXi environment to conduct tasks, including powering off all running Virtual Machines (VMs), listing machine names, and setting the welcome message of the ESXi interface to the campaign-specific ransom note,” the advisory reads.

“The ransomware binary supports command line arguments; however, if no command line arguments are passed, the malware powers off all VMs and encrypts files related to VMs using randomly generated per-file keys.”

This variant is also recompiled following each attack.

You can read the full updated advisory here for a full list of updated Indicators of Compromise and YARA rules.
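The recompile-per-attack detail above is the reason the advisory pairs its hash indicators with YARA rules. The following added example (not code from the article or the advisory, and using constructed placeholder strings rather than real Play artefacts) shows why: two builds that differ only in a build stamp produce different hashes, so a hash indicator from the first incident misses the second, while a content rule keyed on shared strings catches both.

```python
import hashlib

# Constructed stand-ins for two builds of one ransomware family. Each
# "recompile" changes only the build stamp, as the advisory says Play does
# after every attack; the behavioural strings are placeholders, not real IoCs.
SHARED_BODY = b"\x00EXAMPLE_RANSOM_NOTE\x00EXAMPLE_VM_POWEROFF\x00EXAMPLE_WELCOME_MSG\x00"
BUILD_A = b"MZ\x90\x00" + b"BUILD=0001" + SHARED_BODY
BUILD_B = b"MZ\x90\x00" + b"BUILD=0002" + SHARED_BODY


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_ioc_match(sample: bytes, known_hashes: set) -> bool:
    """Hash-based IoC check: matches only a byte-identical file."""
    return sha256_hex(sample) in known_hashes


# A minimal content rule in the spirit of a YARA rule: several strings plus a
# condition requiring a minimum number of them (assumed simplification).
CONTENT_RULE = {
    "name": "example_family_strings",
    "strings": [b"EXAMPLE_RANSOM_NOTE", b"EXAMPLE_VM_POWEROFF", b"EXAMPLE_WELCOME_MSG"],
    "min_matches": 2,
}


def content_rule_match(sample: bytes, rule: dict) -> bool:
    """Content-based check: survives a rebuild that changes only the hash."""
    hits = sum(1 for s in rule["strings"] if s in sample)
    return hits >= rule["min_matches"]


def evaluate(sample: bytes, known_hashes: set, rule: dict) -> dict:
    """Run both checks on one sample and report the outcome."""
    return {
        "sha256": sha256_hex(sample),
        "hash_ioc": hash_ioc_match(sample, known_hashes),
        "content_rule": content_rule_match(sample, rule),
    }


if __name__ == "__main__":
    # Hash indicator published after the first incident (build A only).
    known = {sha256_hex(BUILD_A)}
    for name, sample in (("build_a", BUILD_A), ("build_b", BUILD_B)):
        print(name, evaluate(sample, known, CONTENT_RULE))
```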


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
