Play Ransomware Resurfaces With New Tricks, Hits Hundreds Worldwide | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

The Play ransomware group is back, and sharper than ever. A newly updated joint advisory from the FBI, CISA, and Australia’s ASD confirms the group is refining its tactics, expanding its reach, and leaving behind a trail of encrypted chaos across critical infrastructure and enterprises alike. 

As of May 2025, nearly 900 entities have been compromised globally. Victims span North and South America, Europe, and Australia. Many didn’t see it coming. And when they did, it was already too late. 

A Familiar Threat, Evolved 

First detected in June 2022, Play (also known as PlayCrypt) rose to infamy with its “no-frills” approach: no ransom amount, no payment link, just an email address in the ransom note. Victims are expected to reach out. If they don’t, they’re called. Sometimes, help desks or public-facing lines are targeted to increase pressure. 

The group uses a double extortion model. First, it steals data. Then, it encrypts systems. Victims face a choice: pay or risk public exposure on Play’s Tor-based leak site. 

The malware is modular and persistent. Each campaign sees a freshly compiled ransomware binary, rendering signature-based detection ineffective. And now, the group has added new tricks. 

New Exploits and Entry Points 

According to the 4 June 2025 update, Play-linked actors and their initial access brokers have weaponized a trio of vulnerabilities in the SimpleHelp remote monitoring tool (CVE-2024-57727). These bugs, disclosed in January, have since been used for remote code execution across U.S.-based targets. 

The group still leans on old favorites too. FortiOS and Microsoft Exchange vulnerabilities remain top attack vectors. RDP and VPN endpoints are probed and exploited. Compromised credentials bought on the dark web pave the way. 

Once inside, Play actors don’t wait around. Tools like AdFind and GMER help them scan the network. Mimikatz and WinPEAS escalate privileges. Then comes the lateral movement (Cobalt Strike, PsExec, SystemBC) before the exfiltration and encryption phase kicks in. 

The Human Touch 

Play’s tactics aren’t purely technical. There’s psychological warfare at play. 

Beyond emails, some victims report receiving phone calls. Callers threaten to leak stolen data. These calls often reach customer service lines or publicly listed numbers, found in open-source records. The goal? Instill panic. Drive payment. 

ESXi Variant: Virtual Chaos 

Not just Windows machines are under threat. Play has an ESXi variant that targets virtual infrastructure. Once deployed, it shuts down all running VMs, encrypts critical files (.vmdk, .vmx, .log, and more), and leaves ransom notes on root directories and ESXi interfaces. 

The variant uses AES-256 encryption and supports command-line arguments for testing and customization, making each attack tailored, flexible, and harder to stop. 

Defenders, Take Note 

Authorities urge organizations to act now: 

• Patch known exploited vulnerabilities. Prioritize them. 

• Enforce multifactor authentication, especially for VPNs, webmail, and privileged accounts. 

• Keep offline backups. Test recovery plans. 

• Update all systems and software. Regularly scan for weaknesses. 

This isn’t the first time Play has made headlines, and it won’t be the last. But armed with the right intelligence and precautions, defenders have a fighting chance. 

Visit StopRansomware.gov for full advisories, IOCs, and free tools to protect your organization. 

When it comes to ransomware, prevention is still the best defense. 

Downloadable Resources 

• #StopRansomware: Play Ransomware PDF (June 2025) 

• IOCs – STIX JSON/XML (June 2025) 

• Historic IOCs – STIX JSON/XML (Dec 2023) 

For technical teams, full MITRE ATT&CK mappings and YARA rules are included in the advisory. 

Stay alert. Stay patched. Stay ahead.