
The FBI has updated its joint advisory with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre, revealing that by May 2025, the number of victims targeted by the ransomware group Play—also known as Playcrypt—had surpassed 900 organizations. This figure is triple the number reported in the autumn of 2023.
Since its emergence in June 2022, Play has launched attacks against a broad spectrum of companies and critical infrastructure across the United States and Europe. According to the FBI, the group ranked among the most prolific cybercriminal operations in 2024, with its activity only intensifying in 2025. Each victim suffered a ransomware attack preceded by the exfiltration of sensitive data and threats of public exposure should the ransom go unpaid.
One of the defining traits of the group is its consistent use of freshly recompiled malware in every attack. This tactic dramatically reduces the efficacy of conventional detection and defense mechanisms, rendering signature-based analysis virtually obsolete. In addition to technical obfuscation, the attackers often place direct phone calls to their victims, escalating psychological pressure and coercing compliance.
Since the beginning of 2025, Play’s operators—working in concert with initial access brokers—have actively exploited vulnerabilities CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 in remote monitoring and management (RMM) systems. These flaws allowed the remote execution of malicious code on victims’ servers. In one such incident, clients of the SimpleHelp platform were targeted: the attackers created administrator-level accounts, deployed Sliver beacons, and left systems backdoored—presumably in preparation for a ransomware deployment.
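A host-side check a defender can run against the post-exploitation step described above (administrator-level accounts created through the compromised RMM software), as an added example that is not from the FBI/CISA advisory or the SimpleHelp project: correlate Windows Security event 4720 (user account created) with event 4732 (member added to a security-enabled local group) and flag any account that lands in a privileged local group shortly after it is created. The event records, the `svc_rmm` subject name, the privileged-group list and the 30-minute window are all constructed assumptions for the illustration; the event IDs themselves are standard Windows audit events.

```python
"""Flag newly created local accounts that are promoted to a privileged group.

Added illustration, not code from the advisory: correlates Windows Security
event 4720 (account created) with event 4732 (member added to a local group).
The sample records below are constructed; a real deployment would feed
exported Security-log rows (e.g. from wevtutil or a SIEM) into parse_events().
"""
from datetime import datetime, timedelta

# Constructed sample events in a simplified CSV shape:
# timestamp,event_id,subject (who acted),target account,group (for 4732 only)
SAMPLE_EVENTS = """
2025-03-02T01:12:07,4720,svc_rmm,svc_backup2,
2025-03-02T01:12:41,4732,svc_rmm,svc_backup2,Administrators
2025-03-02T09:30:00,4720,helpdesk.jane,new.intern,
2025-03-03T14:05:10,4732,helpdesk.jane,new.intern,Remote Desktop Users
2025-03-04T11:00:00,4732,itadmin.bob,itadmin.bob,Administrators
""".strip().splitlines()

# Assumed set of local groups whose membership grants broad control of the host.
PRIVILEGED_GROUPS = {"Administrators", "Remote Management Users"}


def parse_events(lines):
    """Parse the constructed CSV rows into dicts with a datetime timestamp."""
    events = []
    for line in lines:
        ts, eid, subject, target, group = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "subject": subject,
            "target": target,
            "group": group,
        })
    return events


def find_fast_privilege_grants(events, window=timedelta(minutes=30)):
    """Return alerts for accounts created (4720) and then added to a
    privileged local group (4732) within `window` of their creation.

    Accounts that already existed before the log window are ignored, which
    keeps routine group changes for long-standing admins out of the alert list.
    """
    created_at = {}   # target account -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4720:
            created_at[ev["target"]] = ev["ts"]
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            made = created_at.get(ev["target"])
            if made is not None and ev["ts"] - made <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": ev["subject"],
                    "seconds_after_creation": int((ev["ts"] - made).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_privilege_grants(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['account']} added to {alert['group']} "
              f"{alert['seconds_after_creation']}s after creation "
              f"by {alert['created_by']}")
```

Only the `svc_backup2` record trips the rule: it is created and promoted to `Administrators` 34 seconds later by the same RMM-associated subject, while the intern account goes into a non-privileged group a day later and the existing admin account was never created inside the observed window.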
Play operates under a ransomware-as-a-service (RaaS) model, utilizing a decentralized network of affiliates who share access to a common toolkit and infrastructure. Before launching the encryption payload, cybercriminals exfiltrate sensitive documents—often legal and financial—to amplify the pressure of extortion. Notably, unlike many rival groups, Play does not employ Tor-based negotiation sites. Instead, communication is conducted directly via email.
To extract data even from shadow copies, Play deploys a proprietary Volume Shadow Copy Service (VSS) tool that bypasses standard access restrictions on locked files—substantially increasing the odds of successful data theft, even from protected volumes.
Among the group’s high-profile victims are Rackspace, the City of Oakland, the City of Dallas, auto dealer Arnold Clark, the Belgian city of Antwerp, the Krispy Kreme café chain, and semiconductor manufacturer Microchip Technology.
The FBI, CISA, and Australian cybersecurity authorities stress the urgency of immediate software updates, including firmware and operating system components, to reduce the risk of exploitation. They also strongly recommend enabling multi-factor authentication—particularly for VPNs, webmail, and critical services—as well as maintaining offline data backups and regularly verifying the integrity of recovery procedures.