FBI: Over 900 Organizations Disrupted by Play Ransomware Attacks

Industry
Written by
Anthony M. Freed
Published on
Jun 5, 2025

Since emerging in mid-2022, the Play ransomware gang has been linked to over 900 cyberattacks, making it one of the most prolific and dangerous ransomware groups in operation today, according to a new FBI advisory issued alongside CISA and Australia’s cybersecurity agency.  

This marks a sharp increase from the 300 incidents reported in the group's first year, The Record reports.

The group is known for aggressive tactics, including threatening victims via phone and email with data exposure to coerce ransom payments. It often exploits vulnerabilities in remote monitoring tools like SimpleHelp, including the recently disclosed CVE-2024-57727, which affected thousands of internet-exposed systems.

Play’s operators recompile the ransomware uniquely for each attack, complicating detection by antivirus tools. High-profile incidents include disruptions in Oakland, Dallas County, and attacks on Switzerland’s government IT providers.  

There are also signs of collaboration with North Korean threat actors, where initial access gained by APT groups was followed by ransomware deployment using the same credentials. The FBI has labeled Play as one of the most active ransomware gangs of 2024.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Play ransomware is a Ransomware-as-a-Service (RaaS) operation that first appeared in June 2022 and quickly rose to prominence through its technical sophistication, evolving tactics, and high operational tempo.  

The group frequently exploits unpatched vulnerabilities in widely used software, such as Fortinet SSL VPNs and Microsoft Exchange (including ProxyNotShell and OWASSRF), to gain initial access to targeted networks.

Play relies on a combination of advanced tools and techniques to disable security defenses and maintain persistence. It uses PowerTool to disable antivirus and monitoring solutions, SystemBC RAT for ongoing access, and legitimate remote access tools like Plink and AnyDesk to remain undetected in compromised environments.  

For lateral movement, Play deploys Cobalt Strike, while credential harvesting is accomplished through Mimikatz. To evade detection, the group employs tools like Process Hacker, GMER, and IOBit, and disables Windows Defender using PowerShell scripts.  

Play also utilizes intermittent encryption, encrypting only parts of files to bypass detection, and has developed custom exfiltration tools, including the Grixba information stealer and a VSS copying utility.
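The intermittent-encryption technique above leaves a recognizable trace: a file whose blocks alternate between high and low entropy, unlike a fully encrypted file (all high) or an untouched document (all low). The following chunked-entropy classifier is an added defensive illustration, not code from the advisory or from Halcyon; the 4 KiB chunk size, the 7.0 bits/byte threshold and the constructed sample data are assumptions for the demonstration.

```python
import math
from collections import Counter
from random import Random

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list:
    """Entropy profile of a file, one value per fixed-size chunk."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]

def classify_encryption(data: bytes, chunk_size: int = 4096, high: float = 7.0) -> str:
    """Label a file as plaintext, fully_encrypted, intermittent or mixed.

    Caveat: compressed content (zip, jpeg) is also high-entropy, so a single
    high block inside a document is 'mixed', not evidence of encryption.
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "empty"
    flags = [e >= high for e in ents]
    high_chunks = sum(flags)
    if high_chunks == len(flags):
        return "fully_encrypted"
    if high_chunks == 0:
        return "plaintext"
    # Partial encryption alternates high/low blocks: count the transitions.
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    if transitions >= 2 and high_chunks / len(flags) >= 0.25:
        return "intermittent"
    return "mixed"

# Constructed sample: a repetitive "document" of about 18 KB (assumption).
PLAINTEXT = b"Quarterly report: revenue, costs, headcount.\n" * 400
_rng = Random(1)  # seeded so results are reproducible

def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (assumption)."""
    return bytes(_rng.randrange(256) for _ in range(n))

def partially_encrypted(data: bytes, chunk_size: int = 4096) -> bytes:
    """Simulate partial encryption by overwriting every other chunk."""
    out = bytearray(data)
    for i in range(0, len(out), 2 * chunk_size):
        out[i:i + chunk_size] = pseudo_ciphertext(len(out[i:i + chunk_size]))
    return bytes(out)
```

Run over a directory of recently modified files, a burst of "intermittent" results within a short window is a stronger signal than any single file.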

The group uses AES-256 for file encryption, secured with RSA-4096 for key protection, ensuring that data is rapidly and effectively locked. Play employs a double extortion model, exfiltrating sensitive data before encryption and threatening to publish it on a public leak site if ransom demands are not met. This approach amplifies pressure on victims by adding the risk of reputational damage and regulatory exposure.

Play targets high-value industries such as healthcare, finance, manufacturing, and technology—particularly organizations with large data footprints and critical operations. It tailors ransom demands to the perceived ability of the victim to pay, typically ranging from $100,000 to several million dollars.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
