Recommended reading

FBI warns Play ransomware hackers have hit nearly a thousand US firms

News
By published

Hackers have added phone calls to their extortion tactics

A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
(Image credit: Getty Images)
  • Play Ransomware has hit 900 companies so far, new FBI advisory claims
  • The group is calling victims on the phone to try and force them to pay the ransom demand
  • It also added new vulnerabilities to its arsenal

Play Ransomware’s “body count” is almost hitting four digits, a new warning from top legal enforcement has revealed, urging businesses to stay on guard against attacks.

In an updated security advisory, published by the FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), it was said that Play and its affiliates exploited “approximately 900 entities”.

Play Ransomware, also known as Playcrypt, is an infamous ransomware operator. It is known for using the atypical triple-extortion method in which, besides encrypting and exfiltrating files, it also calls its victims on the phone to convince them to pay up.

SimpleHelp flaws targeted

The security agencies’ security advisory has been updated to reflect changes Play and its affiliates made in recent times. For example, it was said that the victims get a unique @gmx.de, or @web.de email address, through which they’re invited to communicate with the attackers.

Furthermore, the group seems to have added new vulnerabilities to the ones they were already targeting. Besides FortiOS (CVE-2018-13379, and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082) bugs, they are now exploiting CVE-2024-57727 in remote monitoring and management (RMM) tool SimpleHelp, which they’re using for remote code execution (RCE) capabilities.

This vulnerability was first spotted in mid-January 2025, and has been exploited since.

To make things even worse, the agencies are saying that the Play ransomware binary is recompiled for every attack, which means it gets a new, unique hash, for each deployment. This complicates anti-malware and antivirus program detection.

Play was first spotted around 2020, and in the past, was known for targeting Windows-powered devices, but in late July 2024, security researchers saw a Linux variant targeting VMWare ESXi environments.

In a technical breakdown, Trend Micro’s Threat Hunting team said at the time that it was the first time Play was seen targeting ESXi environments, and it could be that the criminals are broadening their attacks across the Linux platform.

Via The Register

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.