FlagThis - #fbi

The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities have been compromised as of May 2025. These attacks span across North America, South America, and Europe, targeting a diverse range of businesses and critical infrastructure. The group employs a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, putting additional pressure on victims to pay the ransom.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued updated advisories regarding the Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic includes exploiting vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including those affiliated with Play, have been actively targeting the CVE-2024-57727 path traversal vulnerability, which allows attackers to download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly contact victims via phone, threatening to release stolen data if ransom demands are not met.

To mitigate the threat posed by Play ransomware, authorities recommend several proactive security measures, including implementing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. It is also critical to keep all operating systems, software, and firmware updated to patch known vulnerabilities. SimpleHelp has released security updates to address the exploited vulnerabilities and strongly urges customers to apply these fixes immediately. While Play ransomware has been linked to attacks on critical infrastructure, including nine attacks impacting healthcare, experts recommend constant vigilance and proactive security strategies across all sectors.


References :

• cyberinsider.com: FBI: Play Ransomware Breached 900 Organizations Worldwide
• DataBreaches.Net: CISA Alert: Updated Guidance on Play Ransomware
• The Register - Security: Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes
• Tech Monitor: The FBI reports Play ransomware breached 900 firms by May 2025, up from October 2023, using recompiled malware and phone threats for ransoms.
• www.cybersecuritydive.com: The hacker group has breached hundreds of organizations and is working with others to exploit flaws in a popular remote support tool.
• CyberInsider: FBI: Play Ransomware Breached 900 Organizations Worldwide
• securityaffairs.com: Play ransomware group hit 900 organizations since 2022
• www.techradar.com: FBI warns Play ransomware hackers have hit nearly a thousand US firms
• www.cybersecuritydive.com: Understanding the evolving malware and ransomware threat landscape

Classification:

• HashTags: #Ransomware #Cybersecurity #PlayRansomware
• Company: FBI
• Target: 900 Organizations
• Attacker: Play
• Product: Ransomware
• Feature: Ransomware
• Malware: Play Ransomware
• Type: Ransomware
• Severity: Major