Connect with us

Hi, what are you looking for?



Governments Issue Warning After Play Ransomware Hits Hundreds of Organizations 

US and Australian government agencies warn organizations of the Play ransomware group’s double-extortion tactics.

The US cybersecurity agency CISA, the FBI, and the Australian Cyber Security Centre (ACSC) have published a new advisory detailing the tactics, techniques, and procedures (TTPs) associated with Play ransomware attacks.

Also known as Playcrypt, the Play ransomware has been active since June 2022, targeting organizations in the Americas and Europe. The FBI was aware of approximately 300 victims as of October 2023, but a brief SecurityWeek analysis shows that roughly 100 other alleged victims have been added to the group’s leak website in the past two months.

The cybercrime group previously claimed responsibility for the attacks on A10 Networks and City of Oakland.

Likely a closed group, the Play ransomware gang engages in double-extortion tactics, encrypting victims’ systems and exfiltrating their data, threatening to release it publicly unless a ransom is paid.

For initial access, the group has exploited FortiOS and Microsoft Exchange vulnerabilities, as well as valid credentials, and was also observed using RDP and VPN services.

Following initial access, the cybergang would use various tools for Active Directory discovery, network enumeration, anti-virus software identification and disabling, log file removal, lateral movement, credential harvesting, and vulnerability discovery.

The Play ransomware gang was also seen deploying executables via Group Policy Objects (GPO).

The group harvests victim data, splits it into segments, and exfiltrates it to the command-and-control (C&C) server compressed as RAR files. Next, the adversary encrypts the compromised systems using AES-RSA hybrid encryption.

Advertisement. Scroll to continue reading.

Victims are instructed to contact the gang at an email address ending in @gmx[.]de and to pay a ransom demand in cryptocurrency, to a wallet address provided by the attackers.

“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” the government agencies note.

In their advisory, CISA, FBI, and ACSC also provide indicators-of-compromise (IoCs) associated with the Play ransomware attacks, along with recommended mitigation steps, which include the implementation of a recovery plan, the use of strong authentication methods, updating systems and applications, monitoring networks for suspicious activity, using security solutions, and enhancing email protections.

“In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and ASD’s ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory,” the agencies note.

Related: CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware

Related: CISA Gets Proactive With New Pre-Ransomware Alerts

Related: US, South Korea: Ransomware Attacks Fund North Korea’s Cyber Operations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.