The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have updated an earlier published joint cybersecurity alert regarding the Play ransomware group, also called Playcrypt.
Playcrypt appeared in June 2022 and has carried out ransomware attacks against companies across many industries, including HIPAA-covered healthcare organizations and other critical infrastructure entities. The group operates mostly in Europe, North America, and South America, and has attacked roughly 900 companies. When the FBI and CISA published their earlier advisory on the group in December 2023, Playcrypt had already attacked around 300 companies. The group stepped up its attacks in 2024 and is now considered one of the most active ransomware groups.
Like many ransomware groups, Playcrypt uses double-extortion tactics, exfiltrating sensitive information before encrypting files. The group then demands a ransom, payable to stop the publication of the stolen data and to obtain the decryption keys. Victims are expected to contact the group by email to negotiate payment; if they do not, Playcrypt actors call the victims from various phone numbers and threaten to publish the stolen information.
Playcrypt gains initial access in several ways, including abusing valid account credentials, exploiting vulnerabilities in public-facing applications, and using external-facing services such as Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP). Playcrypt has exploited the following vulnerabilities: the Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082, and the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812. In 2025, the group exploited three vulnerabilities in the SimpleHelp remote monitoring and management solution, CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, to attack U.S.-based organizations.
The group uses tools including AdFind for Active Directory queries, the Grixba information stealer to enumerate system data, GMER, IOBit, and PowerTool to remove log files and disable antivirus software, PowerShell scripts to turn off Microsoft Defender, PsExec for file execution and lateral movement, and Mimikatz to obtain domain administrator credentials. To evade security tools, Playcrypt recompiles its ransomware binary for every attack, so each binary has a unique hash; this applies to both its Windows and ESXi variants.
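Because each Play binary is compiled fresh per attack, a hash blocklist built from earlier incidents will not recognise the next payload; what does repeat is the tooling chain the advisory describes (AD enumeration, Defender tampering, credential theft, PsExec lateral movement). The following is an added example, not code from the advisory or from the FBI/CISA: it runs a behavioural triage over a handful of constructed Sysmon-style process-creation events and contrasts it with a hash lookup. The stage labels, hostnames, hashes and command lines are all constructed for illustration.

```python
"""Behavioural triage of process-creation events for the Play tooling named
in the advisory, versus a hash blocklist.  Added example; every event, host
name and hash below is constructed, not a real indicator."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool substring -> attack stage.  Tools are the ones the advisory names;
# the stage labels are this example's own grouping.
TOOL_STAGES = {
    "adfind.exe": "ad-enumeration",
    "grixba": "ad-enumeration",
    "gmer.exe": "defense-evasion",
    "iobit": "defense-evasion",
    "powertool": "defense-evasion",
    "psexec.exe": "lateral-movement",
    "psexesvc.exe": "lateral-movement",
    "mimikatz": "credential-access",
}

# PowerShell switching off Defender protections.  We match on the documented
# Set-MpPreference cmdlet plus any -Disable* switch, not on one script.
DEFENDER_TAMPER = ("set-mppreference", "-disable")

# Constructed blocklist of hashes from "previous" incidents.
KNOWN_BAD_HASHES = {"aa" * 32, "bb" * 32}

# Constructed events: (utc timestamp, host, image path, command line, sha256)
SAMPLE_EVENTS = [
    ("2025-06-04T02:01:10", "FS01", r"C:\Windows\Temp\adfind.exe",
     "adfind.exe -f objectcategory=computer", "11" * 32),
    ("2025-06-04T02:06:40", "FS01",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "22" * 32),
    ("2025-06-04T02:14:05", "FS01", r"C:\Windows\Temp\mimikatz.exe",
     "mimikatz.exe", "33" * 32),
    ("2025-06-04T02:20:30", "FS01", r"C:\Tools\PsExec.exe",
     r"PsExec.exe \\APP02 play.exe", "44" * 32),
    # Freshly compiled payload: its hash matches nothing we have seen.
    ("2025-06-04T02:21:00", "APP02", r"C:\x\play.exe", "play.exe", "cc" * 32),
    # Lone PsExec use by an admin hours later: one stage only, not flagged.
    ("2025-06-04T09:30:00", "WS17", r"C:\Tools\PsExec.exe",
     r"PsExec.exe \\WS18 ipconfig", "44" * 32),
]


def classify_event(event):
    """Return the set of stages an event matches (empty if none)."""
    _, _, image, cmdline, _ = event
    haystack = (image + " " + cmdline).lower()
    stages = {stage for tool, stage in TOOL_STAGES.items() if tool in haystack}
    if all(token in haystack for token in DEFENDER_TAMPER):
        stages.add("defense-evasion")
    return stages


def hash_blocklist_hits(events, blocklist=KNOWN_BAD_HASHES):
    """Hosts that executed a binary whose hash is on the blocklist."""
    return {host for _, host, _, _, sha in events if sha in blocklist}


def triage(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stages} for hosts that show at least `min_stages`
    distinct stages within `window`, i.e. a chain of the advisory's tooling
    rather than a single tool launch that may be legitimate admin activity."""
    per_host = defaultdict(list)
    for ev in events:
        stages = classify_event(ev)
        if stages:
            per_host[ev[1]].append((datetime.fromisoformat(ev[0]), stages))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, stages in hits[i:]:
                if t - t0 > window:
                    break
                seen |= stages
            if len(seen) >= min_stages:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    print("hash blocklist hits:", hash_blocklist_hits(SAMPLE_EVENTS) or "none")
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

On the constructed data the hash lookup returns nothing, because the payload on APP02 was compiled for this intrusion, while the behavioural triage flags FS01 with four stages inside 30 minutes and leaves the lone PsExec run on WS17 alone. The window and stage threshold are the knobs to tune against your own baseline of legitimate AdFind and PsExec use.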
The updated cybersecurity alert contains the group's most recent tactics, techniques, and procedures (TTPs), new indicators of compromise (IoCs), and YARA rules. To mitigate these attacks, the FBI and CISA advise keeping all software, firmware, and operating systems up to date, enforcing multi-factor authentication, taking regular backups and storing them securely offline, and creating and routinely testing an incident response and recovery plan.