Cybercriminals continue finding new ways to extort organizations through disruptive ransomware attacks. The latest advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) shines a spotlight on the increasingly active Play Ransomware group.
This threat actor has already impacted around 300 entities across the Americas, Europe and beyond. So, what exactly is the Play Ransomware group, and what tactics are they using to compromise networks? Here’s an in-depth look at this mounting threat.
Active since June 2022, the Play Ransomware group targets a wide range of sectors, from manufacturing and healthcare to retail and beyond. They encrypt systems after stealing sensitive data, then demand ransom to decrypt files and prevent public leaks of the stolen information. Play Ransomware’s “double extortion” approach puts maximum pressure on victims to pay.
In recent months, Play Ransomware attacks have surged, with about 300 known victims to date. Ransom notes provide an email address for negotiating with the group but don’t share initial demands, allowing Play to tailor payment amounts based on what they find in compromised networks. With remote work expanding attack surfaces, small businesses can fall victim just like major enterprises.
According to the joint FBI/CISA/ACSC advisory, Play Ransomware primarily gains initial access by abusing valid accounts with stolen credentials and by exploiting vulnerable public-facing applications, specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Unpatched VPN appliances and Microsoft Exchange servers often provide the first opening.
Once inside, the attackers move laterally across the network, searching for additional weaknesses and critical data to steal. They cover their tracks using legitimate tools such as PowerShell scripts and batch files. This “living off the land” approach, relying on utilities already present on victim systems rather than custom malware, helps Play Ransomware stay under the radar and avoid detection.
With remote work and cloud adoption growing exponentially, organizations must take proactive steps to reduce risk. Core mitigations include:
The Play Ransomware group shows that cyber extortion continues to escalate across borders and industries. As emerging adversaries like this one refine techniques, proactive governance and resilience become imperative. Paying the ransom often simply invites repeat attacks. With threat intelligence and readiness, organizations can disrupt these schemes.