Cyber Security News

Play Ransomware Infected Over 300 Organizations Worldwide : FBI Warns

The Play ransomware group, also going by the name Playcrypt, has been affecting several kinds of North American, South American, and European enterprises as well as vital infrastructure since June 2022.

The FBI learned of about 300 impacted companies as of October 2023 that the ransomware attackers allegedly took advantage of.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued a joint advisory to disseminate IOCs and TTPs discovered as recently as October 2023 by the Play ransomware group.

Specifics of the Play Ransomware Group

The Play ransomware incident was initially noted in Australia in April 2023, and it was most recently detected in November 2023.

A statement on the Play ransomware group’s data leak website states that the group is thought to be closed and created to “guarantee the secrecy of deals.”

The threat actors using play ransomware utilize a double-extortion strategy, first gaining access to computers and then encrypting data.

The initial ransom demand and payment instructions are not included in ransom notes; instead, victims are told to email the threat actors.

By abusing legitimate accounts and taking advantage of public-facing applications, the Play ransomware group first gains access to victim networks. Specifically, this is accomplished through known vulnerabilities in Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) and FortiOS (CVE-2018-13379 and CVE-2020-12812).

It has been noted that most ransomware actors initially gain access through external-facing services like Virtual Private Networks (VPN) and Remote Desktop Protocol (RDP).

Actors in play ransomware employ tools such as AdFind to execute Active Directory queries and Grixba, an information-stealer, to enumerate network information and scan for anti-virus software.

Additionally, actors utilize tools like GMER, IOBit, and PowerTool to remove log files and disable antivirus software.


  • Prioritize remediating known exploited vulnerabilities.
  • Enable multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, VPN, and accounts that access critical systems.
  • Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.

To mitigate the possibility and effect of ransomware outbreaks, companies are encouraged by the FBI, CISA, and ASD’s ACSC to implement the recommendations provided in the Mitigations.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LATRODECTUS Loader Getting Popular Among Cybercriminals, Is It Replacing ICEDID!

Hackers use loaders to bypass security measures and run harmful code in a genuine process's…

2 hours ago

30+ Tesla Cars Hacked Using Third-Party Software

A security researcher identified a vulnerability in TeslaLogger, a third-party software used to collect data…

2 days ago

How to Use Threat Intelligence Feeds for SOC/DFIR Teams

Threat intelligence feeds provide real-time updates on indicators of compromise (IOCs), such as malicious IPs…

2 days ago

YARA-X, The Malware Researchers Toolbox Evolved

Malware experts all over the world can't do their jobs without YARA. YARA has been…

2 days ago

SugarGh0st RAT Attacking Organizations & Individuals in AI Research

The cybersecurity company Proofpoint has found a new operation using the SugarGh0st Remote Access Trojan…

2 days ago

New Cyber Attack Targeting Facebook Business Accounts

The email campaign impersonates the Facebook Ads Team to trick users into clicking a malicious…

2 days ago