In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023.

“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024,” the FBI warned.

“As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors.”

Today’s update also notes that the gang uses recompiled malware in every attack, making it more difficult for security solutions to detect and block it. Additionally, some victims have been contacted via phone calls and threatened to pay the ransom to prevent their stolen data from being leaked online.

Since the start of the year, initial access brokers with ties to Play ransomware operators have also exploited several vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in the remote monitoring and management tool in remote code execution attacks targeting U.S. organizations.

In one such incident, unknown threat actors targeted vulnerable SimpleHelp RMM clients to create admin accounts, backdoored the compromised systems with Sliver beacons, potentially preparing them for future ransomware attacks.

The Play ransomware-as-a-service (RaaS) operation

The Play ransomware gang surfaced almost three years ago, with the first victims reaching out for help in BleepingComputer’s forums in June 2022. Before deploying ransomware on the victims’ networks, Play affiliates steal sensitive documents from compromised systems and use them to pressure victims into paying ransom demands under the threat of publishing the stolen data on the gang’s dark web leak site.

However, unlike other ransomware operations, Play ransomware uses email as a negotiation channel and will not provide victims with a Tor negotiations page link.

The ransomware gang also uses a custom VSS Copying Tool that helps steal files from shadow volume copies, even when used by other applications.

Previous high-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland in California, Dallas County, car retailer giant Arnold Clark, the Belgian city of Antwerp, and, more recently, doughnut chain Krispy Kreme and American semiconductor supplier Microchip Technology.

In guidance issued by the FBI, CISA, and the Australian Cyber Security Centre, security teams are urged to prioritize keeping their systems, software, and firmware up to date to reduce the likelihood that unpatched vulnerabilities are exploited in Play ransomware attacks.

Defenders are also advised to implement multifactor authentication (MFA) across all services, focusing on VPN, webmail, and accounts with access to critical systems in their organizations’ networks.

Additionally, they should maintain offline data backups and develop and test a recovery routine as part of their organization’s standard security practices.