Updated Play Ransomware Cybersecurity Advisory Issued as Victim Count Reaches 900
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an update to a previously issued joint cybersecurity advisory on the Play ransomware group, also known as Playcrypt.
Playcrypt has been active since June 2022 and has conducted ransomware attacks on businesses in multiple sectors, including healthcare providers and other critical infrastructure entities. The group primarily conducts attacks in North America, South America, and Europe, and is known to have attacked approximately 900 organizations. When CISA and the FBI issued their last advisory about the group in December 2023, Playcrypt had attacked approximately 300 organizations. The group accelerated attacks in 2024 and has become one of the most active ransomware groups.
Like many other ransomware operations, Playcrypt engages in double extortion tactics, stealing sensitive data before encrypting files. Victims are sent ransom demands and are required to pay to prevent the publication of their stolen data and to obtain the decryption keys. Victims are required to contact the group via email to negotiate payment, and are often contacted by phone and threatened with the release of stolen data, with Playcrypt actors often using a variety of phone numbers within each organization.
Playcrypt uses a variety of methods for initial access, including abusing credentials for valid accounts, exploiting vulnerabilities in public-facing applications, and leveraging Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Vulnerabilities known to have been exploited by the group include the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812, and the Microsoft Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082. This year, the group has been observed exploiting three vulnerabilities in the SimpleHelp remote monitoring and management tool in attacks on U.S.-based entities – CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728.
The group uses tools such as AdFind for running Active Directory queries, the Grixba information stealer to enumerate network information, GMER, IOBit, and PowerTool for removing log files and disabling anti-virus software, PowerShell scripts to disable Microsoft Defender, PsExec for lateral movement and file execution, and Mimikatz for obtaining domain administrator credentials. In an effort to evade security solutions, Playcrypt recompiles its ransomware binary for each attack, with each binary having a unique hash, including its Windows and ESXi variants.
The updated cybersecurity advisory includes the latest tactics, techniques, and procedures (TTPs), updated indicators of compromise (IoCs), and Yara rules. To combat attacks, CISA and the FBI recommend keeping all software, firmware, and operating systems up to date, implementing multi-factor authentication, ensuring backups are regularly made and stored securely offline, and developing and regularly testing a response and recovery plan.
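Because Playcrypt recompiles its binary for every attack, hash-based IoCs from the advisory will not catch the next intrusion; the tooling listed above (AdFind, PsExec, Mimikatz, GMER/PowerTool, PowerShell disabling Defender) is a more durable signal. The following is an added illustration, not code from the advisory or from HIPAA Journal: it scans constructed process-creation log lines for those tools. The log format, field names, tactic labels and sample events are all my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tools named in the advisory summary. The tactic labels are my own
# shorthand; the advisory describes the tools' purpose, not these labels.
WATCHED_TOOLS = {
    "adfind.exe": "AD enumeration",
    "grixba": "network enumeration",
    "gmer.exe": "defense evasion",
    "powertool": "defense evasion",
    "psexec.exe": "lateral movement",
    "mimikatz.exe": "credential access",
}

# PowerShell arguments that switch Defender real-time protection off
# (assumed indicator for the "PowerShell scripts to disable Defender" step).
DEFENDER_OFF = re.compile(r"set-mppreference.*-disable(realtimemonitoring|ioavprotection)", re.I)

# Constructed log layout: space-separated key=value pairs, cmdline double-quoted.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not real telemetry); line 3 is benign noise.
SAMPLE_LOG = [
    r'2025-06-04T10:12:03Z host=ws01 user=CORP\jdoe image=C:\Temp\adfind.exe cmdline="adfind.exe -f objectcategory=computer -csv"',
    r'2025-06-04T10:20:41Z host=ws01 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2025-06-04T10:31:07Z host=srv02 user=CORP\svc_backup image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'2025-06-04T10:45:55Z host=srv02 user=CORP\jdoe image=C:\Tools\PsExec.exe cmdline="PsExec.exe \\fs01 -s cmd.exe"',
    r'2025-06-04T11:02:14Z host=dc01 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe cmdline="mimikatz.exe"',
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into a field dictionary."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a tactic label if the event matches a watched tool, else None."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()  # basename only
    cmdline = event.get("cmdline", "").lower()
    for tool, tactic in WATCHED_TOOLS.items():
        if tool in image or tool in cmdline:  # catches renamed copies via cmdline
            return tactic
    if image == "powershell.exe" and DEFENDER_OFF.search(cmdline):
        return "defense evasion (Defender disabled)"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, image, tactic) for every suspicious event, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        tactic = classify(ev)
        if tactic:
            findings.append((ev.get("host", "?"), ev.get("image", "?"), tactic))
    return findings
```

AdFind and PsExec also have legitimate administrative uses, so treat each finding as a triage lead and correlate across hosts (enumeration, then Defender disabled, then PsExec to a new host is the sequence worth escalating).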


