Emerging Threat: What to Know About the Play Ransomware Group

Cybercriminals continue finding new ways to extort organizations through disruptive ransomware attacks. The latest advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA) and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) shines a spotlight on the increasingly active Play Ransomware group.  

This threat actor has already impacted around 300 entities across the Americas, Europe and beyond. So, what exactly is the Play Ransomware group, and what tactics are they using to compromise networks? Here’s an in-depth look at this mounting threat. 

Play Ransomware Double Extortion Campaigns Across Industries

Active since June 2022, the Play Ransomware group targets a wide range of sectors, from manufacturing and healthcare to retail and beyond. They encrypt systems after stealing sensitive data, then demand ransom to decrypt files and prevent public leaks of the stolen information. Play Ransomware’s “double extortion” approach puts maximum pressure on victims to pay. 

In recent months, Play Ransomware attacks have surged, with about 300 known victims to date. Ransom notes provide an email address for negotiating with the group but don’t share initial demands, allowing Play to tailor payment amounts based on what they find in compromised networks. With remote work expanding attack surfaces, small businesses can fall victim just like major enterprises. 

Initial Access and Lateral Movement

According to the joint FBI/CISA/ACSC advisory, Play Ransomware primarily gains initial access using stolen credentials of valid accounts and the exploitation of vulnerable public-facing applications, specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities. Unpatched VPN appliances and Microsoft Exchange servers often provide the first opening. 

Once inside, attackers move laterally across the network searching for additional weaknesses and critical data to steal. They cover their tracks using legitimate tools like PowerShell scripts and batch files. This “living off the land” approach helps Play Ransomware fly low to avoid detection. 

Hardening Defenses Against Extortion Campaigns

With remote work and cloud adoption growing exponentially, organizations must take proactive steps to reduce risk. Core mitigations include: 

  • Enabling multi-factor authentication (MFA) across all services to prevent stolen credential use 
  • Following NIST password standards and promptly deactivating dormant accounts 
  • Segmenting networks to limit adversary spread post-compromise 
  • Routinely patching known software vulnerabilities that attackers exploit 
  • Deploying advanced endpoint detection and response (EDR) to identify suspicious behaviors 
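
The first two mitigations can be checked against an identity export. The sketch below is an added example, not code from the advisory: it flags enabled accounts that lack MFA or have gone dormant and lists remote-access accounts first. The CSV column names, the sample rows and the 90-day threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: 90 days is a placeholder threshold, not a figure from the advisory.
DORMANT_AFTER = timedelta(days=90)

# Constructed sample export and audit date; the column names are hypothetical.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EXPORT = """\
username,enabled,mfa_enrolled,last_login,remote_access
alice,true,true,2024-05-28T09:14:00+00:00,true
bob,true,false,2024-05-30T17:02:00+00:00,true
svc-backup,true,false,,false
carol,true,true,2023-11-02T08:00:00+00:00,true
dave,false,false,2022-01-15T12:00:00+00:00,true
"""

def _flag(value):
    return value.strip().lower() == "true"

def audit_accounts(export_text, now, dormant_after=DORMANT_AFTER):
    """Return [(username, reasons)] for enabled accounts that lack MFA or are
    dormant, with remote-access accounts listed first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not _flag(row["enabled"]):
            continue  # already deactivated, so there is nothing to log in with
        reasons = []
        if not _flag(row["mfa_enrolled"]):
            reasons.append("no MFA")
        last_login = row["last_login"].strip()
        if not last_login:
            # Never-used accounts carry no timestamp and are easy to overlook.
            reasons.append("never logged in")
        elif now - datetime.fromisoformat(last_login) > dormant_after:
            reasons.append("dormant")
        if reasons:
            # False sorts before True, so remote-access accounts come first.
            findings.append((not _flag(row["remote_access"]), row["username"], reasons))
    findings.sort()
    return [(user, reasons) for _, user, reasons in findings]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_EXPORT, SAMPLE_NOW):
        print(f"{user}: {', '.join(reasons)}")
```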

The Play Ransomware group shows that cyber extortion continues to escalate across borders and industries. As emerging adversaries like this one refine techniques, proactive governance and resilience become imperative. Paying the ransom often simply invites repeat attacks. With threat intelligence and readiness, organizations can disrupt these schemes.
