The FBI has revealed that the Play ransomware gang has breached around 900 organizations as of May 2025, three times more than previously reported in October 2023.

This update came as part of a joint cybersecurity advisory with CISA and the Australian Cyber Security Centre.

Play ransomware, also known as Playcrypt, has been active since June 2022 and continues to target businesses and critical infrastructure across North America, South America, and Europe. It was one of the most aggressive ransomware groups in 2024, and its activity has not slowed down this year.

The group is known for using newly recompiled malware in each attack, making it harder for antivirus tools to detect them. In some cases, the attackers even call victims by phone, threatening to leak their data unless a ransom is paid.

Security experts have also linked Play ransomware to recent attacks that exploited vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote monitoring and management (RMM) tools. In one incident, attackers used these flaws to break into systems running SimpleHelp RMM, created admin accounts, and installed backdoors with Sliver malware—likely setting up for future ransomware deployment.

Unlike many other ransomware operations, Play doesn’t use a Tor site for ransom negotiations. Instead, victims are contacted through email. The gang also uses a purpose-built tool to extract data from Volume Shadow Copies, allowing it to steal files even when they are being protected by backup software.

Some of Play’s most high-profile victims include Rackspace, the City of Oakland, Dallas County, Arnold Clark, the City of Antwerp, Krispy Kreme, and Microchip Technology.
