FBI issues alert as Play ransomware gang victim list passes 300 mark


The FBI and other cyber security agencies are warning about the rise of the Play ransomware double-extortion group which has now attacked hundreds of organizations.

Since June 2022, Play ransomware - also known as Playcrypt - has hit a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe, the cyber security advisory said.

The FBI said that, as of October this year, it knew of around 300 organizations that had been attacked by the ransomware group. Play ransomware was believed to be used in an attack on the City of Oakland and others including Rackspace.

The Play ransomware attackers use a double-extortion model, which means they encrypt their victims’ systems after first stealing key data. 

But unlike other gangs, it requires victims to communicate with it via email, and the FBI said it operates as “a closed group” to keep its deals secret.

How does Play ransomware operate?

The advisory provides some details of the Play group’s techniques, noting that it gains initial access to victims’ networks by abusing valid accounts and by exploiting internet-facing applications through known FortiOS and Microsoft Exchange (ProxyNotShell) vulnerabilities.

The group has also been observed using services such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs) for initial access. The attackers then use tools to run Active Directory queries, and information-stealers to discover network information and scan for antivirus software.

Thereafter, the attackers attempt to switch off antivirus software and remove log files.

“In some instances, cyber security researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender,” the FBI advisory noted.

Once established on a network, the threat actors search for unsecured credentials in order to gain domain administrator access, or otherwise escalate their privileges to access data. They will then split stolen data into segments, compress files and transfer data out of the network.

After this they deploy the ransomware to encrypt files with AES-RSA hybrid encryption using intermittent encryption.

The ransom note directs victims to contact the Play ransomware group via email. If a victim refuses to pay the cryptocurrency ransom demand, the ransomware actors threaten to publish the exfiltrated data on their leak site.
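The advisory’s description of the intrusion chain gives defenders two reliable telemetry points: antivirus being switched off and event logs being removed. The script below is an added example (not code from the FBI advisory or this article) showing how a detection rule can surface those two steps and rank them higher when they occur together on one host within a short window. The event IDs are standard Windows ones (Defender Operational 5001 and 5010 for real-time protection and scanning being disabled, Security 1102 for the audit log being cleared); the hostnames, user names, timestamps and log records are constructed sample data.

```python
"""Detection sketch: Defender tampering followed by log clearing on one host.

Added example, not part of the advisory or article. Sample records below are
constructed to resemble a JSON export of Windows event logs.
"""
from collections import defaultdict
from datetime import datetime

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
# Defender Operational 5001: real-time protection disabled
# Defender Operational 5010: scanning for malware disabled
DEFENDER_TAMPER_IDS = {5001, 5010}
# Security 1102: the audit log was cleared
LOG_CLEARED_ID = 1102
# How close (in seconds) a log-clear must follow AV tampering to be escalated
CORRELATION_WINDOW_S = 600

# Constructed sample telemetry (hosts, users and times are made up).
SAMPLE_EVENTS = [
    {"ts": "2023-12-18T02:14:05", "host": "FS01", "channel": DEFENDER_CHANNEL,
     "event_id": 5001, "user": "CORP\\svc-backup"},
    {"ts": "2023-12-18T02:14:09", "host": "FS01", "channel": DEFENDER_CHANNEL,
     "event_id": 5010, "user": "CORP\\svc-backup"},
    {"ts": "2023-12-18T02:15:40", "host": "FS01", "channel": "Security",
     "event_id": 1102, "user": "CORP\\svc-backup"},
    # Benign noise: a routine Defender update event on a workstation
    {"ts": "2023-12-18T09:00:00", "host": "WS22", "channel": DEFENDER_CHANNEL,
     "event_id": 1001, "user": "CORP\\alice"},
    # A log clear with no preceding AV tampering: still worth a look, lower priority
    {"ts": "2023-12-18T11:30:00", "host": "WS22", "channel": "Security",
     "event_id": 1102, "user": "CORP\\itadmin"},
]


def classify_event(ev):
    """Map a raw event to a detection category, or None if it is not of interest."""
    if ev["channel"] == DEFENDER_CHANNEL and ev["event_id"] in DEFENDER_TAMPER_IDS:
        return "defender_tampering"
    if ev["channel"] == "Security" and ev["event_id"] == LOG_CLEARED_ID:
        return "log_cleared"
    return None


def find_suspicious(events, window_seconds=CORRELATION_WINDOW_S):
    """Return findings per host; a log clear within the window after AV tampering is 'high'."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify_event(ev)
        if kind is not None:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), kind, ev))

    findings = []
    for host, hits in by_host.items():
        tamper_times = [t for t, kind, _ in hits if kind == "defender_tampering"]
        for t, kind, ev in hits:
            severity, reason = "medium", kind
            if kind == "log_cleared" and any(
                0 <= (t - tt).total_seconds() <= window_seconds for tt in tamper_times
            ):
                severity, reason = "high", "log_cleared_after_defender_tampering"
            findings.append({
                "host": host, "ts": ev["ts"], "user": ev["user"],
                "event_id": ev["event_id"], "severity": severity, "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['ts']} {f['host']} {f['user']} "
              f"event {f['event_id']}: {f['reason']}")
```

On the sample data this yields four findings: two medium-severity Defender tampering events and one high-severity log clear on FS01, and one medium-severity log clear on WS22 that had no preceding tampering. The same per-host, time-windowed correlation translates directly into a SIEM rule; the point is that each event alone is noisy in many environments, but the sequence the advisory describes is not.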

How to counter Play ransomware threats

The FBI and other agencies listed a number of steps that organizations should take to make themselves a harder target for ransomware gangs. 

These included:

  • Implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (for example a hard drive, storage device, or the cloud).
  • Requiring strong passwords and multifactor authentication for webmail, virtual private networks, and accounts that access critical systems.
  • Keeping operating systems, software, and firmware up to date, and prioritizing patching of known exploited vulnerabilities in internet-facing systems.
  • Segmenting networks to prevent the spread of ransomware, since controlling traffic flows between, and access to, subnetworks limits the spread of an attack.
  • Identifying, detecting, and investigating abnormal activity with a network monitoring tool.

Ransomware outlook for 2024 is bleak

Ransomware continues to be a significant problem for business globally. 

According to research by security company Sophos earlier this year, two thirds of companies said they had been hit by ransomware. The most common reported root cause of attack was an exploited vulnerability (36% of cases), followed by compromised credentials (in 29% of cases).

For organizations that fall victim to a ransomware attack, deciding how to respond is hard.

According to Sophos, around half of those that had their data encrypted paid the ransom and regained access to their data. But paying up can actually increase the cost of an attack, to an average of $750,000 in recovery costs compared with $375,000 for organizations that used backups to get their data back.

That’s because victims don’t always get the files back and have to rebuild from backups as well, while negotiating with the criminals also slows down incident response.

Jake Moore, global cyber security advisor at security company ESET, said ransomware attacks now almost always involve the release of data, or at least the threat of it, rendering backups insufficient in defending against these attacks.

“Once threat actors obtain critical sensitive data, they can demand any ransom they choose. Unfortunately, the norm is increasingly seeing data being released into the vast expanse of the internet,” he said.

The outlook for 2024 isn’t particularly positive, so individuals must consistently strengthen their own defenses and remain vigilant against common attacks like phishing and smishing.

Moore noted that the emergence of generative AI tools among threat actors has raised the stakes for organizations, enabling attackers to ramp up attacks and employ more sophisticated techniques.

“With the aid of faster computing power and impressive AI technology, fraudsters leverage their available resources to target victims using sophisticated tactics, coercing them into unknowingly divulging more information,” he warned.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.