FBI: Play Ransomware Gang Hits 900 Victims Worldwide

The Play ransomware gang has attacked over 900 organizations since its emergence in 2022, according to a new FBI advisory released in collaboration with CISA and Australia’s cybersecurity agency.

Play was previously linked to around 300 attacks in its first year. The updated figure reflects the gang’s growing impact across North and South America, as well as Europe. The FBI called Play “one of the most active ransomware groups in 2024.”

The group is known for custom-compiling its ransomware for each attack, making detection difficult. Victims often receive unique email addresses ending in @gmx.de or @web.de for ransom negotiations, and in some cases, attackers have called help desks directly to pressure payment.

A key tactic involves exploiting vulnerabilities in SimpleHelp, a remote monitoring tool used by many U.S. organizations. One such flaw, CVE-2024-57727, put over 3,400 systems at risk earlier this year.

High-profile attacks attributed to Play include incidents in Dallas County, Oakland, and Lowell, Massachusetts, as well as a breach affecting the Swiss government’s IT provider. The group also targeted Microchip Technology and local governments in Latin America and Indiana.

Researchers at Palo Alto Networks previously found signs that Play may be collaborating with North Korean hackers. In some cases, North Korean actors accessed systems before Play operators deployed ransomware using the same compromised accounts.

The FBI’s updated alert aims to help organizations defend against Play’s evolving techniques and highlights the gang’s ongoing threat to both businesses and critical infrastructure.