
FBI: Play ransomware group breached 900 organizations worldwide


A new federal advisory reveals that the Play ransomware gang has tripled its known victim count since late 2023, affecting hundreds of entities across three continents.


What happened

The FBI has disclosed that the Play ransomware group, also known as Playcrypt, has breached approximately 900 organizations as of May 2025, up from the 300 reported in October 2023. The updated figures come via a joint advisory issued alongside the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre.

Active since mid-2022, the Play ransomware group has targeted both private businesses and infrastructure in North America, South America, and Europe. The group ranked among the most active ransomware operators in 2024.


Going deeper

Play ransomware affiliates rebuild their malware for each attack, making signature-based detection difficult. They typically steal sensitive data before encrypting systems and pressure victims into paying by threatening to publish the stolen data on the group's dark web leak site. Unlike many ransomware groups, Play negotiates with victims over email rather than through Tor-based negotiation portals.

Recent campaigns have also included direct phone threats to victims, adding pressure during negotiations. Since early 2025, attackers linked to Play have been exploiting vulnerabilities in remote monitoring and management tools (specifically CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) and deploying Sliver beacons to maintain access to compromised systems.

The ransomware gang also employs a custom VSS Copying Tool that copies files from Volume Shadow Copy Service (VSS) snapshots, allowing it to take files even while they are locked by other applications.


What was said

The FBI’s advisory discusses the group’s adaptability and technical sophistication. Agencies recommend immediate actions to harden defenses, including patching vulnerabilities, enforcing multifactor authentication (particularly for VPNs and administrative systems), and ensuring regular offline backups.

High-profile Play victims have included Rackspace, the City of Oakland, Dallas County, Krispy Kreme, the Belgian city of Antwerp, and Microchip Technology.


FAQs

What makes Play ransomware harder to detect than others?

Play retools its malware for each attack, which defeats signature-based detection. It also uses a custom shadow copy tool to read files through VSS snapshots, bypassing the file locks that would otherwise block copying.


How do access brokers contribute to ransomware operations?

Access brokers specialize in infiltrating networks and selling or sharing that access with ransomware groups like Play, reducing the need for direct system compromise.


Why does Play ransomware avoid using Tor negotiation sites?

Unlike other groups, Play uses email for negotiations, which may allow them more direct control and lower operational complexity while evading some monitoring systems.


What are Sliver beacons, and why are they significant?

Sliver is an open-source command-and-control (C2) framework used after initial compromise. Its beacons give attackers persistent remote control over a system, often serving as the foothold from which ransomware is later deployed.


What is the recommended first step if a system is compromised by ransomware?

Disconnect the system from the network immediately, preserve forensic evidence, and contact cybersecurity professionals or federal authorities before paying any ransom.
