Updated #StopRansomware Advisory Warns of Play Ransomware with Over 900 Victims
CISA, in collaboration with the FBI and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC), released an updated #StopRansomware advisory on June 4, 2025, detailing new tactics employed by the Play ransomware group. This advisory builds on a previous version from December 18, 2023, and reflects intelligence obtained through FBI investigations as recent as January 2025. The agencies confirm that, as of May 2025, Play ransomware actors have impacted approximately 900 entities, with victims spanning critical sectors across North America, South America, and Europe. CISA categorizes Play as one of the most active ransomware operations in 2024, noting their repeated use of email communications from domains like @gmx[.]de and @web[.]de to engage victims.
The advisory reinforces essential defensive recommendations: multifactor authentication (MFA), proper vulnerability management, and disaster recovery planning.

The advisory reports that Play ransomware operators heavily exploit public-facing applications. Documented exploitation includes FortiOS flaws CVE-2018-13379 and CVE-2020-12812, Microsoft Exchange ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082, and more recently CVE-2024-57727, a path traversal issue in the SimpleHelp remote access platform. These methods are often paired with the use of valid credentials and services like VPN and RDP. The advisory's sections on discovery, defense evasion, lateral movement, and execution were not updated. Once access is secured, actors begin the discovery process using enumeration tools, both native Windows tools like "nltest" and external tools such as AdFind, Bloodhound, and Process Hacker. Techniques to evade defenses have included PowerShell scripts used to impair system protections such as Microsoft Defender. Additional tools such as GMER, IOBit, and PowerTool are deployed to disable security monitoring and clear event logs.
Lateral movement is conducted using tools such as PsExec, SystemBC, and Cobalt Strike, while credentials are harvested using Mimikatz. Payload deployment is often coordinated via Group Policy Objects. Play ransomware actors also employ Plink to establish SSH tunnels, maintaining persistence across the compromised network. Data exfiltration begins with splitting files and compressing them into ".RAR" archives using WinRAR, followed by outbound transfer via WinSCP. Once data is stolen, encryption is executed using AES-RSA hybrid encryption with intermittent logic, skipping system files and appending a “.PLAY” extension. Ransom notes are dropped as ReadMe[.]txt in public directories. CISA notes that ransom-related phone calls are made to various business lines, pressuring victims into compliance by threatening to leak exfiltrated data. "Play ransomware targets regularly receive phone calls from threat actors encouraging payment and threatening the release of company information. These calls can be routed to a variety of phone numbers within the organization, including those discovered in open source, such as help desks or customer service representatives."
In campaigns targeting ESXi systems, Play ransomware uses tailored shell commands to halt virtual machines and encrypt associated file types such as ".vmdk", ".vmem", and ".vmx". The ESXi variant employs AES-256 encryption and inserts ransom messages in root directories and system messages. Each binary is uniquely recompiled per incident to evade hash-based detection. CISA emphasizes that the tools abused by Play ransomware actors are publicly available and legitimate, and that use of these tools should be evaluated in the full context of activity.
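As an added illustration (not code from the advisory or from CISA), the following heuristic ties the artefacts described above together on a per-host basis: the ".PLAY" extension, the ReadMe.txt note, RAR staging, and the advisory-listed tools, which on their own are legitimate and only count as context. The log format and the executable names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample endpoint events ("timestamp host event_type detail"); not from the advisory.
SAMPLE_EVENTS = """\
2025-05-01T02:10:05Z HOST01 process_start C:\\Tools\\AdFind.exe
2025-05-01T02:12:40Z HOST01 process_start C:\\Program Files\\WinRAR\\Rar.exe
2025-05-01T02:13:02Z HOST01 file_write C:\\Staging\\part01.rar
2025-05-01T02:20:11Z HOST01 process_start C:\\Tools\\WinSCP.exe
2025-05-01T02:41:00Z HOST01 file_write C:\\Finance\\Q1.xlsx.PLAY
2025-05-01T02:41:01Z HOST01 file_write C:\\Finance\\Q2.xlsx.PLAY
2025-05-01T02:41:02Z HOST01 file_write C:\\Finance\\budget.docx.PLAY
2025-05-01T02:41:09Z HOST01 file_write C:\\Users\\Public\\ReadMe.txt
2025-05-01T03:00:00Z HOST02 process_start C:\\Program Files\\WinRAR\\Rar.exe
2025-05-01T03:00:30Z HOST02 file_write C:\\Backups\\nightly.rar
2025-05-01T04:15:00Z HOST03 process_start C:\\Tools\\AdFind.exe
2025-05-01T04:16:00Z HOST03 process_start C:\\Tools\\PsExec.exe
"""
# Executable names assumed for tools the advisory lists; each is legitimate on its own.
ADVISORY_TOOLS = {"adfind.exe", "rar.exe", "winrar.exe", "winscp.exe", "psexec.exe",
                  "plink.exe", "mimikatz.exe", "processhacker.exe", "gmer.exe"}

def classify(event_type, detail):
    # Map one event to an indicator tag drawn from the advisory, or None.
    name = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if event_type == "file_write":
        if name.endswith(".play"):   # ".PLAY" extension appended to encrypted files
            return "play_extension"
        if name == "readme.txt":     # ransom note dropped in public directories
            return "ransom_note"
        if name.endswith(".rar"):    # split/compressed archives staged before WinSCP transfer
            return "rar_staging"
    elif event_type == "process_start" and name in ADVISORY_TOOLS:
        return "tool:" + name
    return None

def score_hosts(log_text, min_play_files=3, min_tools=2):
    # 'critical' on encryption artefacts; 'suspicious' when several advisory-listed tools
    # appear together (CISA's "full context" guidance); otherwise 'benign'.
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        _ts, host, event_type, detail = line.split(None, 3)
        tag = classify(event_type, detail)
        if tag:
            counts[host][tag] += 1
    verdicts = {}
    for host, tags in counts.items():
        encrypting = tags.get("play_extension", 0) >= min_play_files or "ransom_note" in tags
        tools = sum(1 for t in tags if t.startswith("tool:"))
        level = "critical" if encrypting else "suspicious" if tools >= min_tools else "benign"
        verdicts[host] = (level, dict(tags))
    return verdicts
```

On the sample data HOST01 scores critical, HOST03 suspicious (two advisory tools with no encryption artefacts), and HOST02, which only ran WinRAR, stays benign.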