The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), has released an updated joint advisory detailing the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) associated with the Play ransomware group.
As of May 2025, the FBI has reported that around 900 entities have been targeted by these cybercriminals, highlighting the extensive reach and impact of this ransomware variant across North America, South America, and Europe since its inception in June 2022.
Also known as Playcrypt, this ransomware group has emerged as one of the most active threats in 2024, employing a sophisticated double extortion model that targets a diverse array of businesses and critical infrastructure.
Over 900 Entities Affected by Sophisticated Double Extortion Model
The advisory, updated on June 4, 2025, outlines the methods by which Play ransomware actors gain initial access. They exploit vulnerabilities in public-facing applications, including FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange (ProxyNotShell vulnerabilities CVE-2022-41040 and CVE-2022-41082), while also taking advantage of valid accounts likely obtained from dark web markets.
The actors also abuse external-facing services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN), and have recently been reported to exploit a vulnerability in the SimpleHelp remote monitoring and management tool (CVE-2024-57727) to execute code remotely.
Once inside, the group uses AdFind for Active Directory queries and Grixba, an information stealer, to enumerate the network. They disable antivirus and endpoint protection with tools such as GMER and IOBit, then rely on command-and-control frameworks such as Cobalt Strike and SystemBC to move laterally and execute files. Mimikatz is used for credential dumping, which lets them escalate to domain administrator access.
A distinctive feature of their operations is that the ransomware binary is recompiled for each attack, so every intrusion produces a unique hash. Signature- and hash-based anti-malware detection therefore rarely catches the encryptor itself, which complicates defense.
The impact of Play ransomware is magnified by its double extortion strategy, which involves encrypting systems after data exfiltration and demanding cryptocurrency ransoms through unique email addresses, such as those ending in @gmx.de or @web.de. Organizations that do not comply face threats of data leaks on the group’s Tor network site, often accompanied by direct phone calls to pressure victims into payment.
Additionally, the group’s ESXi variant specifically targets virtual environments, encrypting files with extensions like .vmdk and .vmx using AES-256 encryption while shutting down virtual machines.
The advisory emphasizes the importance of immediate mitigation measures, including the implementation of multifactor authentication, regular software patching, network segmentation, and the maintenance of offline encrypted backups to limit the spread and impact of the ransomware.
Organizations are also encouraged to validate their security controls against the techniques outlined in the MITRE ATT&CK framework to bolster defenses against this evolving threat.
Indicators of Compromise (IoCs)
| Hash (SHA-256) | Description |
|---|---|
| 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E | SVCHost.dll (backdoor) |
| 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A | Backdoor |
| 1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 | PSexesvc.exe (custom Play “psexesvc”) |
| 0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 | HRsword.exe (disables endpoint protection) |
| 6DE8DD5757F9A3AC5E2AC28E8A77682D7A29BE25C106F785A061DCF582A20DC6 | Hi.exe (associated with ransomware) |
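The following script is an added example, not code from the CISA advisory or from the Play actors' toolset. It sweeps a directory tree, compares each file's SHA-256 digest against the hashes in the table above, and flags text files that carry a ransom contact address at @gmx.de or @web.de as described earlier. The set of text extensions it reads and the sample files built in `demo()` are assumptions constructed for the illustration; the fictitious contact address is made up. Because the Play encryptor is recompiled per intrusion, the hash match will mostly catch the reused support tools (backdoors, the custom psexesvc, HRsword.exe) rather than the encryptor itself, so the ransom-note check is there as a second, hash-independent signal.

```python
"""Sweep a directory tree for the Play ransomware IoCs listed in the advisory table.

Added illustration, not part of the CISA advisory: matches file SHA-256 digests
against the published hashes and flags text files that carry a ransom contact
address ending in @gmx.de or @web.de. The sample tree built in demo() is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 hashes from the advisory table, lower-cased so comparison is case-insensitive.
PLAY_IOC_HASHES = {
    "47b7b2dd88959cd7224a5542ae8d5bce928bfc986bf0d0321532a7515c244a1e": "SVCHost.dll (backdoor)",
    "75b525b220169f07aecfb3b1991702fbd9a1e170caf0040d1fcb07c3e819f54a": "backdoor",
    "1409e010675bf4a40db0a845b60db3aae5b302834e80adeec884aebc55eccbf7": "PSexesvc.exe (custom Play psexesvc)",
    "0e408aed1acf902a9f97abf71cf0dd354024109c5d52a79054c421be35d93549": "HRsword.exe (disables endpoint protection)",
    "6de8dd5757f9a3ac5e2ac28e8a77682d7a29be25c106f785a061dcf582a20dc6": "Hi.exe (associated with ransomware)",
}

# Ransom contact addresses reported in the advisory end in @gmx.de or @web.de.
RANSOM_CONTACT_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:gmx|web)\.de\b", re.IGNORECASE)

# Extensions worth reading as text when hunting for ransom notes (assumption, not from the advisory).
TEXT_EXTENSIONS = {".txt", ".html", ".htm", ".log"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, ioc_hashes=PLAY_IOC_HASHES, max_text_bytes=64 * 1024):
    """Return a list of (kind, path, detail) hits found under root.

    kind is "hash" for a SHA-256 IoC match and "ransom_contact" for a text file
    containing an address at one of the ransom-note domains.
    """
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        if digest in ioc_hashes:
            hits.append(("hash", str(path), ioc_hashes[digest]))
        if path.suffix.lower() in TEXT_EXTENSIONS:
            # Only the first max_text_bytes are inspected; ransom notes are short.
            head = path.read_bytes()[:max_text_bytes].decode("utf-8", errors="ignore")
            contacts = sorted({m.lower() for m in RANSOM_CONTACT_RE.findall(head)})
            if contacts:
                hits.append(("ransom_contact", str(path), contacts))
    return hits


def demo():
    """Build a constructed sample tree, scan it, and return hits keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed ransom note: the address is fictitious, only the domain comes from the advisory.
        (root / "ReadMe.txt").write_text("Your files are encrypted. Contact: recovery-demo@gmx.de\n")
        (root / "notes.txt").write_text("quarterly planning, nothing to see\n")
        # Constructed stand-in for a matched binary. A real Play encryptor is recompiled per
        # intrusion, so its hash is unlikely to appear in any published list; the support
        # tools in the table are the realistic hash hits.
        sample = root / "sample.bin"
        sample.write_bytes(b"constructed test payload, not malware")
        iocs = dict(PLAY_IOC_HASHES)
        iocs[sha256_file(sample)] = "constructed test binary"
        return {Path(p).name: (kind, detail) for kind, p, detail in scan_tree(root, iocs)}


if __name__ == "__main__":
    for name, (kind, detail) in demo().items():
        print(f"{kind:15} {name}: {detail}")
```

Run it against a mounted image or a suspect host's file shares by replacing the temporary tree with the real root path; treat any hit as a lead for triage, not proof of compromise, and pair it with the behavioural indicators from the advisory (AdFind and Grixba enumeration, endpoint-protection tampering, Cobalt Strike or SystemBC traffic), since the hash list alone will miss a freshly recompiled encryptor.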