Ransomware Rampage: Play Group Strikes 900 Organizations in Cybercrime Spree
Play ransomware hit 900 organizations since 2022, proving they’re the overachievers of cybercrime. With a knack for crashing parties like the City of Oakland and Rackspace, they make unwanted guests look charming. Their secret? A double extortion model with a side of cryptocurrency demands. Watch out, they might just RSVP to your next digital event!

Hot Take:
When it comes to ransomware, it’s clear there’s no “Play” in Play ransomware—unless, of course, you count the game of “Catch Me If You Can” that they’re playing with cybersecurity agencies across the globe. It seems the only games these hackers are interested in involve high-stakes extortion and a little bit of virtual hide-and-seek. But remember, Play ransomware, it’s all fun and games until someone loses a server!
Key Points:
- Play ransomware has targeted approximately 900 organizations since June 2022.
- The group follows a double extortion model, demanding cryptocurrency payments.
- Play ransomware exploits vulnerabilities in FortiOS, Microsoft Exchange, and VPNs.
- Recent attacks use a new SimpleHelp vulnerability to execute malicious code.
- The group employs various tools to disable security and steal credentials.
Ransomware: 900 And Counting
The notorious Play ransomware group has been busy, hitting nearly 900 organizations since they first strutted onto the scene in mid-2022. Talk about a prolific career—these cybercriminals have been working harder than a caffeinated beaver at a lumber mill. Notable victims include the City of Oakland, Rackspace, and Royal Dirkzwager, proving that no industry is safe from their nefarious reach. It’s a bit like playing darts blindfolded, except they’re hitting bullseyes with alarming accuracy.
Double Trouble: The Extortion Model
Play ransomware isn’t just about encrypting files and holding them hostage. No, these cyber baddies have added another layer to their extortion game. They threaten to publish stolen data if their cryptocurrency demands aren’t met, putting organizations between a rock and a hard drive. Victims get a friendly note instructing them to contact the group via email addresses that sound like a bad Geocities page from the ’90s (@gmx[.]de or @web[.]de). It’s like finding out your kidnapper moonlights as a low-budget tech support agent.
Exploiting Vulnerabilities: It’s a Hack-eat-Hack World
In their quest for global domination (or at least a really hefty Bitcoin wallet), the Play ransomware group has become adept at exploiting vulnerabilities. Known flaws in FortiOS and Microsoft Exchange, along with exposed external-facing services like RDP and VPNs, are their playgrounds. The latest twist in their saga involves exploiting a new SimpleHelp vulnerability to execute malicious code. It’s like they’re taking a cooking class in cyber mischief, constantly adding new recipes to their digital cookbook of chaos.
Tools of the Trade: Digital Swiss Army Knives
The Play ransomware actors are like digital Swiss Army knives, equipped with every tool imaginable to wreak havoc. From AdFind and Grixba for network reconnaissance to GMER and IOBit for disabling antivirus defenses, they’re armed to the teeth with tech-savvy trickery. They deploy PowerShell scripts and rely on Cobalt Strike, SystemBC, and PsExec for lateral movement, making them a veritable one-stop-shop for all your cybercrime needs. If you need credentials stolen or malware spread, they’re your go-to guys (but maybe don’t put that on your resume).
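For defenders, the practical takeaway from that tool list is that most of it shows up in ordinary process-creation telemetry. The following is an added example, not code from the original post or from any advisory on Play: a small Python detection pass over constructed process-creation log lines that flags the named reconnaissance and lateral-movement executables (AdFind, Grixba, GMER, IOBit, PsExec) plus PowerShell launched with an encoded command. The pipe-separated log layout, host names, user names and the base64 string are all invented for the example; Cobalt Strike and SystemBC are not matched by name because they rarely run under a recognisable executable name.

```python
"""
Added example (not from the original post): flag Play-associated tooling in
process-creation logs. Log format is an assumed, simplified layout:
    timestamp|host|user|image_path|command_line
"""
import re
from dataclasses import dataclass

# Executable name fragments for tools the post names, mapped to the tactic the
# post associates them with. Matched case-insensitively against the image stem.
# Substring matching favours recall (e.g. adfind64, PsExec64); analysts triage.
TOOL_SIGNATURES = {
    "adfind": "network reconnaissance (AD enumeration)",
    "grixba": "network reconnaissance",
    "gmer": "defense evasion (AV disable)",
    "iobit": "defense evasion (AV disable)",
    "psexec": "lateral movement",
}

# PowerShell invoked with an encoded command (-e/-ec/-enc/-EncodedCommand
# followed by a base64 blob) is a common way to hide script content.
ENCODED_PS = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    reason: str
    command_line: str


def parse_line(line):
    """Split one log line into its five fields; return None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "command_line"), parts))


def image_stem(image_path):
    """'C:\\Users\\Public\\adfind.exe' -> 'adfind' (lower-case, no extension)."""
    base = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def classify(event):
    """Return a human-readable reason if the event looks suspicious, else None."""
    stem = image_stem(event["image"])
    for name, tactic in TOOL_SIGNATURES.items():
        if name in stem:
            return f"known Play tooling: {name} ({tactic})"
    if stem in ("powershell", "pwsh") and ENCODED_PS.search(event["command_line"]):
        return "PowerShell with encoded command"
    return None


def scan(log_text):
    """Run classify() over every well-formed line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        event = parse_line(raw.strip()) if raw.strip() else None
        if event is None:
            continue
        reason = classify(event)
        if reason:
            findings.append(Finding(event["timestamp"], event["host"],
                                    event["user"], reason, event["command_line"]))
    return findings


# Constructed sample telemetry. The base64 blob is UTF-16LE "Write-Output 'hi'",
# chosen only so the encoded-command pattern has something harmless to match.
SAMPLE_LOG = """\
2024-01-15T09:12:01Z|WS-FIN-07|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe budget.txt
2024-01-15T09:14:33Z|WS-FIN-07|CORP\\jdoe|C:\\Users\\Public\\adfind.exe|adfind.exe -f objectcategory=computer -csv
2024-01-15T09:20:05Z|SRV-DC-01|CORP\\svc_backup|C:\\Windows\\PsExec64.exe|PsExec64.exe \\\\SRV-FS-02 cmd.exe
2024-01-15T09:21:47Z|SRV-FS-02|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAnAGgAaQAnAA==
2024-01-15T09:25:00Z|WS-HR-03|CORP\\asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|EXCEL.EXE payroll.xlsx
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason} :: {f.command_line}")
```

The value of a pass like this is less in any single hit than in the sequence: AD enumeration from a workstation, followed minutes later by PsExec from a service account on a domain controller and an encoded PowerShell launch on a file server, is the shape of the intrusion the post describes, so the findings are worth correlating by host and account rather than triaging one at a time.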
ESXi Variant: The Plot Thickens
Just when you thought it couldn’t get any worse, Play ransomware introduces an ESXi variant that targets virtual machines. This variant goes full Terminator on VMs, shutting them down and encrypting their files with randomly generated keys. Each binary is recompiled for every campaign, which is like giving each attack its own custom-made villain’s cape. The report even hints at some added functionality through command line flags, suggesting they’re as dedicated to their craft as an Oscar-winning actor prepping for a role. It’s like the Marvel Cinematic Universe, but with more zeros and ones.
So, dear readers, as you navigate the treacherous waters of the digital world, remember that while Play ransomware is playing hardball, being informed and prepared is your best defense. After all, when it comes to cybersecurity, knowledge isn’t just power—it’s the ultimate superhero cape. Stay safe out there, and don’t let the cyber baddies get you down!