![[Weekly funding roundup May 31-June 6] VC inflow continues to remain stable](https://images.yourstory.com/cs/2/220356402d6d11e9aa979329348d4c3e/WeeklyFundingRoundupNewLogo1-1739546168054.jpg)
FBI warns Play ransomware hackers have hit nearly a thousand US firms
Play hackers have added phone calls to their extortion tactics, and are targeting more flaws.
- Play Ransomware has hit 900 companies so far, new FBI advisory claims
- The group is calling victims on the phone to try and force them to pay the ransom demand
- It also added new vulnerabilities to its arsenal
Play Ransomware’s “body count” is almost hitting four digits, a new warning from top legal enforcement has revealed, urging businesses to stay on guard against attacks.
In an updated security advisory, published by the FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), it was said that Play and its affiliates exploited “approximately 900 entities”.
Play Ransomware, also known as Playcrypt, is an infamous ransomware operator. It is known for using the atypical triple-extortion method in which, besides encrypting and exfiltrating files, it also calls its victims on the phone to convince them to pay up.
SimpleHelp flaws targeted
The security agencies’ security advisory has been updated to reflect changes Play and its affiliates made in recent times. For example, it was said that the victims get a unique @gmx.de, or @web.de email address, through which they’re invited to communicate with the attackers.
Furthermore, the group seems to have added new vulnerabilities to the ones they were already targeting. Besides FortiOS (CVE-2018-13379, and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082) bugs, they are now exploiting CVE-2024-57727 in remote monitoring and management (RMM) tool SimpleHelp, which they’re using for remote code execution (RCE) capabilities.
This vulnerability was first spotted in mid-January 2025, and has been exploited since.
To make things even worse, the agencies are saying that the Play ransomware binary is recompiled for every attack, which means it gets a new, unique hash, for each deployment. This complicates anti-malware and antivirus program detection.
Play was first spotted around 2020, and in the past, was known for targeting Windows-powered devices, but in late July 2024, security researchers saw a Linux variant targeting VMWare ESXi environments.
In a technical breakdown, Trend Micro’s Threat Hunting team said at the time that it was the first time Play was seen targeting ESXi environments, and it could be that the criminals are broadening their attacks across the Linux platform.
Via The Register
You might also like
- This dangerous new Linux malware is going after VMware systems with multiple extortion attempts
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
