The Play ransomware gang has now attacked more than 900 organizations worldwide since it first emerged back in the year 2022. This makes it one of the most threatening cybercrime groups that is currently active, according to new data from the FBI. On Wednesday, the FBI published an important update to a 2023 advisory that had initially reported just 300 total attacks. In collaboration with CISA and Australian partners, the FBI said the figure has now grown to approximately 900 affected entities. The updated security advisory includes newly discovered tactics and other important identifiers that the FBI has found through its multiple investigations. The agency also previously stated Play was among the most active ransomware groups during all of 2024, highlighting its significant global threat.
As part of their extortion tactics, each victim organization receives a unique German email address for all subsequent private communications with them. A certain portion of these victims are also directly contacted by telephone and are threatened with the imminent release of their stolen data. Law enforcement officials have stated that initial access brokers with ties to Play operators continue to exploit multiple known security vulnerabilities. This includes CVE-2024-57727 in the remote monitoring and management tool SimpleHelp, which is actively used by many of Play’s U.S. victims. The advisory also notes that Play’s operators uniquely recompile their ransomware for every single attack, making its detection by defenders extremely difficult.
The Play ransomware gang initially caused widespread public outrage over dozens of its high-profile attacks that had crippling operational impacts. These specific attacks left cities like Oakland, California, and Lowell, Massachusetts, scrambling for many days to deal with their encrypted devices. Dallas County and the government of Switzerland also suffered from attacks that resulted in significant troves of sensitive stolen citizen data. When the Play group first emerged in mid-2022, it primarily targeted various government entities that were located throughout Latin America. However, it very quickly shifted its main focus to United States entities, including the semiconductor manufacturer Microchip Technology and an Indiana county government.
In October, Palo Alto Networks’ Unit42 security team warned of a new concerning development involving the ransomware group’s known operations. They reported that sophisticated hackers affiliated with North Korea’s Reconnaissance General Bureau appeared to be collaborating to some extent with Play actors. Their detailed investigation into these various incidents revealed the North Korean actors had performed the initial difficult work of gaining system access. The same exact compromised user account was then subsequently used by a completely different hacker who then deployed the Play ransomware payload. This complex collaboration demonstrates a specialized, multi-stage attack methodology involving different threat actor groups working closely together to achieve their goals.
Reference:
