Play Ransomware Is Back: FBI Warning for Growing Enterprise Risk

In June 2025, the FBI, CISA, and the Australian Cyber Security Centre (ACSC) issued a joint cybersecurity advisory warning of a significant resurgence in Play ransomware attacks. This rare alert flagged over 900 confirmed victims across the public sector, healthcare, and SMBs; many of them were targeted through deceptive email addresses such as @web.de and @gmx.de.

Unlike typical advisories that provide generic mitigation steps, this one delivered detailed indicators of compromise (IoCs) and exposed advanced techniques used by Play operators. These included double extortion tactics, persistent access via command-line tools, and tailored social engineering campaigns, which sometimes extend to phone calls pressuring victims to pay.

The FBI’s investigation also points to possible links between Play ransomware and state-backed threat actors. Two groups in particular, Balloonfly and the North Korean-linked Andariel, are believed to be connected to Play’s operations. This raises serious concerns, as it blurs the line between traditional cybercrime and geopolitical espionage.

Ransomware attacks today are no longer quick-hit operations. They are starting to look and behave more like advanced persistent threats (APTs), with long-term presence and deeper impact. This warning is a clear prompt for CISOs and security teams to reevaluate their threat models and prepare for a shifting landscape.

What Is Play Ransomware and How Does It Work?

Play ransomware is a threat group that targets organizations using a multi-extortion strategy: it encrypts their data to increase pressure and maximize leverage, and threatens to publish the stolen data on TOR-based leak sites to extort a ransom. It first appeared in June 2022 and is named after the .play extension that the ransomware adds to encrypted files.

Play gains initial access by exploiting known FortiOS vulnerabilities (CVE-2018-13379 and CVE-2020-12812) and exposed RDP servers. After gaining access, the operators distribute payloads across the compromised environment using Group Policy Objects, execute malicious code via APIs and PowerShell to escalate privileges, and maintain persistence with web shells.

The group uses intermittent encryption, which encrypts only selected sections of every compromised file, unlike traditional ransomware that encrypts each file in full; the partially encrypted files are left just as inaccessible.
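Intermittent encryption leaves a recognisable trace that whole-file encryption does not: windows of near-random bytes interleaved with windows of ordinary content. The following scanner, added here as an illustration and not code from the advisory or from any Play sample, measures Shannon entropy per window and labels a file body accordingly. The window size and thresholds are assumptions to tune per environment, and the sample files are constructed.

```python
import math
import random
from collections import Counter

# Tunable assumptions: window size and entropy thresholds in bits per byte.
# Ciphertext and random data approach 8.0; ordinary text sits well below 6.0.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.2
LOW_ENTROPY = 6.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each consecutive window of the file body."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """
    Label a file body by its per-window entropy pattern:
      'plain'        - no high-entropy window at all
      'full'         - every window is high-entropy (whole-file encryption, or a format
                       that is compressed by design such as archives and images, so this
                       label alone is not proof of encryption)
      'intermittent' - high-entropy windows interleaved with low-entropy ones, the
                       pattern partial encryption leaves behind
      'mixed'        - some high-entropy windows but nothing clearly low-entropy
    """
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return "plain"
    high = [e >= HIGH_ENTROPY for e in ents]
    low = [e <= LOW_ENTROPY for e in ents]
    if not any(high):
        return "plain"
    if all(high):
        return "full"
    if any(low):
        return "intermittent"
    return "mixed"


def scan_file(path: str) -> str:
    """Classify a file on disk by reading its full contents."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample data, not a real victim file: 'P' is a window of ordinary
# text, 'C' a window of seeded pseudorandom bytes standing in for ciphertext.
TEXT_WINDOW = (b"Quarterly report: revenue grew 4% year over year. " * 100)[:CHUNK_SIZE]


def build_sample(pattern: str, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    out = bytearray()
    for ch in pattern:
        out += rng.randbytes(CHUNK_SIZE) if ch == "C" else TEXT_WINDOW
    return bytes(out)


if __name__ == "__main__":
    for pattern in ("PPPP", "CCCC", "CPCPCP"):
        sample = build_sample(pattern)
        print(pattern, classify(sample), [round(e, 2) for e in chunk_entropies(sample)])
```

In a real triage run you would feed `scan_file` a list of paths from a file share and treat `intermittent` hits as strong evidence, while `full` hits need a check of the file's magic bytes first, since compressed formats look the same to an entropy test.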

Play’s calculated approach to its targets includes anti-analysis, custom encryption, and advanced evasion techniques such as anti-debugging and bypassing EDR protection.

Play ransomware’s evasion tactics rely on tools such as:

  • AdFind for running Active Directory queries
  • Grixba, an information stealer used to enumerate network information; it can also scan for antivirus software installed on the target system
  • WinPEAS for finding additional privilege escalation paths

Play ransomware evades detection using command-and-control (C2) frameworks such as SystemBC and Cobalt Strike, which assist in file execution and lateral movement. In certain cases, the ransomware also uses PowerShell scripts that target Microsoft Defender as part of its defense evasion strategy.

What Makes Play Ransomware So Dangerous?

Some of the tactics, techniques, and procedures (TTPs) that make Play ransomware dangerous are as follows:

Key Tools and Tactics Behind Play Ransomware

  • Cobalt Strike for Lateral Movement

    The ransomware uses Cobalt Strike, a popular post-exploitation and red teaming tool for file execution and lateral movement. The tool enables attackers to establish command-and-control (C2) channels, escalate privileges, and deploy malicious payloads.

  • Privilege Escalation with winPEAS

    Play leverages winPEAS to gather information about vulnerabilities within the target system. The tool abuses commands and script interpreters, which attackers automate to find privilege escalation paths. It lets them identify stored credentials, weak permissions, and system misconfigurations that can be exploited.

  • ADFind Tool

    The ransomware utilizes Adfind, a legitimate command-line tool. It is designed to query Active Directory to collect information about the operating system and target domain.

  • schtasks for Creating New Scheduled Tasks

    Play creates new scheduled tasks with schtasks, a common technique for defense evasion. Attackers schedule a malicious PowerShell script that runs payloads automatically, without the need for user interaction.

  • Leveraging the nltest Tool

    The ransomware utilizes nltest, a built-in Windows command-line tool for enumerating domain controllers within a target network. Attackers run nltest to identify domain controllers, which hold information crucial for privilege escalation and lateral movement.

  • Gather User Credentials with Mimikatz Tool

    Play uses the post-exploitation tool Mimikatz to dump user credentials from memory. Attackers extract NTLM hashes, Kerberos tickets, and plaintext passwords from compromised systems.
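Every tool in the list above leaves a process-creation event behind, which is where a security team can catch the intrusion before encryption starts. The detector below is an added example, not code from the advisory or from any vendor product: it runs a handful of rules over a constructed set of process-creation events (the key=value layout, hosts, users and paths are all invented for the illustration) and raises one alert per match. The rules cover the schtasks-plus-PowerShell pattern, nltest domain controller enumeration, AdFind, Mimikatz, winPEAS, and PowerShell turning off a Microsoft Defender setting.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). The layout
# mimics a Sysmon Event ID 1 / Windows Security 4688 export flattened to
# key=value pairs; hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    '2025-06-05T10:14:02Z host=FS01 user="CORP\\jdoe" image=C:\\Windows\\explorer.exe cmd="explorer.exe"',
    '2025-06-05T10:15:40Z host=FS01 user="CORP\\jdoe" image=C:\\Windows\\System32\\nltest.exe cmd="nltest /dclist:corp.local"',
    '2025-06-05T10:16:05Z host=FS01 user="CORP\\jdoe" image=C:\\Temp\\adfind.exe cmd="adfind.exe -f objectcategory=computer"',
    '2025-06-05T10:18:51Z host=FS01 user="NT AUTHORITY\\SYSTEM" image=C:\\Windows\\System32\\schtasks.exe '
    'cmd="schtasks /create /tn Maintenance /sc onstart /ru SYSTEM /tr \'powershell.exe -w hidden -f C:\\ProgramData\\m.ps1\'"',
    '2025-06-05T10:21:13Z host=FS01 user="NT AUTHORITY\\SYSTEM" image=C:\\Users\\Public\\mimikatz.exe cmd="mimikatz.exe"',
    '2025-06-05T10:22:30Z host=WS17 user="CORP\\jdoe" image=C:\\Users\\Public\\winPEASx64.exe cmd="winPEASx64.exe"',
    '2025-06-05T10:25:02Z host=WS17 user="CORP\\jdoe" image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"',
    '2025-06-05T10:30:00Z host=WS17 user="CORP\\jdoe" image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /query /tn Maintenance"',
    '2025-06-05T10:31:00Z host=WS17 user="CORP\\jdoe" image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -c Get-Process"',
]

# key=value where the value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one flattened event into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {"timestamp": timestamp}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of the executable, without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule: (description, predicate over the lower-cased image name and command line).
RULES = [
    ("Scheduled task created that launches PowerShell",
     lambda img, cmd: img == "schtasks.exe" and "/create" in cmd and "powershell" in cmd),
    ("Domain controller enumeration via nltest",
     lambda img, cmd: img == "nltest.exe" and ("/dclist" in cmd or "/domain_trusts" in cmd)),
    ("Active Directory reconnaissance via AdFind",
     lambda img, cmd: img.startswith("adfind")),
    ("Credential dumping tool (Mimikatz) executed",
     lambda img, cmd: "mimikatz" in img),
    ("Privilege-escalation enumeration via winPEAS",
     lambda img, cmd: "winpeas" in img),
    ("PowerShell disabling a Microsoft Defender setting",
     lambda img, cmd: img in ("powershell.exe", "pwsh.exe") and "set-mppreference" in cmd and "-disable" in cmd),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    cmd: str


def detect(lines) -> list[Alert]:
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        img = image_name(ev.get("image", ""))
        cmd = ev.get("cmd", "").lower()
        for rule, matches in RULES:
            if matches(img, cmd):
                alerts.append(Alert(ev["timestamp"], ev.get("host", ""), ev.get("user", ""), rule, ev.get("cmd", "")))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} {a.user}: {a.rule} <- {a.cmd}")
```

The two benign events at the end (a task query and an ordinary PowerShell command) are there to show that the rules key on the action, not merely on the binary name; in production the same predicates would sit in your SIEM's query language, with the image-name checks widened to hashes, since renaming mimikatz.exe is the first thing an operator does.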

Why the FBI’s Warning Signals a Larger Trend

CISA and the FBI indicate a dramatic surge in ransomware attacks, signaling a broader pattern emerging across the cybersecurity landscape. Their alerts specifically call out the sophisticated techniques used by groups like Play, which often gain initial access through exposed VPNs or Remote Desktop Protocol (RDP) services.

Some of the tools commonly used by threat actors are PsExec, Mimikatz, and Cobalt Strike. FBI alerts from Q1 2025 show a steady rise in the ransomware-as-a-service (RaaS) model, where operators lease out payloads to affiliates. However, many of these affiliates have since grown more aggressive, engaging in deception, exposing their own identities, or falling out with operators over lost profits.

In several domestic incidents, the FBI has pursued efforts to prosecute the individuals behind these attacks. But the wider trend points to something deeper: a return to hands-on-keyboard attacks, often led by lone extortionists or well-structured groups, using standard command-line tools to infiltrate systems, steal data, and create operational disruptions. This also includes hacktivism and cyber espionage.

What makes alerts like this one especially important is their rare and targeted nature. The FBI doesn’t frequently call out individual ransomware groups. So, when it does, as in the case of Play, it signals the seriousness of the threat.

As part of the advisory, the FBI has also warned of identity-based attacks, in which attackers impersonate victims or steal user identities in order to demand ransom.

With AI-powered threats and real-time identity manipulation on the rise, enterprises should view this as more than a tactical alert. Verifying communications, training staff, enforcing multi-factor authentication (MFA), and closely monitoring privileged access have become critical defense measures.

The FBI warns that failure to act on such alerts could leave organizations exposed not only to data loss but also to long-term infiltration and intelligence compromise. Ransomware is no longer just a financial threat; it is becoming a tool for disruption.

Lessons for Enterprises: What This Means for Security Teams

Some of the key takeaways from the Play ransomware campaign that organizations and CISOs can fold into their prevention and mitigation strategy are as follows:

Attack Surface Visibility

Understanding the attack surface helps organizations identify weak spots in their systems and components. This means knowing which devices, applications, and systems in the organization are vulnerable to exploitation, which security teams can establish through ongoing monitoring with tools that gather and analyze risk data.

Least Privilege Access

Security initiatives within the organization need to apply the principle of least privilege. Limiting each user’s access to internal data reduces the risk of data breaches and unauthorized access.

Zero Trust Architecture

It is important to adopt a Zero Trust security model that checks every access request in the system regardless of where it originates. This approach treats every access request, internal or external, as untrusted by default. Teams can inspect all incoming requests, which enables them to monitor for malicious behavior and enforce stricter access controls.

Regular Audits of SSL Certificates

SSL certificates do more than just enable HTTPS. They prove your website’s identity and keep user data encrypted in transit. But if a certificate is misconfigured or expires without notice, it can create serious security gaps. That’s why regular audits matter. They help you catch expired or soon-to-expire certificates, ensure proper installation, and confirm that no public-facing service is left unsecured. It’s a simple habit that prevents avoidable breaches, supports compliance, and shows your users they can trust your site every time they visit.
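The audit described above can be scripted against a certificate inventory. The example below is added here and is not SSL2Buy's own tooling: it classifies each certificate by days to expiry, checks that the leaf certificate actually covers the hostname it is served on (a common misconfiguration), and includes a live fetcher using only the Python standard library. The 30-day renewal window, the audit date and the three certificates in the inventory are constructed assumptions; the certificate dictionaries follow the shape `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

# Assumption: alert on anything expiring within this many days (set per policy).
WARN_DAYS = 30


def expiry_status(not_after: str, now_epoch: int, warn_days: int = WARN_DAYS) -> tuple[str, int]:
    """Classify a certificate from its notAfter string ('Jun  1 12:00:00 2025 GMT').

    Returns (status, whole days left); negative days mean the certificate has expired.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    days_left = (expires - now_epoch) // 86400
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def hostname_covered(hostname: str, cert: dict) -> bool:
    """True if a DNS subjectAltName entry matches the host (exact or single-label wildcard)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # '*.example.com' covers 'www.example.com' but not 'example.com' or 'a.b.example.com'.
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check over the network: returns the decoded leaf certificate of a TLS endpoint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(inventory, now_epoch: int) -> list[dict]:
    """inventory: iterable of (hostname, cert_dict). Returns one finding per host."""
    findings = []
    for host, cert in inventory:
        status, days = expiry_status(cert["notAfter"], now_epoch)
        findings.append({
            "host": host,
            "status": status,
            "days_left": days,
            "name_match": hostname_covered(host, cert),
        })
    return findings


# Constructed sample: audit date and three hypothetical certificates (not real hosts).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2025 GMT")
SAMPLE_INVENTORY = [
    ("www.example.com", {
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
        "notAfter": "Sep 30 23:59:59 2025 GMT",          # healthy
    }),
    ("api.example.com", {
        "subjectAltName": (("DNS", "*.example.com"),),
        "notAfter": "Jul  1 12:00:00 2025 GMT",          # inside the renewal window
    }),
    ("legacy.example.com", {
        "subjectAltName": (("DNS", "legacy.example.org"),),
        "notAfter": "May 31 23:59:59 2025 GMT",          # expired and served for the wrong name
    }),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_NOW):
        flag = "" if f["name_match"] else "  NAME MISMATCH"
        print(f"{f['host']:<22} {f['status']:<9} {f['days_left']:>5}d{flag}")
```

To run it against real endpoints, build the inventory as `[(h, fetch_cert(h)) for h in hosts]` with the current time from `time.time()`; note that `fetch_cert` uses the default verifying context, so an endpoint with an already-expired or untrusted chain raises `ssl.SSLCertVerificationError`, which the audit should catch and report as a finding rather than skip.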


Comparing Play to Other Active Ransomware Groups (Quick Snapshot)

| Group | Key Tactics | Targets | Notable Traits |
| --- | --- | --- | --- |
| Play | RDP, PsExec, extortion | Gov, SMBs | State-linked, stealthy |
| Scattered Spider | MFA fatigue, social engineering | Telco, retail | US-based, identity-driven |
| Cl0p | File transfer tool exploits (MOVEit) | Finance, logistics | Mass extortion campaigns |

Final Thoughts

The FBI’s warning on Play ransomware is not something to skim past; it is a serious sign of how today’s threats are evolving. With over 900 confirmed victims and the advanced techniques Play employs, this is not just another ransomware campaign but a shift in how attackers operate.

To stay ahead, audit systems regularly, patch without delay, and prepare for the worst before it happens. When threats are faster, smarter, and more persistent, staying ready is the only way to stay secure.

About the Author
Ann-Anica Christian

Ann-Anica Christian is a seasoned Content Creator with 7+ years of expertise in SaaS, Digital eCommerce, and Cybersecurity. With a Master's in Electronics Science, she has a knack for breaking down complex security concepts into clear, user-friendly insights. Her expertise spans website security, SSL/TLS, Encryption, and IT infrastructure. Her work, featured on SSL2Buy’s Wiki and Cybersecurity sections, helps readers navigate the ever-evolving world of online security.
