![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![[DEALS] FileJump 2TB Cloud Storage: Lifetime Subscription (85% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![From electrical engineering student to CTO with Hitesh Choudhary [Podcast #175]](https://cdn.hashnode.com/res/hashnode/image/upload/v1749158756824/3996a2ad-53e5-4a8f-ab97-2c77a6f66ba3.png?#)
![Apple Shares Official Trailer for 'The Wild Ones' [Video]](https://www.iclarified.com/images/news/97515/97515/97515-640.jpg)
Play Ransomware Hacked 900 Organizations, CISA Released TTPs & IOCs
Federal authorities have revealed that the notorious Play ransomware group has successfully breached approximately 900 organizations worldwide as of May 2025, marking a dramatic escalation in cybercriminal activity that has prompted an urgent security advisory from multiple government agencies. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s […] The post Play Ransomware Hacked 900 Organizations, CISA Released TTPs & IOCs appeared first on Cyber Security News.
Federal authorities have revealed that the notorious Play ransomware group has successfully breached approximately 900 organizations worldwide as of May 2025, marking a dramatic escalation in cybercriminal activity that has prompted an urgent security advisory from multiple government agencies.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre released an updated joint advisory on June 4, 2025, providing critical tactics, techniques, and procedures (TTPs) along with indicators of compromise (IOCs) to help organizations defend against this increasingly sophisticated threat.
The scale of Play’s impact represents a significant jump from previous estimates, with the ransomware group becoming one of the most active criminal organizations in 20241. Since its initial emergence in June 2022, Play ransomware, also known as Playcrypt, has targeted businesses and critical infrastructure across North America, South America, and Europe.
Evolving Attack Methods
What makes Play particularly dangerous is their constantly evolving methodology. The group recompiles their ransomware binary for every attack, creating unique file hashes that complicate detection by traditional antivirus and anti-malware systems.
This sophisticated approach extends to both Windows and ESXi environments, with specialized variants designed for different target systems.
Recent intelligence reveals that Play operators have expanded their initial access techniques to exploit vulnerabilities in SimpleHelp, a remote monitoring and management tool.
Multiple ransomware groups, including initial access brokers with ties to Play, exploited three vulnerabilities (CVE-2024-57727) in this tool to conduct remote code execution attacks against U.S.-based entities following the disclosure of the vulnerabilities on January 16, 2025.
Beyond technical sophistication, Play has introduced psychological manipulation into their operations. Each victim receives a unique communication email ending in @gmx.de or @web.de domains, while some targets are subjected to threatening phone calls designed to pressure payment.
These calls can be routed to various organizational phone numbers, including help desks and customer service representatives, creating additional stress and urgency.
The group employs a double extortion model, first exfiltrating sensitive data before encrypting systems and threatening to publish stolen information on their dark web leak site if ransom demands are not met. Notable recent victims include doughnut chain Krispy Kreme and semiconductor supplier Microchip Technologies.
Tool Name Description Usage Context AdFind Queries and retrieves Active Directory information Network discovery and reconnaissance Bloodhound Maps Active Directory relationships and attack paths Network enumeration and privilege escalation GMER Rootkit detection/removal tool repurposed to disable antivirus software Defense evasion by terminating security processes IOBit Legitimate anti-malware program used to disable endpoint protection Disabling antivirus solutions PsExec Microsoft Sysinternals tool for remote command execution Lateral movement and payload deployment PowerTool System optimization utility used to modify registry settings and delete logs Disabling security controls and erasing forensic evidence PowerShell Scripting framework leveraged for command execution and Microsoft Defender manipulation Bypassing security policies and automating attacks Cobalt Strike Penetration testing suite used for C2 communication and lateral movement Beaconing, payload staging, and privilege escalation Mimikatz Credential dumping tool to extract Kerberos tickets and plaintext passwords Privilege escalation and domain compromise WinPEAS Windows privilege escalation script for identifying misconfigurations Vulnerability discovery and lateral movement WinRAR Archive utility used to compress exfiltrated data into password-protected RAR files Data exfiltration and staging for double extortion WinSCP Secure file transfer client used to move stolen data to attacker-controlled servers Exfiltration via encrypted channels SystemBC Malware-as-a-Service (MaaS) tool providing SOCKS5 proxy and remote access capabilities Command and control (C2) infrastructure Grixba Custom .NET-based infostealer that enumerates network assets and security software Reconnaissance and anti-forensics Plink SSH tunnel creator for persistent access to compromised networks Maintaining backdoor access Process Hacker Task manager alternative used to analyze and terminate running processes Disabling security services and analyzing system activity Nekto/PriviCMD Privilege escalation toolkit exploiting Windows security flaws Gaining SYSTEM-level permissions Microsoft Nltest Native Windows tool for domain controller discovery Network mapping and domain enumeration
In response to this escalating threat, security agencies are urging organizations to implement several critical defenses. Priority actions include enabling multifactor authentication for all services, particularly webmail, VPN, and accounts accessing critical systems.
Organizations should also prioritize patching known exploited vulnerabilities and maintain offline, encrypted backup systems.
The advisory emphasizes the importance of regular vulnerability assessments and keeping all software, applications, and firmware updated to their latest versions. Network defenders are also encouraged to implement the provided IOCs and YARA rules to enhance threat detection capabilities.
This unprecedented scale of ransomware activity underscores the critical need for proactive cybersecurity measures as criminal organizations continue to refine their techniques and expand their global reach.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
The post Play Ransomware Hacked 900 Organizations, CISA Released TTPs & IOCs appeared first on Cyber Security News.
