FBI: Play ransomware breached 300 victims, including critical orgs

The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities.

The warning comes as a joint advisory issued in partnership with CISA and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC).

"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe," the three government agencies cautioned today.

"As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors."

The Play ransomware operation surfaced in June 2022, after the first victims reached out for help in BleepingComputer's forums.

In contrast to typical ransomware operations, Play ransomware affiliates opt for email communication as their negotiation channel and will not provide victims a Tor negotiations page link in ransom notes left on compromised systems.

Nevertheless, before deploying ransomware, they will steal sensitive documents from compromised systems, which they use to pressure victims into paying ransom demands under the threat of leaking the stolen data online.

The gang is also using a custom VSS Copying Tool helps steal files from shadow volume copies even when those files are in use by applications.

Recent high-profile Play ransomware victims include the City of Oakland in California, car retailer giant Arnold Clark, cloud computing company Rackspace, and the Belgian city of Antwerp.

In guidance issued today by the FBI, CISA, and ASD's ACSC, organizations are urged to prioritize addressing known vulnerabilities that have been exploited to reduce their likelihood of being used in Play ransomware attacks.

Network defenders are also strongly advised to implement multifactor authentication (MFA) across all services, focusing on webmail, VPN, and accounts with access to critical systems.

Additionally, regular updating and patching of software and applications to their most recent versions and routine vulnerability assessments should be part of all organizations' standard security practices.

The three government agencies also advise security teams to implement the mitigation measures shared with today's joint advisory.

"The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents," agencies said.

"This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date."