Updated Guidance on Play Ransomware

By Staff

The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt.

This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection.

Since June 2022, Playcrypt has targeted critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025. Recommended mitigations include:

  • Implementing multifactor authentication.
  • Maintaining offline data backups.
  • Developing and testing a recovery plan.
  • Keeping all operating systems, software, and firmware updated.

The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions. Rather, victims are instructed to contact the threat actors via email. 
