Advisoryseverity: High2023-12-18
Joint CISA/FBI/ASD advisory AA23-352A on Play ransomware
published by CISA
Actor
Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…
Summary
FBI, CISA, and the Australian Cyber Security Centre published joint advisory AA23-352A on the Play (Playcrypt) ransomware group, documenting initial-access via FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082) bugs and the group's intermittent-encryption / double-extortion tradecraft. The advisory was updated on 4 June 2025 to note approximately 900 victims as of May 2025 and Play's exploitation of SimpleHelp CVE-2024-57727.
Tags
advisoryransomwareproxynotshellfortios
Primary source
cisa.govOther Play events
- 2025-06-04CISA documents Play ESXi variant and per-victim recompilation
- 2023-02-08City of Oakland ransomware attack claimed by Play
- 2023-01-23A10 Networks breached by Play ransomware affiliates
- 2022-12-23Arnold Clark customer data stolen in Play ransomware attack
- 2022-12-02Rackspace Hosted Exchange outage caused by Play ransomware