threatintel
actor tracker
Play
Advisoryseverity: High2023-12-18

Joint CISA/FBI/ASD advisory AA23-352A on Play ransomware

published by CISA
Actor
Play?? · UnknownRansomware

Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…

Summary

FBI, CISA, and the Australian Cyber Security Centre published joint advisory AA23-352A on the Play (Playcrypt) ransomware group, documenting initial-access via FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082) bugs and the group's intermittent-encryption / double-extortion tradecraft. The advisory was updated on 4 June 2025 to note approximately 900 victims as of May 2025 and Play's exploitation of SimpleHelp CVE-2024-57727.

Tags

advisoryransomwareproxynotshellfortios

Primary source

cisa.gov

Other Play events