Play
Report · severity: Medium · 2025-06-04

CISA documents Play ESXi variant and per-victim recompilation

published by CISA
Actor
Play · Unknown · Ransomware

Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…

Summary

The June 2025 update to AA23-352A formally documented Play's ESXi variant, which powers off running virtual machines and then encrypts VM-related files (.vmdk, .vmem, .vmsn, .vmx, .nvram, etc.) with AES-256. It also confirmed that the Windows binary is recompiled for every attack, so file hashes collected from one intrusion will not match the binary used in the next and hash-based detection alone is unreliable. Each victim now receives a unique @gmx.de or @web.de contact address.
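Because the ESXi variant targets a fixed set of VM file types and the actor's own extension is the one stable artifact across recompiled builds, a datastore listing can be triaged for scope without any hash IOC. The script below is an added example, not code from the advisory or from CISA: it walks a constructed list of datastore paths, treats any file whose name is one of the listed VM extensions plus an appended ".play" as encrypted, groups by VM directory, and labels each VM as encrypted, partial, or intact. It assumes the ESXi variant appends the same ".play" suffix as the Windows build (the tracker names that extension for Play generally, not for ESXi specifically); the sample listing is invented.

```python
"""Triage an ESXi datastore listing for Play-style encryption of VM files.

Added example (not from the CISA advisory). Assumes the ESXi variant appends
the same '.play' suffix the tracker describes for Play generally; the
datastore listing below is constructed, not real incident data.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# VM-related extensions the advisory lists for the ESXi variant.
VM_EXTENSIONS = {".vmdk", ".vmem", ".vmsn", ".vmx", ".nvram"}
ENCRYPTED_SUFFIX = ".play"  # assumption: same suffix on ESXi as on Windows


def classify_vm_files(paths):
    """Return {vm_dir: {"encrypted": [names], "intact": [names]}}.

    Files that are neither a VM-related type nor such a type with '.play'
    appended (logs, ISOs) are ignored so they do not skew the verdict.
    """
    vms = defaultdict(lambda: {"encrypted": [], "intact": []})
    for raw in paths:
        p = PurePosixPath(raw)
        vm_dir = str(p.parent)
        name = p.name
        if name.lower().endswith(ENCRYPTED_SUFFIX):
            original = name[: -len(ENCRYPTED_SUFFIX)]
            if PurePosixPath(original).suffix.lower() in VM_EXTENSIONS:
                vms[vm_dir]["encrypted"].append(name)
                continue
        if p.suffix.lower() in VM_EXTENSIONS:
            vms[vm_dir]["intact"].append(name)
    return dict(vms)


def summarize(paths):
    """Label each VM directory: (state, n_encrypted, n_intact).

    'partial' means some VM files carry the suffix and some do not, which
    is worth a closer look (interrupted run, or a file the variant skipped).
    """
    result = {}
    for vm_dir, files in classify_vm_files(paths).items():
        enc, ok = files["encrypted"], files["intact"]
        if enc and not ok:
            state = "encrypted"
        elif enc:
            state = "partial"
        else:
            state = "intact"
        result[vm_dir] = (state, len(enc), len(ok))
    return result


# Constructed sample listing (hypothetical datastore, not real data).
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01.vmx.play",
    "/vmfs/volumes/datastore1/web01/web01.vmdk.play",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.play",
    "/vmfs/volumes/datastore1/web01/web01.nvram.play",
    "/vmfs/volumes/datastore1/web01/vmware.log",
    "/vmfs/volumes/datastore1/db01/db01.vmx.play",
    "/vmfs/volumes/datastore1/db01/db01.vmdk",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk",
    "/vmfs/volumes/datastore1/db01/db01.vmem.play",
    "/vmfs/volumes/datastore1/backup01/backup01.vmx",
    "/vmfs/volumes/datastore1/backup01/backup01.vmdk",
    "/vmfs/volumes/datastore1/iso/ubuntu.iso",
]

if __name__ == "__main__":
    for vm, (state, n_enc, n_ok) in sorted(summarize(SAMPLE_LISTING).items()):
        print(f"{vm}: {state} ({n_enc} encrypted, {n_ok} intact)")
```

In a live case the list would come from a `find /vmfs/volumes -type f` run on the host once it is isolated; the point of keying on the suffix rather than on a binary hash is that the per-attack recompilation the advisory describes changes the hash but not what the malware does to the datastore.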

Tags

esxi · advisory-update · ttps

Primary source

ic3.gov
