
The FBI has confirmed that the Play ransomware gang has compromised approximately 900 organizations globally as of May 2025, a threefold increase from the 300 victims reported in October 2023 [1]. This surge highlights the group’s evolving tactics, including exploitation of Remote Monitoring and Management (RMM) tools and VMware ESXi environments. Critical infrastructure, government entities, and financial services remain primary targets, with notable attacks on Oakland, CA, and Toyota Financial Services [2].
Key Tactics and Technical Details
The Play ransomware group employs a dynamic malware compilation strategy, recompiling payloads for each attack to evade signature-based detection [1]. Recent campaigns exploit Fortinet vulnerabilities (CVE-2018-13379) and RMM tools (CVE-2024-57726–57728) for initial access. An ESXi-specific variant targets VMware files (.vmdk, .vmx), encrypting them with AES-256 [2]. Indicators of compromise (IOCs) include SHA-256 hashes for tools like HRsword.exe and the GRIXBA infostealer.
Notable incidents include the 2023 Oakland attack, where 600GB of sensitive government data was leaked, and the Toyota Financial Services breach, which resulted in an $8M ransom demand and data exposure on the Medusa dark web portal [2].
Mitigation Strategies
The FBI and CISA recommend prioritizing patch management for known vulnerabilities, particularly Fortinet and VMware ESXi flaws [1]. Network segmentation and multi-factor authentication (MFA) are critical to limiting lateral movement. Organizations should maintain offline, immutable backups and monitor for IOCs like HRsword.exe.
“Ghost ransomware moves from initial access to encryption in hours—patch faster.” — Roger Grimes, KnowBe4 [2]
Relevance to Security Professionals
For threat hunters, the Play gang’s use of recompiled malware necessitates behavioral analysis over static signatures. Blue teams should focus on detecting anomalous RMM tool usage and ESXi file modifications. The FBI’s advisory provides actionable IOCs, including C2 IPs and malware hashes [1].
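The three detection themes above (monitoring for named IOC tools such as HRsword.exe and GRIXBA, flagging RMM tool execution where it is not expected, and spotting bursts of ESXi .vmdk/.vmx modifications) can be combined in a single behavioral check. The script below is an added example written for this article, not code from the FBI/CISA advisory; the log line format, the host names, the RMM tool list, the allowlisted helpdesk host and the burst threshold are all constructed assumptions, and the sample log lines are constructed as well. Hashes are deliberately not embedded; they belong in the advisory, not in a demo.

```python
"""Added example: behavioral detection over constructed endpoint/ESXi log lines.
Flags (1) known Play-linked tool names, (2) RMM tools started on hosts outside
an allowlist, and (3) bursts of VMware .vmdk/.vmx modifications on one host.
Log format, hosts, RMM tool names and thresholds are assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Tool names cited in the article; compare on the lowercased file name only.
IOC_NAMES = {"hrsword.exe", "grixba"}

# Assumption: RMM binaries the organisation expects only on the helpdesk host.
RMM_TOOLS = {"simplehelp.exe", "anydesk.exe", "screenconnect.exe"}
RMM_ALLOWED_HOSTS = {"helpdesk-01"}

# Assumption: five VM file modifications within 60 s on one host is abnormal.
ESXI_EXTENSIONS = (".vmdk", ".vmx")
ESXI_BURST_THRESHOLD = 5
ESXI_BURST_WINDOW = timedelta(seconds=60)

# Constructed log format: "<iso-timestamp> host=<h> event=<e> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) path=(?P<path>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "event": m["event"],
        "path": m["path"],
    }


def base_name(path):
    """Last path component for either Windows or POSIX separators."""
    return path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return a list of (rule, host, detail) alerts for the given log lines."""
    alerts = []
    vm_writes = defaultdict(list)   # host -> timestamps of .vmdk/.vmx writes
    burst_alerted = set()           # hosts already reported for a burst
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # unparsable lines are skipped, not fatal
        name = base_name(rec["path"])
        host = rec["host"]
        if name in IOC_NAMES:
            alerts.append(("ioc_name", host, name))
        if (rec["event"] == "process_start" and name in RMM_TOOLS
                and host not in RMM_ALLOWED_HOSTS):
            alerts.append(("rmm_unexpected_host", host, name))
        if rec["event"] == "file_modify" and name.endswith(ESXI_EXTENSIONS):
            window = vm_writes[host]
            window.append(rec["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while window and rec["ts"] - window[0] > ESXI_BURST_WINDOW:
                window.pop(0)
            if len(window) >= ESXI_BURST_THRESHOLD and host not in burst_alerted:
                burst_alerted.add(host)
                secs = int(ESXI_BURST_WINDOW.total_seconds())
                alerts.append(("esxi_mass_modify", host,
                               f"{len(window)} vm files in {secs}s"))
    return alerts


# Constructed sample log: one IOC hit, one RMM tool on a workstation, one
# allowed RMM start on the helpdesk host, a five-file ESXi burst, one benign
# single VM write, and one malformed line.
SAMPLE_LOG = r"""
2025-05-01T10:00:00 host=ws-17 event=process_start path=C:\Users\jdoe\AppData\Local\Temp\HRsword.exe
2025-05-01T10:00:05 host=ws-17 event=process_start path=C:\ProgramData\anydesk.exe
2025-05-01T10:00:06 host=helpdesk-01 event=process_start path=C:\RMM\anydesk.exe
2025-05-01T10:01:00 host=esxi-02 event=file_modify path=/vmfs/volumes/ds1/db01/db01.vmdk
2025-05-01T10:01:02 host=esxi-02 event=file_modify path=/vmfs/volumes/ds1/db01/db01.vmx
2025-05-01T10:01:03 host=esxi-02 event=file_modify path=/vmfs/volumes/ds1/web01/web01.vmdk
2025-05-01T10:01:04 host=esxi-02 event=file_modify path=/vmfs/volumes/ds1/web01/web01.vmx
2025-05-01T10:01:05 host=esxi-02 event=file_modify path=/vmfs/volumes/ds1/ad01/ad01.vmdk
2025-05-01T10:30:00 host=esxi-03 event=file_modify path=/vmfs/volumes/ds1/dev01/dev01.vmdk
this line is not parseable
"""


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:20} {host:12} {detail}")
```

The name-match rule is the weakest of the three, since the article itself notes that Play recompiles payloads per attack; the RMM allowlist and the ESXi burst rule are the behavioral checks that survive a rename. On a real estate the window, threshold and allowlist should be tuned to the backup and vMotion activity the hypervisors normally generate.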
Conclusion
The Play ransomware group’s rapid expansion underscores the need for proactive defense measures. Organizations must adopt layered security strategies, including timely patching and robust backup protocols. Future advisories may reveal additional TTPs as the group continues to innovate.
References
- [1] CISA Advisory AA23-352A. (2023). Play Ransomware Tactics and IOCs.
- [2] Recorded Future. (2025). Play Ransomware: 2025 Threat Landscape.
- [3] FBI Press Release. (2021). Colonial Pipeline Ransomware Attack.
- [4] Picus Security. (2024). Pioneer Kitten’s Role in Ransomware.