American and Australian cyber authorities update advisory outlining prominent ransomware operations’ tactics, techniques, and procedures.
In late 2023, the US Critical Infrastructure and Security Agency (CISA) and FBI, alongside the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), released a joint advisory outlining how the Play ransomware gang operates.
At the time, it was a comprehensive round-up of how the gang operated, the tools and techniques it used, and what network defenders needed to be on the lookout for.
However, comprehensive or not, nothing remains static in cyber security, and more has emerged about the Play operation in the last six months. The three authoring agencies recently released an updated advisory, so here’s what we’ve learnt since initial publication.
What’s new?
You can read more about the initial advisory here (and we recommend you do), but here we’ll focus only on what has been learnt since then, including, in some cases, findings from investigations carried out up to January 2025.
Since it was first observed, and as of May 2025, Play ransomware has impacted about 900 organisations around the world.
We also know a little bit more about how the gang makes initial contact with its victims.
“Each victim receives a unique @gmx.de or @web[.]de email for communications,” a 4 June update within the advisory said.
“A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom.”
Play has also been observed, alongside other actors and access brokers, taking advantage of a vulnerability in the remote management tool SimpleHelp. CVE-2024-57727 was disclosed in January 2025 and has allowed many actors to achieve remote code execution across multiple US entities.
The hackers also go through the trouble of recompiling their ransomware binary after every attack in order to provide a unique hash for each network incursion, making it harder for security software to detect any malicious activity. We also know that Play has an ESXi variant of its malware.
“The ESXi variant of Play ransomware invokes shell commands specific to the ESXi environment to conduct tasks, including powering off all running virtual machines (VMs), listing machine names, and setting the welcome message of the ESXi interface to the campaign-specific ransom note,” the advisory said.
“The ransomware binary supports command line arguments; however, if no command line arguments are passed, the malware powers off all VMs and encrypts files related to VMs using randomly generated per-file keys.”
This variant is also recompiled following each attack.
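The recompile-per-victim detail above (for both the Windows and ESXi variants) is worth pausing on, because it changes which indicators are useful. A hash-based IoC captures exactly one build, so every fresh compile starts at zero detections, whereas a content rule of the kind YARA expresses keys on strings and structure that survive a rebuild. The following Python is an added illustration written for this article, not code from the advisory or from any real sample: the two "binaries" are constructed byte blobs that stand in for two builds of one family, differing only in a build stamp, and the rule's patterns are made-up placeholders.

```python
"""Why per-incursion recompilation defeats hash IoCs but not content rules.

Added illustration: two constructed byte blobs stand in for two builds of the
same ransomware family. They differ only in a build-specific tail, so their
SHA-256 hashes differ, yet a content rule keyed on strings that survive
recompilation (a constructed ransom-note fragment and file extension) matches
both. Nothing here is derived from real malware.
"""
import hashlib

# Constructed sample "binaries": identical payload, different build stamp.
SHARED_BODY = (
    b"\x7fELF"                        # fake ELF magic, stands in for file structure
    + b"\x00" * 16
    + b"EXAMPLE_RANSOM_NOTE_FRAGMENT"  # constructed string that a rebuild keeps
    + b"\x00" * 8
    + b".example_locked"              # constructed encrypted-file extension
)
BUILD_A = SHARED_BODY + b"build-stamp:0001"  # build seen in the first incident
BUILD_B = SHARED_BODY + b"build-stamp:0002"  # recompiled build for the next victim
BENIGN = b"\x7fELF" + b"\x00" * 16 + b"hello world"  # unrelated file

# Hash-based IoC list as it would exist after the first incident only.
KNOWN_HASHES = {hashlib.sha256(BUILD_A).hexdigest()}

# Content rule in the spirit of a YARA "N of them" condition: fire when at
# least `min_hits` of the patterns are present. Patterns are placeholders.
CONTENT_RULE = {
    "name": "example_family_strings",
    "patterns": [b"EXAMPLE_RANSOM_NOTE_FRAGMENT", b".example_locked", b"\x7fELF"],
    "min_hits": 2,
}


def sha256_hex(blob: bytes) -> str:
    """Return the SHA-256 of a blob, the form most hash IoCs are shared in."""
    return hashlib.sha256(blob).hexdigest()


def hash_match(blob: bytes, known: set) -> bool:
    """True only if this exact build has been seen before."""
    return sha256_hex(blob) in known


def content_match(blob: bytes, rule: dict) -> bool:
    """True if enough of the rule's byte patterns occur in the blob."""
    hits = sum(1 for pattern in rule["patterns"] if pattern in blob)
    return hits >= rule["min_hits"]


def classify(blob: bytes) -> dict:
    """Report what each detection approach says about a blob."""
    return {
        "sha256": sha256_hex(blob),
        "hash_ioc": hash_match(blob, KNOWN_HASHES),
        "content_rule": content_match(blob, CONTENT_RULE),
    }


if __name__ == "__main__":
    for name, blob in (("BUILD_A", BUILD_A), ("BUILD_B", BUILD_B), ("BENIGN", BENIGN)):
        print(name, classify(blob))
```

Run as a script, the first build trips both detections, the recompiled build trips only the content rule, and the benign file trips neither, which is the practical argument for prioritising the YARA rules in the updated advisory over its hash list when tuning controls.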
You can read the full updated advisory here for a full list of updated Indicators of Compromise and YARA rules.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.