Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

Joint Cybersecurity Advisory on Play Ransomware: Watch Out

Executive Summary

Recently, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint Cybersecurity Advisory regarding the Play ransomware.

The Play ransomware, which utilizes a double-extortion model, has affected approximately 300 entities worldwide since 2022.

To prevent the Play ransomware, CISA recommends taking the following actions today:

  • Give priority to addressing known exploited vulnerabilities.
  • Enable multifactor authentication (MFA) for all services, especially for webmail, VPN, and accounts that have access to critical systems.
  • Regularly update and patch software and applications.

For more information, please refer to the details below.

About Play Ransomware

Also known as Balloonfly and PlayCrypt, Play ransomware emerged in 2022. It is malicious software that encrypts data and demands ransoms for decryption. Play ransomware gets its name from the behaviour of adding the extension “.play” to encrypted files. The ransom note typically contains the single word “PLAY” and the email address of the ransomware group.

Instead of using phishing emails as initial infection vectors, the threat actors behind the ransomware are increasingly exploiting vulnerabilities. They have targeted security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812). They utilise a combination of public and customised tools.

Play ransomware has impacted various businesses and critical infrastructure organisations worldwide. It follows a double-extortion model by encrypting systems after exfiltrating data.

Furthermore, Play is evolving into a Ransomware-as-a-Service (RaaS) operation available to other threat actors.

Statistics indicate that Play ransomware targeted nearly 40 victims in November 2023 alone, ranking behind peers like LockBit and BlackCat (also known as ALPHV and Noberus).

CISA Recommendations

In response to the evolving nature of Play ransomware, CISA recommends the following mitigations:

  • Implement a recovery plan.
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards for developing and managing password policies.
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems, software, and firmware up to date.
  • Segment networks to prevent the spread of ransomware.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
  • Install, regularly update, and enable antivirus software on all hosts for real-time detection.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher.
  • Disable command-line and scripting activities and permissions.
  • Maintain offline backups of data and regularly maintain backup and restoration.
  • Ensure backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Closing Comments

The ransomware landscape is constantly evolving, as shown by recent developments. For instance, the BlackCat ransomware has quickly resurfaced following a recent law enforcement operation.

Nevertheless, ransomware will remain a significant challenge for organisations. It is crucial for organisations to remain vigilant, implement protection measures, and prepare for attacks.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.

Update Required Flash plugin