The Play ransomware, a threat actor that emerged roughly a year and a half ago, has so far claimed some 300 victims, some of which are critical infrastructure organizations, a new joint advisory published by the FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre has claimed.
“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” the advisory reads. “As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.”
While Play ransomware does the same things as other operators – steals and encrypts sensitive data – it does have a few unique features, BleepingComputer reports. For example, it will not communicate with its victims via Tor, but rather via email. Furthermore, it uses a custom VSS Copying Tool, which helps grab files found in shadow volumes, even if they’re being used by applications at the time of encryption.
Among the existing known victims are the City of Oakland in California, the city of Antwerp in Belgium, and cloud computing giant Rackspace.
The joint advisory also urges organizations to keep their endpoints secure by following security best practices. Those include keeping all software and hardware up to date, and making sure all urgent security patches, which usually address known and abused vulnerabilities, are applied as soon as possible.
Furthermore, companies are urged to keep their passwords fresh and strong, and deploy multi-factor authentication (MFA) wherever possible.
Finally, companies are advised to educate their employees on the dangers of phishing and social engineering. After all, most cyberattacks start with a seemingly benign email, or an instant message on one of the most popular networks today (LinkedIn, X, and others), which deliver malware that grants attackers access to the system.