This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. |
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023. |
Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors. |
In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023. |
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. The Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; however, victims are instructed to contact the threat actors via email. |
The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of ransomware incidents. Recommendations include requiring multi-factor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date. |