1. Forum
  2. FidoNet
  3. CONSPRCY

  • FBI warns Play ransomware

    From Mike Powell@1:2320/105 to All on Fri Jun 6 09:01:00 2025
    FBI warns Play ransomware hackers have hit nearly a thousand US firms

    Date:
    Thu, 05 Jun 2025 14:28:00 +0000

    Description:
    Play hackers have added phone calls to their extortion tactics, and are targeting more flaws.

    FULL STORY

    Play Ransomwares body count is almost hitting four digits, a new warning from top legal enforcement has revealed, urging businesses to stay on guard
    against attacks.

    In an updated security advisory, published by the FBI, CISA, and the
    Australian Signals Directorates Australian Cyber Security Centre (ASDs ACSC), it was said that Play and its affiliates exploited approximately 900
    entities.

    Play Ransomware, also known as Playcrypt, is an infamous ransomware operator. It is known for using the atypical triple-extortion method in which, besides encrypting and exfiltrating files, it also calls its victims on the phone to convince them to pay up.

    SimpleHelp flaws targeted

    The security agencies security advisory has been updated to reflect changes Play and its affiliates made in recent times. For example, it was said that
    the victims get a unique @gmx.de, or @web.de email address, through which theyre invited to communicate with the attackers.

    Furthermore, the group seems to have added new vulnerabilities to the ones
    they were already targeting. Besides FortiOS (CVE-2018-13379, and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082) bugs, they are now exploiting CVE-2024-57727 in remote monitoring and management (RMM) tool SimpleHelp, which theyre using for
    remote code execution (RCE) capabilities.

    This vulnerability was first spotted in mid-January 2025, and has been exploited since.

    To make things even worse, the agencies are saying that the Play ransomware binary is recompiled for every attack, which means it gets a new, unique
    hash, for each deployment. This complicates anti-malware and antivirus
    program detection.

    Play was first spotted around 2020, and in the past, was known for targeting Windows-powered devices, but in late July 2024, security researchers saw a Linux variant targeting VMWare ESXi environments.

    In a technical breakdown, Trend Micros Threat Hunting team said at the time that it was the first time Play was seen targeting ESXi environments, and it could be that the criminals are broadening their attacks across the Linux platform.

    Via The Register

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/fbi-warns-play-ransomware-hackers-have- hit-nearly-a-thousand-us-firms

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)