Play ransomware attacks have hit roughly 900 organizations and recently involved the exploitation of SimpleHelp vulnerabilities.
June 5, 2025 By Ionut Arghire
The Play ransomware gang has made roughly 900 victims over the past three years, according to an updated advisory from the US and Australian governments.
Active since June 2022 and also known as Playcrypt, Play is believed to be a closed group, engaging in double-extortion tactics that include exfiltrating victims’ data and leveraging it for extortion, in addition to encrypting systems.
In December 2023, the US cybersecurity agency CISA, the FBI, and the Australian Cyber Security Centre (ACSC) released an advisory on the tactics, techniques, and procedures (TTPs) observed in Play ransomware attacks, saying the group had made roughly 300 victims by October 2023.
On Wednesday, the government agencies updated the advisory to add TTPs seen in fresh attacks, noting that the group had become one of the most active ransomware gangs in 2024.
