FBI: Play gang has attacked 300 organizations since 2022
Play, the ransomware gang behind several large-scale attacks on major American cities, has allegedly launched more than 300 successful attacks against various organizations since June 2022, US and Australian cybersecurity officials say.

The Federal Bureau of Investigation (FBI) joined forces with the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre to publish an advisory about the Play ransomware gang late on Monday.

The Play gang is thought to have debuted last year and has launched multiple attacks on targets since then. It was first spotted being deployed against South American government agencies around the middle of last year but pivoted months later to target entities in the US and Europe.

This year alone, the group attacked US cities like Oakland, California; Lowell, Massachusetts; and Dallas, Texas, causing widespread disruption and days of dealing with encrypted devices and troves of stolen citizen data.

The US and Australian agencies said in the advisory that Play has attacked “a wide range of businesses and critical infrastructure in North America, South America, and Europe” over the last year and a half.

The FBI said it was aware of about 300 “affected entities,” including those within critical infrastructure sectors, as of October.

The gang usually gains initial access through stolen account credentials and exploitation of public-facing applications, targeting known vulnerabilities in widely used products such as the FortiOS flaws CVE-2018-13379 and CVE-2020-12812, as well as the ProxyNotShell vulnerabilities in Microsoft tools.

“Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia,” the statement said.

Ransom notes do not include an initial ransom demand or payment instructions. Rather, victims are instructed to contact the threat actors via email, CISA added. Confidentiality seems to be important to the “closed group,” designed to “guarantee the secrecy of deals.”

Howard Goodman, technical director at Skybox Security, a US cybersecurity firm, said the disclosure meant that an innovative approach to cybersecurity was “more urgent than ever.”

“The concept of continuous exposure management emerges as a particularly promising solution in this context. It offers the potential for substantial enhancements in terms of performance, efficiency, and risk mitigation, making it a pivotal strategy in the modern cybersecurity landscape,” said Goodman.