#StopRansomware: Play Ransomware | CISA
Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

Note: This advisory was originally published December 18, 2023. Content added in the June 4, 2025 update is marked below between "Update June 4, 2025" and "End Update".

Summary

Update June 4, 2025

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint advisory to disseminate the Play ransomware group's IOCs and TTPs identified through FBI investigations as recently as January 2025.

End Update

Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was among the most active ransomware groups in 2024.

Organizations should take the actions described at the end of this Summary, and in the Mitigations section, today to mitigate cyber threats from Play ransomware.

Update June 4, 2025

As of May 2025, FBI was aware of approximately 900 affected entities allegedly exploited by the ransomware actors.

End Update

In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.

The Play ransomware group is presumed to be a closed group, "designed to guarantee the secrecy of deals," according to a statement on the group's data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.

Update June 4, 2025

Each victim receives a unique @gmx.de or @web.de email address for communications. A portion of victims are contacted via telephone, threatened with the release of the stolen data, and encouraged to pay the ransom.

End Update

FBI, CISA, and ASD's ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.

A PDF version of this report, a downloadable copy of the current IOCs, and a downloadable copy of the historic IOCs are linked from the original advisory.

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.

Technical Details

Initial Access

The Play ransomware group gains initial access to victim networks through the abuse of valid accounts, likely purchased on the dark web [T1078], and exploitation of public-facing applications [T1190], specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) vulnerabilities. Play ransomware actors have been observed using external-facing services [T1133] such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN) for initial access.

Update June 4, 2025

Multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, exploited CVE-2024-57727 in the remote monitoring and management (RMM) tool SimpleHelp [T1190] to conduct remote code execution [T1059.001] at many US-based entities following the vulnerability's disclosure on 16 January 2025.

End Update

Discovery and Defense Evasion

Play ransomware actors use tools like AdFind to run Active Directory queries [TA0007] and Grixba,[1] an information-stealer, to enumerate network information [T1016] and scan for antivirus software [T1518.001]. Actors also use tools like GMER, IOBit, and PowerTool to disable antivirus software [T1562.001] and remove log files [T1070.001]. In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender.[2]

Lateral Movement and Execution

Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec to assist with lateral movement and file execution. Once established on a network, the ransomware actors search for unsecured credentials [T1552] and use the Mimikatz credential dumper to gain domain administrator access [T1003]. According to open source reporting,[3] to further enumerate vulnerabilities, Play ransomware actors use Windows Privilege Escalation Awesome Scripts (WinPEAS) [T1059] to search for additional privilege escalation paths. Actors then distribute executables [T1570] via Group Policy Objects [T1484.001].

Update June 4, 2025

The Play ransomware binary is recompiled for every attack, resulting in unique hashes for each deployment and complicating anti-malware and antivirus detection of the ransomware [T1027].

End Update

Because each deployment carries a fresh hash, the file hashes in Table 2 identify only the deployments in which they were observed; defenders should pair them with the behavioral indicators (tool names, drop paths, ransom note names, email domains) and the YARA and Suricata rules in this advisory rather than relying on hash matching alone.

Exfiltration and Encryption

Play ransomware actors often split compromised data into segments and use tools like WinRAR to compress files [T1560.001] into .RAR format for exfiltration. The actors then use WinSCP to transfer data [T1048] from a compromised network to actor-controlled accounts. Following exfiltration, files are encrypted [T1486] with AES-RSA hybrid encryption using intermittent encryption, encrypting every other file portion of 0x100000 bytes.[4] (Note: System files are skipped during the encryption process.) A .PLAY extension is added to file names once encrypted. Within the Windows environment, tools and a ransom note titled ReadMe.txt are placed in C:\Users\Public\Music.

Impact

Update June 4, 2025

The Play ransomware group uses a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx.de or @web.de. Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network (.onion URL).

Play ransomware targets regularly receive phone calls from threat actors encouraging payment and threatening the release of company information. These calls can be routed to a variety of phone numbers within the organization, including those discovered in open source, such as help desks or customer service representatives.

The ESXi variant of Play ransomware invokes shell commands specific to the ESXi environment to conduct tasks including powering off all running virtual machines (VMs), listing machine names, and setting the welcome message of the ESXi interface to the campaign-specific ransom note. The ransomware binary supports command line arguments; however, if no command line arguments are passed, the malware powers off all VMs and encrypts files related to VMs using randomly generated per-file keys. The targeted file extensions include .vmdk, .vmem, .vmsd, .vmsn, .vmx, .vmxf, .vswp, .vmss, .nvram, .vmtx, and .log. The ransomware binary employs AES-256 as its encryption algorithm. The binary creates a copy of the ransom note titled PLAY_Readme.txt in the root directory and in the path /vmfs/volumes, and also places it in the welcome message of the ESXi interface.

Like the Windows variant of Play ransomware, the ESXi variant must be recompiled for each campaign. Through command line flags, the binary supports additional functionality likely used for development and debugging, including exempting specific VMs from encryption, targeting only one file for encryption, or skipping the file extension check and attempting to encrypt all files. See the Detection Methods section for YARA rules.

End Update

Indicators of Compromise

Table 1 lists legitimate tools Play ransomware actors have repurposed for their operations. The legitimate tools listed in this product are all publicly available. Use of these tools and applications should not be attributed as malicious without analytical evidence to support that they are used at the direction of, or controlled by, threat actors.

Update June 4, 2025

See Table 2 for Play ransomware IOCs obtained from FBI investigations as of January 2025.

Table 2: Play Ransomware IOCs (FBI investigations, as of January 2025)

File name | Description | SHA-256
SVCHost.dll | Backdoor | 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A
 | | 453257C3494ADDAFB39CB6815862403E827947A1E7737EB8168CD10522465DEB
 | | C59F3C8D61D940B56436C14BC148C1FE98862921B8F7BAD97FBC96B31D71193C
GRIXBA (Gtnet.exe) | Custom data gathering tool |
PSexesvc.exe | Custom Play psexesvc |
HRsword.exe | Disables endpoint protection |
Usysdiag.exe | Associated with HRsword; changes settings of system certificates |
Hi.exe | Associated with ransomware | 7A42F96599DF8090CF89D6E3CE4316D24C6C00E499C8557A2E09D61C00C11986
 | | 7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA
SHA-256 | Hash of public ECDSA key |
SHA-256 | Hash of public ED25519 key for WinSCP server |
SHA-256 | Hash of public ED25519 key for WinSCP server |
SHA-256 | Hash of public ED25519 key for WinSCP server |

End Update

MITRE ATT&CK Tactics and Techniques

See Table 3 through Table 11 for all referenced threat actor tactics and techniques in this advisory.

Update June 4, 2025

Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | Play ransomware actors leveraged PowerShell commands to achieve RCE with a newly disclosed vulnerability.

End Update

Detection Methods

Update June 4, 2025

Below is a copy of YARA rules related to the ESXi variant.

```yara
rule PlayForESXi
{
    meta:
        description = "Detects PLAY ransomware targeting ESXi Hypervisors"
        date = "2025-01"
        filetype = "elf"
        maltype = "ransomware"

    strings:
        $encrypt_str = "encrypt"
        $first_step_str = "First step is done"
        $vmfs_path_str = "/vmfs/volumes"
        $PLAY_ext_str = ".PLAY" fullword
        $stop_list_mode_str = "stop list mode"
        $hosts_in_exclusion_str = "hosts in exclusion"
        $error_in_stop_list_str = "Error check stop list file exit"
        $complete_str = "Complete"
        $dev_urandom_path_str = "/dev/urandom"
        $targeted_ext_vmdk = ".vmdk" fullword
        $targeted_ext_vmem = ".vmem" fullword
        $targeted_ext_vmsd = ".vmsd" fullword
        $targeted_ext_vmsn = ".vmsn" fullword
        $targeted_ext_vmx = ".vmx" fullword
        $targeted_ext_vmxf = ".vmxf" fullword
        $targeted_ext_vswp = ".vswp" fullword
        $targeted_ext_vmss = ".vmss" fullword
        $targeted_ext_nvram = ".nvram" fullword
        $targeted_ext_vmtx = ".vmtx" fullword
        $targeted_ext_log = ".log" fullword
        $vim_cmd_power_off_vms_str = "vim-cmd vmsvc/power.off"
        $get_storage_shell_cmd_str = "esxcli storage filesystem list > storage"
        $get_machines_shell_cmd_str = "vim-cmd vmsvc/getallvms > machines"

    condition:
        all of them
}
```

Below are copies of YARA and Suricata rules related to Play's custom data gathering tool, Grixba.

```yara
rule GRXBA
{
    meta:
        description = "Detects the infostealer GRXBA version 1130"
        date = "2025-01"
        filetype = "pe"
        maltype = "infostealer"

    strings:
        $GRB_NET_hex = { 47 52 42 5F 4E 45 54 }
        $GRB_NET_exe_hex = { 47 52 42 5F 4E 45 54 2E 65 78 65 00 }
        $Copyright_Zabbix_2023_hex = { 43 6F 70 79 72 69 67 68 74 20 5A 61 62 62 69 78 20 32 30 32 33 00 }
        $GRB_NT_hex = { 47 52 42 5F 4E 54 00 }
        $help_string1_hex = { 48 65 6C 70 54 65 78 74 2B 46 69 6C 65 2E 74 78 74 2F 31 32 37 2E 30 2E 30 2E 31 2D 31 32 37 2E 30 2E 30 2E 32 35 35 2F 31 32 37 2E 30 2E 30 2E 31 2D 32 34 }
        $help_string2_hex = { 48 65 6C 70 54 65 78 74 5E 44 6F 6D 61 69 6E 20 6E 61 6D 65 20 66 6F 72 20 55 73 65 72 73 20 61 6E 64 20 43 6F 6D 70 75 74 65 72 73 20 67 61 74 68 65 72 69 6E 67 2E 20 49 66 20 6E 6F 74 20 73 65 74 20 77 69 6C 6C 20 62 65 20 75 73 65 64 20 64 6F 6D 61 69 6E 20 6F 66 20 63 75 72 72 65 6E 74 20 75 73 65 72 }
        $help_string3_hex = { 48 65 6C 70 54 65 78 74 62 47 52 42 20 6D 6F 64 65 2E 20 73 63 61 6E 2F 73 63 61 6E 61 6C 6C 2F 63 6C 72 2E 20 73 63 61 6E 20 2D 20 6E 65 74 77 6F 72 6B 20 73 63 61 6E 6E 65 72 2E 20 73 63 61 6E 61 6C 6C 20 2D 20 67 72 61 62 20 61 6C 6C 2E 20 20 63 6C 72 20 2D 20 65 76 65 6E 74 20 6C 6F 67 73 20 63 6C 65 61 6E 65 72 }
        $help_string4_hex = { 48 65 6C 70 54 65 78 74 3A 49 6E 70 75 74 3A 20 66 2F 72 2F 73 2E 20 66 20 2D 20 66 69 6C 65 2C 20 72 20 2D 20 72 61 6E 67 65 2C 20 73 20 2D 20 73 75 62 6E 65 74 2C 20 64 20 2D 20 64 6F 6D 61 69 6E }

    condition:
        all of them
}
```

Suricata rules. Each content pattern is a UTF-16LE Windows path (browser history and profile directories) as it appears in SMB requests; the nine path rules set a flowbit silently, sid 1900011 alerts once all nine bits are set on a flow, and sid 1900012 clears them.

```suricata
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 65 00 62 00 43 00 61 00 63 00 68 00 65 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path1.detected; sid:1900002; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69 00 6e 00 67 00 5c 00 4d 00 6f 00 6f 00 6e 00 63 00 68 00 69 00 6c 00 64 00 20 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 69 00 6f 00 6e 00 73 00 5c 00 50 00 61 00 6c 00 65 00 20 00 4d 00 6f 00 6f 00 6e 00 5c 00 50 00 72 00 6f 00 66 00 69 00 6c 00 65 00 73 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path2.detected; sid:1900003; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69 00 6e 00 67 00 5c 00 43 00 6f 00 6d 00 6f 00 64 00 6f 00 5c 00 49 00 63 00 65 00 44 00 72 00 61 00 67 00 6f 00 6e 00 5c 00 50 00 72 00 6f 00 66 00 69 00 6c 00 65 00 73 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path3.detected; sid:1900004; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 54 00 65 00 6e 00 63 00 65 00 6e 00 74 00 5c 00 51 00 51 00 42 00 72 00 6f 00 77 00 73 00 65 00 72 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path4.detected; sid:1900005; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 56 00 69 00 76 00 61 00 6c 00 64 00 69 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path5.detected; sid:1900006; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 43 00 6f 00 63 00 43 00 6f 00 63 00 5c 00 42 00 72 00 6f 00 77 00 73 00 65 00 72 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path6.detected; sid:1900007; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 53 00 6f 00 67 00 6f 00 75 00 45 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 5c 00 57 00 65 00 62 00 6b 00 69 00 74 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path7.detected; sid:1900008; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 56 00 69 00 76 00 61 00 6c 00 64 00 69 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path8.detected; sid:1900009; rev:1;)
alert smb any any -> any any (noalert; content:"|55 00 73 00 65 00 72 00 73 00 5c 00 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 20 00 55 00 73 00 65 00 72 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69 00 6e 00 67 00 5c 00 4f 00 70 00 65 00 72 00 61 00 20 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 65 00 5c 00 4f 00 70 00 65 00 72 00 61 00 20 00 53 00 74 00 61 00 62 00 6c 00 65 00|"; flow:to_server; flowbits:set,GRXBA.webhist.path9.detected; sid:1900010; rev:1;)
alert smb any any -> any any (msg:"GRIXBA web history scanning detected, potential indicator of imminent PLAY Ransomware attack"; flowbits:isset,GRXBA.webhist.path1.detected; flowbits:isset,GRXBA.webhist.path2.detected; flowbits:isset,GRXBA.webhist.path3.detected; flowbits:isset,GRXBA.webhist.path4.detected; flowbits:isset,GRXBA.webhist.path5.detected; flowbits:isset,GRXBA.webhist.path6.detected; flowbits:isset,GRXBA.webhist.path7.detected; flowbits:isset,GRXBA.webhist.path8.detected; flowbits:isset,GRXBA.webhist.path9.detected; flowbits:set,GRXBA.hit.found; classtype:attempted-recon; sid:1900011; rev:1;)
alert smb any any -> any any (noalert; flowbits:isset,GRXBA.hit.found; flowbits:unset,GRXBA.webhist.path1.detected; flowbits:unset,GRXBA.webhist.path2.detected; flowbits:unset,GRXBA.webhist.path3.detected; flowbits:unset,GRXBA.webhist.path4.detected; flowbits:unset,GRXBA.webhist.path5.detected; flowbits:unset,GRXBA.webhist.path6.detected; flowbits:unset,GRXBA.webhist.path7.detected; flowbits:unset,GRXBA.webhist.path8.detected; flowbits:unset,GRXBA.webhist.path9.detected; sid:1900012; rev:1;)
```

End Update

Mitigations

FBI, CISA, and ASD's ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. FBI, CISA, and ASD's ACSC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to limit the impact of ransomware techniques, such as threat actors leveraging backdoor vulnerabilities into remote software systems, thus strengthening the security posture for their customers.

For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

Validate Security Controls

In addition to applying mitigations, FBI, CISA, and ASD's ACSC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and ASD's ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

FBI, CISA, and ASD's ACSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Reporting

FBI, CISA, and ASD's ACSC do not encourage paying a ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, FBI's Internet Crime Complaint Center (IC3), or CISA via CISA's 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD's ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report to cyber.gov.au.

Disclaimer

The information in this report is being provided "as is" for informational purposes only. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA or FBI.

References

[1] Threat Hunter Team, "Play Ransomware Group Using New Custom Data-Gathering Tools," Symantec Enterprise Blogs, Symantec, April 19, 2023, https://www.security.com/threat-intelligence/play-ransomware-volume-shadow-copy
[2] Trend Micro Research, "Play," Trend Micro, July 21, 2023, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play
[3] Trend Micro Research, "Play."
[4] Aleksandar Milenkoski, "Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection," SentinelLabs, September 8, 2022, https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/
[5] See also "Protect Yourself: Multi-Factor Authentication," Cyber.gov.au.
[6] See also "Patching Applications and Operating Systems," Cyber.gov.au.
[7] See also "Implementing Network Segmentation and Segregation," Cyber.gov.au.
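Worked example: fingerprinting the intermittent-encryption scheme described in the Exfiltration and Encryption section. This is an added example written for this page, not code from the advisory or from the Play binary. Play uses AES/RSA hybrid encryption; here os.urandom output stands in for ciphertext because the triage logic depends only on the entropy profile of each 0x100000-byte chunk, not on the cipher. The assumption that chunk 0 is the first encrypted chunk is mine (the advisory says only "every other" chunk), and the sample file is constructed.

```python
"""Triage helper: does a file show Play-style intermittent encryption?

Added example, not advisory code. os.urandom models AES output; the first
chunk being encrypted is an assumption not stated in the advisory.
"""
import math
import os
from collections import Counter

CHUNK_SIZE = 0x100000          # chunk granularity named in the advisory
ENCRYPTED_ENTROPY_FLOOR = 7.9  # bits/byte: ciphertext is ~8.0, text ~4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunks(data: bytes, size: int = CHUNK_SIZE):
    """Yield consecutive chunks; the last one may be shorter than size."""
    for off in range(0, len(data), size):
        yield data[off:off + size]


def intermittent_encrypt(plain: bytes, size: int = CHUNK_SIZE) -> bytes:
    """Model of the scheme: every other chunk is replaced by ciphertext.

    Assumption: chunk 0 is encrypted. A trailing partial chunk is treated
    like any other chunk. Random bytes stand in for AES ciphertext.
    """
    out = bytearray()
    for i, chunk in enumerate(chunks(plain, size)):
        out += os.urandom(len(chunk)) if i % 2 == 0 else chunk
    return bytes(out)


def encryption_pattern(data: bytes, size: int = CHUNK_SIZE) -> list:
    """True for each chunk whose entropy looks like ciphertext."""
    return [shannon_entropy(c) >= ENCRYPTED_ENTROPY_FLOOR for c in chunks(data, size)]


def looks_intermittent(pattern: list) -> bool:
    """Alternating ciphertext/plaintext chunks, with at least one of each."""
    if len(pattern) < 2 or not any(pattern) or all(pattern):
        return False
    return all(pattern[i] != pattern[i + 1] for i in range(len(pattern) - 1))


def recoverable_plaintext_bytes(data: bytes, size: int = CHUNK_SIZE) -> int:
    """Bytes left unencrypted by the scheme (what a responder can still read)."""
    return sum(len(c) for c, enc in zip(chunks(data, size), encryption_pattern(data, size))
               if not enc)


# Constructed sample: 3.5 chunks of low-entropy text, so the last chunk is partial.
_LINE = b"Q3 financial summary, internal use only.\n"
SAMPLE_PLAINTEXT = (_LINE * (CHUNK_SIZE * 4 // len(_LINE) + 1))[:CHUNK_SIZE * 3 + CHUNK_SIZE // 2]
SAMPLE_ENCRYPTED = intermittent_encrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    pat = encryption_pattern(SAMPLE_ENCRYPTED)
    print("chunk pattern (True = ciphertext):", pat)
    print("intermittent:", looks_intermittent(pat))
    print("plaintext bytes recoverable:", recoverable_plaintext_bytes(SAMPLE_ENCRYPTED))
```

The per-chunk pattern is the useful artifact: it tells a responder that roughly half of each encrypted file is still readable plaintext (relevant to both data-loss assessment and to carving exfiltrated-data evidence), and the alternating signature distinguishes this scheme from full-file encryption without needing the binary or its keys.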
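Worked example for the Grixba Suricata rules in the Detection Methods section. This is an added example, not part of the advisory. It decodes the |hex| content patterns (UTF-16LE Windows paths as they travel inside SMB requests) so a defender can see which browser history and profile directories the rules watch, and it replays the flowbits logic: each path rule sets one bit on the flow, sid 1900011 fires once every bit is set, and sid 1900012 clears them. Four of the nine content patterns are embedded, copied from the rules above; the other five follow the same shape. The SMB payload builder and its share name are constructed for the demo, and the model ignores the flow:to_server direction check and Suricata's SMB parsing, reproducing only the content and flowbits logic.

```python
"""Decode and exercise the GRXBA Suricata rules. Added example, not advisory code."""
import re

# sid -> content pattern, copied verbatim from four of the rules on the page.
RULE_CONTENT = {
    1900002: "|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00 57 00 65 00 62 00 43 00 61 00 63 00 68 00 65 00|",
    1900004: "|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 52 00 6f 00 61 00 6d 00 69 00 6e 00 67 00 5c 00 43 00 6f 00 6d 00 6f 00 64 00 6f 00 5c 00 49 00 63 00 65 00 44 00 72 00 61 00 67 00 6f 00 6e 00 5c 00 50 00 72 00 6f 00 66 00 69 00 6c 00 65 00 73 00|",
    1900006: "|55 00 73 00 65 00 72 00 73 00 5c 00 41 00 6c 00 6c 00 20 00 55 00 73 00 65 00 72 00 73 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 56 00 69 00 76 00 61 00 6c 00 64 00 69 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|",
    1900009: "|55 00 73 00 65 00 72 00 73 00 5c 00 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 5c 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5c 00 4c 00 6f 00 63 00 61 00 6c 00 5c 00 56 00 69 00 76 00 61 00 6c 00 64 00 69 00 5c 00 55 00 73 00 65 00 72 00 20 00 44 00 61 00 74 00 61 00|",
}
ALERT_SID = 1900011  # fires when every path bit is set on the flow
RESET_SID = 1900012  # clears the path bits after the alert


def content_bytes(pattern: str) -> bytes:
    """Strip the |...| delimiters and spaces of a Suricata hex content string."""
    return bytes.fromhex(re.sub(r"[|\s]", "", pattern))


def decode_content(pattern: str) -> str:
    """The Windows path a rule matches: the bytes are UTF-16LE on the wire."""
    return content_bytes(pattern).decode("utf-16-le")


def smb_read_request(path: str) -> bytes:
    """Constructed stand-in for an SMB request payload naming a file path.
    The header bytes and share name are made up for the demo."""
    return b"\xfeSMB" + b"\x00" * 8 + ("\\\\FILESRV\\C$\\" + path).encode("utf-16-le")


class GrixbaFlowbits:
    """Replays the flowbits state machine of sids 1900002..1900012."""

    def __init__(self):
        self.patterns = {sid: content_bytes(p) for sid, p in RULE_CONTENT.items()}
        self.bits = {}  # flow_id -> set of path sids already seen on that flow

    def inspect(self, flow_id: str, payload: bytes) -> list:
        """Return the sids that raise an alert for this packet.

        The per-path rules are noalert and only set a bit (content matching is
        a substring test). Once all bits are set, ALERT_SID fires and RESET_SID
        unsets the bits so the next sweep on the same flow can alert again.
        """
        seen = self.bits.setdefault(flow_id, set())
        for sid, pat in self.patterns.items():
            if pat in payload:
                seen.add(sid)
        if seen == set(self.patterns):
            seen.clear()
            return [ALERT_SID]
        return []


if __name__ == "__main__":
    for sid, pattern in RULE_CONTENT.items():
        print(sid, decode_content(pattern))
    fb = GrixbaFlowbits()
    for path in (decode_content(p) for p in RULE_CONTENT.values()):
        print(path, "->", fb.inspect("10.0.0.5:49200->10.0.0.9:445", smb_read_request(path)))
```

Two points fall out of running it. The rules are keyed on directory names under Users\All Users and Users\Default, which an ordinary user session almost never opens over SMB, so the false-positive surface is low; and the alert requires all nine paths on one flow, so a partial sweep, or a sweep split across connections, does not fire. That is a deliberate precision trade-off, and a team that wants earlier warning can lower the bar by alerting on a subset of the bits.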
00 65 00 5c 00 4f 00 70 00 65 00 72 00 61 00 20 00 53 00 74 00 61 00 62 00 6c 00 65 00 flowtoserver flowbitssetGRXBAwebhistpath9detected sid1900010 rev1ppalert smb any any any any msgGRIXBA web history scanning detected potential indicator of imminent PLAY Ransomware attack flowbitsissetGRXBAwebhistpath1detected flowbitsissetGRXBAwebhistpath2detected flowbitsissetGRXBAwebhistpath3detected flowbitsissetGRXBAwebhistpath4detected flowbitsissetGRXBAwebhistpath5detectedflowbitsissetGRXBAwebhistpath6detected flowbitsissetGRXBAwebhistpath7detected flowbitsissetGRXBAwebhistpath8detected flowbitsissetGRXBAwebhistpath9detected flowbitssetGRXBAhitfound classtypeattemptedrecon sid1900011 rev1ppalert smb any any any any noalert flowbitsissetGRXBAhitfound flowbitsunsetGRXBAwebhistpath1detectedflowbitsunsetGRXBAwebhistpath2detectedflowbitsunsetGRXBAwebhistpath3detectedflowbitsunsetGRXBAwebhistpath4detectedflowbitsunsetGRXBAwebhistpath5detectedflowbitsunsetGRXBAwebhistpath6detectedflowbitsunsetGRXBAwebhistpath7detectedflowbitsunsetGRXBAwebhistpath8detectedflowbitsunsetGRXBAwebhistpath9detected sid1900012 rev1ppEnd UpdateppFBI CISA and ASDs ACSC recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Play ransomware These mitigations align with the CrossSector Cybersecurity Performance Goals CPGs developed by CISA and the National Institute of Standards and Technology NIST The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs Visit CISAs CrossSector Cybersecurity Performance Goals for more information on the CPGs including additional recommended baseline protectionsppThese mitigations apply to all critical infrastructure organizations and network 
defenders. FBI, CISA, and ASD's ACSC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus strengthening the security posture for their customers.

For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

In addition to applying mitigations, FBI, CISA, and ASD's ACSC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and ASD's ACSC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

FBI, CISA, and ASD's ACSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

FBI, CISA, and ASD's ACSC do not encourage paying a ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, FBI's Internet Crime Complaint Center (IC3), or CISA via CISA's 24/7 Operations Center (report@cisa.gov or 888-282-0870).

Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ASD's ACSC via 1300 CYBER1 (1300 292 371) or by submitting a report to cyber.gov.au.

The information in this report is being provided "as is" for informational purposes only. CISA and FBI do not endorse any
commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA or FBI.
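The Suricata rules above (sids 1900002-1900012) each match the UTF-16LE encoding of one browser profile path over SMB and only alert once all nine flowbits are set on a flow. The following added Python example (not part of the advisory or its rules) decodes those content patterns from the plain paths and reproduces the flowbit correlation over constructed sample payloads; the path list, flow ids and payloads are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed table of the nine profile directories, in the order of sids 1900002-1900010.
# Each rule's content:"|..|" pattern is just the UTF-16LE encoding of one of these paths.
WEBHIST_PATHS = [
    r"Users\All Users\AppData\Local\Microsoft\Windows\WebCache",
    r"Users\All Users\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles",
    r"Users\All Users\AppData\Roaming\Comodo\IceDragon\Profiles",
    r"Users\All Users\AppData\Local\Tencent\QQBrowser\User Data",
    r"Users\All Users\AppData\Local\Vivaldi\User Data",
    r"Users\All Users\AppData\Local\CocCoc\Browser\User Data",
    r"Users\All Users\AppData\Local\SogouExplorer\Webkit\User Data",
    r"Users\Default\AppData\Local\Vivaldi\User Data",
    r"Users\Default User\AppData\Roaming\Opera Software\Opera Stable",
]

def suricata_content(path: str) -> str:
    """Render a path the way the rules do: UTF-16LE bytes as space-separated hex."""
    return " ".join(f"{b:02x}" for b in path.encode("utf-16-le"))

@dataclass
class FlowbitCorrelator:
    """Approximates sids 1900002-1900012: one flowbit per path seen on a flow, alert
    (sid 1900011) once all nine are set, then unset them all again (sid 1900012)."""
    patterns: list = field(default_factory=lambda: [p.encode("utf-16-le") for p in WEBHIST_PATHS])
    state: dict = field(default_factory=dict)  # flow id -> indexes of paths matched so far

    def observe(self, flow_id: str, payload: bytes) -> bool:
        """Feed one to-server SMB payload; True when the correlated alert fires."""
        seen = self.state.setdefault(flow_id, set())
        seen.update(i for i, pat in enumerate(self.patterns) if pat in payload)
        if len(seen) == len(self.patterns):
            self.state[flow_id] = set()  # sid 1900012: clear the flowbits for this flow
            return True
        return False

def scan_events(events):
    """Run the correlator over (flow_id, payload) pairs; return flow ids that alerted."""
    corr = FlowbitCorrelator()
    return [fid for fid, payload in events if corr.observe(fid, payload)]

if __name__ == "__main__":
    # Constructed traffic: flow-A touches every profile directory, flow-B only one.
    noisy = [("flow-A", b"\x00\x00" + p.encode("utf-16-le") + b"\x00") for p in WEBHIST_PATHS]
    benign = [("flow-B", WEBHIST_PATHS[4].encode("utf-16-le"))]
    print(suricata_content(WEBHIST_PATHS[0])[:35])
    print(scan_events(noisy + benign))
```

A single profile path on a flow (flow-B) never alerts, which is the point of the flowbit design: one browser directory in SMB traffic is ordinary, all nine in sequence is the Grixba collection pattern.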