Play Ransomware Has Breached 900 Organizations Worldwide, FBI Warns
The FBI, CISA, and the Australian Signals Directorate's Australian Cyber Security Centre have released an updated joint cybersecurity advisory warning that the Play ransomware group has compromised approximately 900 organizations as of May 2025. This represents a dramatic escalation from the roughly 300 victims identified when CISA and the FBI first issued their advisory in December 2023. The Play ransomware group is believed to be a closed, tightly-knit operation. The group employs a double extortion model: first exfiltrating sensitive data from victim networks, then encrypting systems and threatening to leak the stolen data if ransom demands are not met. Uniquely, the ransom notes do not include an initial payment demand or instructions; victims are instructed to contact the attackers directly via email. The updated advisory includes new indicators of compromise and tactics, techniques, and procedures to help organizations defend against the group. A notable characteristic of Play's operations is that the group recompiles its malware for every attack, making it significantly harder for security software to detect and block. The advisory recommends organizations implement multi-factor authentication, maintain offline backups, segment networks, and apply security patches promptly.
The tripling of Play ransomware victims in 18 months shows that even well-documented threat groups continue to thrive. Organizations in MENA should pay special attention — ransomware groups increasingly target regions with less mature cybersecurity postures.
How does Play ransomware differ from other ransomware groups?
Play uses a double extortion model but uniquely does not include payment amounts in ransom notes. The group also recompiles its malware for each attack, making detection harder, and is believed to be a small, closed group rather than a ransomware-as-a-service operation.