Federal authorities have confirmed that the Play ransomware group has successfully infiltrated approximately 900 organizations worldwide since the cybercriminal operation began in June 2022, marking a dramatic escalation in the threat’s scope and impact.
The cybercriminal enterprise, also referred to as PlayCrypt, has emerged as one of the most active ransomware gangs in 2024, targeting critical infrastructure providers across North America, South America, and Europe.
The PlayCrypt ransomware operation has become a dominant cyber threat targeting critical infrastructure across three continents in 2024.
The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Australian Cyber Security Centre issued updated guidance on June 4, 2025, revising their original December 2023 warning that reported approximately 300 victims by October 2023. This represents a tripling of confirmed breaches within seven months, demonstrating the group’s accelerating operational tempo.
Play ransomware actors employ a sophisticated double extortion model, encrypting organizational systems after exfiltrating sensitive data. Unlike traditional ransomware operations, Play’s ransom notes deliberately omit initial payment demands or specific instructions, instead directing victims to contact threat actors through unique @gmx.de or @web.de email addresses for individual negotiations.
Some victims receive telephone calls with explicit threats to release stolen information.
Since mid-January, Play operatives and affiliated initial access brokers have aggressively targeted vulnerabilities in the SimpleHelp remote support tool. The attackers exploit three specific security flaws: CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726.
CVE-2024-57727 is a particularly dangerous path traversal vulnerability that lets an unauthenticated attacker download arbitrary files from a vulnerable SimpleHelp server. The three flaws can be chained, allowing cybercriminals to escalate to administrator-level privileges and execute malicious code remotely.
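To make the bug class concrete for defenders, the following added example (not SimpleHelp's code, and not a reproduction of CVE-2024-57727) shows a generic file-download helper written two ways: a naive version that joins the client-supplied name onto a base directory, and a hardened version that resolves the path and refuses anything that lands outside the directory it is allowed to serve. The directory layout, file names and contents in `demo()` are constructed for the example.

```python
"""Path traversal: vulnerable file resolution beside its hardened form.

Added illustration of the arbitrary-file-download bug class; it is not
SimpleHelp's code and makes no claim about how that product is written.
"""
import os
import tempfile
from pathlib import Path


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    # Naive join: a request such as "../private/secrets.xml" escapes base_dir
    # because the operating system happily follows the ".." component.
    return os.path.join(base_dir, requested)


def resolve_hardened(base_dir: str, requested: str) -> str:
    """Return an absolute path only if it stays inside base_dir; raise otherwise."""
    base = Path(base_dir).resolve()
    # Reject NUL bytes and absolute paths before doing any filesystem work.
    if "\x00" in requested or os.path.isabs(requested):
        raise PermissionError("rejected request path")
    # resolve() collapses ".." and follows symlinks, so the containment check
    # below sees the real destination, not the textual one.
    target = (base / requested).resolve()
    if not target.is_relative_to(base):  # Path.is_relative_to needs Python 3.9+
        raise PermissionError(f"path escapes base directory: {requested!r}")
    return str(target)


def read_served_file(base_dir: str, requested: str, resolver) -> bytes:
    """Read a file the way a download endpoint would, using the given resolver."""
    with open(resolver(base_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout: a public directory beside a private one."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    private = os.path.join(root, "private")
    os.makedirs(public)
    os.makedirs(private)
    with open(os.path.join(public, "readme.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(private, "secrets.xml"), "w") as fh:
        fh.write("<secret/>")  # constructed stand-in for a sensitive config file

    results = {}
    # Both resolvers serve a legitimate file inside the public directory.
    results["vuln_public"] = read_served_file(public, "readme.txt", resolve_vulnerable)
    results["hard_public"] = read_served_file(public, "readme.txt", resolve_hardened)
    # The naive resolver also hands over the private file.
    results["vuln_traversal"] = read_served_file(
        public, "../private/secrets.xml", resolve_vulnerable)
    # The hardened resolver refuses the same request.
    try:
        read_served_file(public, "../private/secrets.xml", resolve_hardened)
        results["hard_traversal"] = "allowed"
    except PermissionError:
        results["hard_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The essential design choice is to decide containment on the resolved path rather than on the request string: stripping `..` substrings or blocking a fixed set of encodings is brittle, whereas comparing the canonical target against the canonical base directory catches traversal, symlink tricks and mixed encodings alike, provided the web layer has already URL-decoded the request before the resolver sees it.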
The group first appeared in Australia during April 2023, with continued targeting of Australian organizations through November 2023. Play ransomware has previously been linked to attacks against ConnectWise ScreenConnect and Rackspace, demonstrating their capacity to breach established technology providers.
Play operates as a presumed closed group designed to “guarantee the secrecy of deals,” suggesting a selective membership model that prioritizes operational security.
Federal authorities highlight that organizations must regularly patch software applications, maintain updated systems, and implement thorough cybersecurity protocols to mitigate the evolving threat posed by this prolific ransomware operation.