Play ransomware has intensified its campaign of digital destruction across three continents, with federal authorities confirming the cybercriminal organization reached approximately 900 victims by May 2025, representing a threefold increase from the 300 cases documented in October 2023.
The cyberthreat group, also referred to as Playcrypt and active since June 2022, has emerged as one of the most prolific ransomware operations targeting businesses and critical infrastructure across North America, South America, and Europe. Federal investigators classify the organization as a closed group designed to “guarantee the secrecy of deals,” contributing to its sustained operational efficacy.
Play ransomware employs a sophisticated double-extortion methodology, exfiltrating sensitive data before encrypting victim systems so that the stolen data provides additional leverage. Unlike those of conventional ransomware operations, its ransom notes intentionally omit initial payment demands or precise instructions, instead directing victims to contact the threat actors through email channels. This approach allows the group to customize extortion demands based on individual victim profiles and stolen data value.
Recent intelligence indicates the organization has adapted its tactics to exploit three critical vulnerabilities in SimpleHelp remote monitoring and management software, tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726. Security researchers confirm these vulnerabilities can be chained together, allowing attackers to raise privileges to administrator level and execute arbitrary code, completely compromising targeted systems.
Healthcare organizations face particularly severe risks from Play ransomware’s evolving tactics. The American Hospital Association’s deputy national advisor for cybersecurity highlighted the importance of healthcare cybersecurity teams understanding these tactical changes, noting that the double-layered extortion model poses exceptional threats to healthcare delivery systems. Play ransomware demonstrated exceptional adaptability throughout 2024, continuously evolving its operational methods to counter defensive measures.
Federal authorities responded to the escalating threat with a joint advisory issued June 4, 2025, by the FBI, CISA, and Australian Cyber Security Centre. This guidance updates previous December 2023 recommendations, incorporating new intelligence about the group’s evolving tactics and techniques.
Network defenders are advised to conduct extensive risk assessments, prioritize system modernization, and monitor for SimpleHelp vulnerability exploitation.
Healthcare organizations are specifically directed to AHA resources at aha.org/cybersecurity for current threat intelligence, while critical infrastructure operators must accelerate defensive preparations against this expanding threat.