FBI: Play ransomware gang has attacked 300 orgs since 2022

The ransomware gang behind several devastating attacks on major American cities has allegedly launched more than 300 successful incidents since June 2022, according to cybersecurity officials in the United States and Australia.

The FBI joined the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre in publishing an advisory about the Play ransomware gang on Monday.

This year alone, the group left cities like Oakland and Lowell, Massachusetts, as well as Dallas County, scrambling for days to deal with encrypted devices and troves of stolen citizen data. The government of Switzerland also warned in June that the group had stolen data during an attack on one of its IT providers.

The agencies said the ransomware gang has attacked “a wide range of businesses and critical infrastructure in North America, South America, and Europe” over the last year-and-a-half. The FBI was aware of about 300 “affected entities,” as of October. In Australia, the first incident involving the group was observed in April, with the most recent in November.

According to the notice, the group operates with more discretion than some of its competitors. In most cases, the gang does not include its demands in the ransom note, instead asking victims to contact them through email.

“The Play ransomware group is presumed to be a closed group, designed to ‘guarantee the secrecy of deals,’ according to a statement on the group’s data leak website,” the agencies said. “Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data.”

The gang typically gains initial access by abusing stolen account credentials and exploiting public-facing applications, targeting known flaws in popular products such as the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812, as well as the ProxyNotShell vulnerabilities in Microsoft tools.

The hackers use a variety of tools to steal information and to scan for and disable anti-virus software.

The gang typically adds the .play extension to filenames after splitting compromised data into smaller portions and exfiltrating it to hacker-controlled accounts.

“The Play ransomware group uses a double-extortion model, encrypting systems after exfiltrating data. The ransom note directs victims to contact the Play ransomware group at an email address ending in @gmx[.]de,” they said.

“Ransom payments are paid in cryptocurrency to wallet addresses provided by Play actors. If a victim refuses to pay the ransom demand, the ransomware actors threaten to publish exfiltrated data to their leak site on the Tor network ([.]onion URL).”

When the Play group first emerged in mid-2022, it targeted government entities in Latin America, according to Trend Micro. More recently it drew headlines for a damaging attack on the city of Oakland, which spent weeks recovering from the incident, as well as others involving Stanley Steemer and the organization that runs the transit system for central Virginia.

In April, the gang published 600 gigabytes of Oakland government data after releasing an initial batch of 10GB in March. The leaks included troves of sensitive data stolen from the city’s police department, driver’s license numbers, Social Security numbers and even information on the city’s elected officials.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.