As part of the #StopRansomware campaign, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on the Play (or Playcrypt) ransomware group.
Since June 2022, Play has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe, the advisory said. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.
There were 14 attacks by Play against the Food and Ag sector in 2023. Play is the third most prolific group watched by the Food and Ag Information Technology-Information Sharing and Analysis Center (IT-ISAC) in terms of attack volume. Already in 2024, there are four documented attacks against the sector by Play, according to IT-ISAC.
The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.
The FBI and CISA encouraged organizations to implement cybersecurity recommendations to reduce the likelihood and impact of ransomware incidents, including requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date.