Yesterday, CISA, the FBI, and the Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory (CSA), “#StopRansomware: Play Ransomware,” to disseminate Play ransomware group’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as October 2023.

Since June 2022, the Play ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors. In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023. The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.

The authoring agencies encourage organizations to review the joint CSA for recommended mitigations to reduce the likelihood and impact of ransomware attacks. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.