TZUTC: -0500
MSGID: 1173.consprcy@1:2320/105 2ca83105
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FBI warns Play ransomware hackers have hit nearly a thousand US firms

Date:
Thu, 05 Jun 2025 14:28:00 +0000

Description:
Play hackers have added phone calls to their extortion tactics, and are
targeting more flaws.

FULL STORY

Play Ransomwares body count is almost hitting four digits, a new warning from
top legal enforcement has revealed, urging businesses to stay on guard 
against attacks. 

In an updated security advisory, published by the FBI, CISA, and the
Australian Signals Directorates Australian Cyber Security Centre (ASDs ACSC),
it was said that Play and its affiliates exploited approximately 900 
entities. 

Play Ransomware, also known as Playcrypt, is an infamous ransomware operator.
It is known for using the atypical triple-extortion method in which, besides
encrypting and exfiltrating files, it also calls its victims on the phone to
convince them to pay up.

SimpleHelp flaws targeted 

The security agencies security advisory has been updated to reflect changes
Play and its affiliates made in recent times. For example, it was said that
the victims get a unique @gmx.de, or @web.de email address, through which
theyre invited to communicate with the attackers. 

Furthermore, the group seems to have added new vulnerabilities to the ones
they were already targeting. Besides FortiOS (CVE-2018-13379, and
CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and
CVE-2022-41082) bugs, they are now exploiting CVE-2024-57727 in remote
monitoring and management (RMM) tool SimpleHelp, which theyre using for 
remote code execution (RCE) capabilities. 

This vulnerability was first spotted in mid-January 2025, and has been
exploited since. 

To make things even worse, the agencies are saying that the Play ransomware
binary is recompiled for every attack, which means it gets a new, unique 
hash, for each deployment. This complicates anti-malware and antivirus 
program detection. 

Play was first spotted around 2020, and in the past, was known for targeting
Windows-powered devices, but in late July 2024, security researchers saw a
Linux variant targeting VMWare ESXi environments. 

In a technical breakdown, Trend Micros Threat Hunting team said at the time
that it was the first time Play was seen targeting ESXi environments, and it
could be that the criminals are broadening their attacks across the Linux
platform. 

 Via The Register

======================================================================
Link to news story:
https://www.techradar.com/pro/security/fbi-warns-play-ransomware-hackers-have-
hit-nearly-a-thousand-us-firms

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426