Tuesday, March 17, 2026

CISA Publishes Tactics, Techniques, and Indicators for Defending Against Play Ransomware

On June 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Australian Cyber Security Centre (ACSC), released an extensive update to its #StopRansomware advisory on the Play ransomware group.

With over 900 reported victims as of May 2025 and new technical findings from recent FBI investigations, this advisory delivers a deep operational and technical breakdown of Play’s evolving tactics, techniques, and procedures (TTPs).

Technical Analysis: Play Ransomware’s Attack Chain

Initial Access and Exploitation

Play ransomware, also tracked as PlayCrypt, relies on several initial access routes rather than a single one. Threat actors commonly:

  • Exploit valid credentials ([T1078]) harvested or purchased on the dark web.
  • Abuse public-facing application vulnerabilities ([T1190]), notably in FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange (CVE-2022-41040, CVE-2022-41082).
  • Leverage remote services such as RDP and VPN ([T1133]) for direct entry.

A notable addition to the advisory covers attacks observed in 2025 in which Play actors exploited a path traversal vulnerability in the SimpleHelp remote monitoring and management tool (CVE-2024-57727) to achieve remote code execution ([T1059.001]).

Discovery, Defense Evasion, and Lateral Movement

Play uses a suite of open-source and custom tools to expand access and evade detection:

  • AdFind, Bloodhound, Grixba: Active Directory and network reconnaissance.
  • GMER, IOBit, PowerTool: Used to disable anti-malware solutions ([T1562.001]).
  • PowerShell scripts: Used to target Microsoft Defender and to clear logs and other traces ([T1070.001]).

Lateral movement is achieved via Cobalt Strike, SystemBC, and PsExec, while Mimikatz and WinPEAS aid privilege escalation and credential theft. Distribution of payloads often leverages Group Policy Objects ([T1484.001]).
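The tooling above is mostly dual-use, so the practical question is how to hunt for it in endpoint telemetry. The following Python is an added example, not from the advisory or from CISA: it runs a watchlist built from the tools named in this section over constructed Sysmon-style process-creation records and raises severity when tools from two different stages of the chain appear on one host within a short window, or when a credential-theft or defense-impairing tool appears at all. The specific executable names in the watchlist are assumptions for this example (for instance, SharpHound is BloodHound's collector), and the events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional
import ntpath

# Tooling named in the advisory, grouped by the stage it serves. The exact file
# names are assumptions for this example; Play renames tools freely, so a hit
# is a lead to confirm by hash or signature, not proof on its own.
WATCHLIST = {
    "recon": {"adfind.exe", "sharphound.exe", "grixba.exe", "grb_net.exe"},
    "defense_impair": {"gmer.exe", "powertool.exe", "powertool64.exe", "iobitunlocker.exe"},
    "credential_theft": {"mimikatz.exe", "winpeas.exe", "winpeasany.exe"},
    "lateral": {"psexec.exe", "psexesvc.exe"},
}

# Constructed Sysmon Event ID 1 (process create) records, reduced to the fields
# this example needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2025-06-04T09:00:00", "image": r"C:\Temp\adfind.exe", "cmdline": "adfind.exe -f objectcategory=computer"},
    {"host": "WS01", "ts": "2025-06-04T09:20:00", "image": r"C:\Temp\gmer.exe", "cmdline": "gmer.exe"},
    {"host": "WS02", "ts": "2025-06-04T10:00:00", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "WS03", "ts": "2025-06-04T10:05:00", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "WS04", "ts": "2025-06-04T08:00:00", "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe"},
    {"host": "WS05", "ts": "2025-06-04T08:00:00", "image": r"C:\Temp\adfind.exe", "cmdline": "adfind.exe"},
    {"host": "WS05", "ts": "2025-06-04T16:00:00", "image": r"C:\Temp\psexec.exe", "cmdline": "psexec.exe \\\\DC01 cmd"},
]


def categorize(image: str) -> Optional[str]:
    """Map an image path to a watchlist stage, or None if it is not listed."""
    name = ntpath.basename(image).lower()
    for category, names in WATCHLIST.items():
        if name in names:
            return category
    return None


def hunt(events, window: timedelta = timedelta(hours=1)) -> dict:
    """Group watchlist hits per host and assign a severity.

    'high' when a credential-theft or defense-impairing tool ran, or when two
    or more stages appeared on the same host inside `window`; 'medium' for an
    isolated hit such as a lone PsExec, which is often legitimate admin use.
    """
    hits = defaultdict(list)
    for ev in events:
        category = categorize(ev["image"])
        if category:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), category, ev["image"]))

    findings = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        categories = {c for _, c, _ in host_hits}
        span = host_hits[-1][0] - host_hits[0][0]
        severity = "medium"
        if ("credential_theft" in categories or "defense_impair" in categories
                or (len(categories) >= 2 and span <= window)):
            severity = "high"
        findings[host] = {
            "severity": severity,
            "categories": sorted(categories),
            "images": [img for _, _, img in host_hits],
        }
    return findings


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["categories"])
```

The window is deliberately short so that the WS05 case (reconnaissance in the morning, PsExec in the afternoon) stays at medium and goes to an analyst rather than paging; tune it to the dwell times seen in your own environment.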

Data Exfiltration and Encryption

For exfiltration, Play splits and compresses data with WinRAR ([T1560.001]) and transfers the archives with WinSCP ([T1048]). Files are then encrypted with a hybrid AES-RSA scheme using intermittent encryption (only portions of each file are encrypted, which speeds up the attack and blunts whole-file entropy checks), skipping system files and appending the .PLAY extension to encrypted filenames ([T1486]).
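Intermittent encryption matters for detection because a file that is only partly encrypted keeps a low whole-file entropy and can slip past a simple "is this file now random?" check. The following Python is an added example, not code from the advisory or from CISA, and it does no real cryptography: it measures Shannon entropy per fixed-size chunk and labels a buffer as plaintext, fully encrypted, or intermittently encrypted from the high/low pattern. The 4 KiB chunk size, the entropy thresholds, and the use of random bytes as a stand-in for AES ciphertext are assumptions for this example; the page does not state the stride Play uses.

```python
import math
import os
from collections import Counter

# Assumptions for this example: the analysis stride and the entropy thresholds.
# Ciphertext and compressed data sit near 8.0 bits/byte; text, code and config
# files sit well below 6.0.
CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.5
LOW_ENTROPY = 6.0

# Constructed stand-in for a document: 1024 copies of one 36-byte line, which
# is 36864 bytes, exactly nine 4 KiB chunks.
SAMPLE_PLAIN = b"Quarterly revenue by region, FY2025\n" * 1024


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    total = len(buf)
    return -sum((c / total) * math.log2(c / total) for c in Counter(buf).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label a buffer from its per-chunk entropy profile.

    Whole-file entropy misses intermittent encryption because the untouched
    chunks pull the average down; looking per chunk exposes the alternating
    high/low pattern that a stripe-encrypting ransomware leaves behind.
    """
    ents = chunk_entropies(data, chunk_size)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if ents and high == len(ents):
        return "fully_encrypted"
    if high == 0:
        return "plaintext"
    if low:
        return "intermittent"
    return "indeterminate"  # everything is high or mid-range, e.g. compressed data


def simulate_intermittent(plain: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed sample: overwrite every other chunk with random bytes as a
    stand-in for ciphertext. No cipher or key is involved; only the entropy
    footprint of an alternating-chunk encryptor is being reproduced."""
    out = bytearray(plain)
    for i in range(0, len(out), 2 * chunk_size):
        out[i:i + chunk_size] = os.urandom(len(out[i:i + chunk_size]))
    return bytes(out)


def demo() -> dict:
    """Classify three constructed buffers: untouched text, every-other-chunk
    encrypted, and fully encrypted."""
    return {
        "plain": classify(SAMPLE_PLAIN),
        "intermittent": classify(simulate_intermittent(SAMPLE_PLAIN)),
        "full": classify(os.urandom(len(SAMPLE_PLAIN))),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12s} -> {verdict}")
```

In a file-system sweep this check would run alongside the cheaper signals this section already gives you (the .PLAY extension and unexpected WinRAR or WinSCP activity); chunked entropy is what catches a partially encrypted file whose name has not changed yet.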

Example: Play Ransomware ESXi Variant

The ESXi variant runs a series of shell commands to enumerate and shut down virtual machines, then encrypts VM-related files (e.g., .vmdk, .vmx) with AES-256. It supports command-line flags for debugging and selective targeting.

YARA rule sample for ESXi variant:

```yara
rule PlayForESXi {
    meta:
        description = "Detects PLAY ransomware targeting ESXi Hypervisors"
        date = "2025-01"
    strings:
        $PLAY_ext_str = ".PLAY" fullword
        $targeted_ext_vmdk = ".vmdk" fullword
        $encrypt_str = "encrypt:"
        $vmfs_path_str = "/vmfs/volumes"
    condition:
        all of them
}
```

Grixba Infostealer Detection (YARA/Suricata snippet)

```yara
rule GRXBA {
    meta:
        description = "Detects the infostealer GRXBA version 1.1.3.0"
        date = "2025-01"
    strings:
        $GRB_NET_exe_hex = { 47 52 42 5F 4E 45 54 2E 65 78 65 00 }
    condition:
        all of them
}
```

Suricata rule for SMB path scanning (excerpt):

```text
alert smb any any -> any any (msg:"GRIXBA web history scanning detected - potential indicator of imminent PLAY Ransomware attack";
    flowbits:isset,GRXBA_webhist_path_1_detected; ... ;sid:1900011; rev:1;)
```

Indicators of Compromise and Defense Recommendations

CISA provides a continually updated list of IOCs, including hashes for Play-specific malware and infrastructure. Organizations are urged to deploy the published YARA and Suricata signatures for early detection.

Hash (SHA-256) | File name | Description
47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E | SVCHost.dll | Backdoor
75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A | GRIXBA / Gt_net.exe | Custom data gathering tool
453257C3494ADDAFB39CB6815862403E827947A1E7737EB8168CD10522465DEB | GRIXBA / Gt_net.exe | Custom data gathering tool
C59F3C8D61D940B56436C14BC148C1FE98862921B8F7BAD97FBC96B31D71193C | GRIXBA / Gt_net.exe | Custom data gathering tool
1409E010675BF4A40DB0A845B60DB3AAE5B302834E80ADEEC884AEBC55ECCBF7 | PSexesvc.exe | Custom Play "psexesvc"
0E408AED1ACF902A9F97ABF71CF0DD354024109C5D52A79054C421BE35D93549 | HRsword.exe | Disables endpoint protection
90040340EE101CAC7831D7035230AC8AD4224D432E5636F34F13AA1C4A0C2041 | Usysdiag.exe | Associated with HRsword; changes settings of system certificates
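The hashes in the table and the string sets in the two YARA rules above are the pieces a responder most often needs to sweep a suspect host when a YARA engine is not available. The following Python is an added example, not code from CISA or the advisory: it hashes every file under a directory against the SHA-256 values from the table, looks for the `GRB_NET.exe` byte sequence from the GRXBA rule, and applies the PlayForESXi string set with an approximation of YARA's `fullword` modifier. The sample files it scans are constructed inline, and one extra hash is added at runtime for a constructed file so the hash path is exercised; that hash is not an advisory IOC. Files are read whole for the string checks, which is an assumption suited to a triage sweep, not to multi-gigabyte images.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values from the advisory table on this page, normalised to lowercase.
IOC_HASHES = {
    "47b7b2dd88959cd7224a5542ae8d5bce928bfc986bf0d0321532a7515c244a1e": "SVCHost.dll backdoor",
    "75b525b220169f07aecfb3b1991702fbd9a1e170caf0040d1fcb07c3e819f54a": "GRIXBA / Gt_net.exe",
    "453257c3494addafb39cb6815862403e827947a1e7737eb8168cd10522465deb": "GRIXBA / Gt_net.exe",
    "c59f3c8d61d940b56436c14bc148c1fe98862921b8f7bad97fbc96b31d71193c": "GRIXBA / Gt_net.exe",
    "1409e010675bf4a40db0a845b60db3aae5b302834e80adeec884aebc55eccbf7": "custom PSexesvc.exe",
    "0e408aed1acf902a9f97abf71cf0dd354024109c5d52a79054c421be35d93549": "HRsword.exe",
    "90040340ee101cac7831d7035230ac8ad4224d432e5636f34f13aa1c4a0c2041": "Usysdiag.exe",
}

# Byte pattern transcribed from the GRXBA YARA rule: "GRB_NET.exe" + NUL.
BYTE_PATTERNS = {
    "GRXBA string GRB_NET.exe": bytes.fromhex("4752425f4e45542e65786500"),
}

# String set from the PlayForESXi rule (all must match). The second field marks
# the strings the rule declares 'fullword'; this example approximates fullword
# as "not adjacent to an alphanumeric byte", which is an assumption.
ESXI_STRINGS = [(".PLAY", True), (".vmdk", True), ("encrypt:", False), ("/vmfs/volumes", False)]


def _contains(data: bytes, needle: str, fullword: bool) -> bool:
    pattern = re.escape(needle.encode())
    if fullword:
        pattern = rb"(?<![0-9A-Za-z])" + pattern + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large binaries are not loaded into memory for hashing."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_file(path: Path, hash_iocs=IOC_HASHES) -> list:
    """Return the list of reasons a file is flagged (empty when clean)."""
    reasons = []
    digest = sha256_file(path)
    if digest in hash_iocs:
        reasons.append(f"hash match: {hash_iocs[digest]}")
    data = path.read_bytes()
    for label, pattern in BYTE_PATTERNS.items():
        if pattern in data:
            reasons.append(label)
    if all(_contains(data, s, fullword) for s, fullword in ESXI_STRINGS):
        reasons.append("PlayForESXi string set")
    return reasons


def sweep(root: Path, hash_iocs=IOC_HASHES) -> dict:
    """Walk `root` and map each flagged file (relative path) to its reasons."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = scan_file(path, hash_iocs)
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def demo() -> dict:
    """Sweep a temporary directory of constructed files (not real samples)."""
    samples = {
        "gt_net_sample.bin": b"\x00MZ-like header\x00GRB_NET.exe\x00more data",
        "esxi_sample.bin": b"usage: encrypt: <path>\nscanning /vmfs/volumes for .vmdk\nrename to .PLAY\n",
        "readme.txt": b"Nothing to see here. vmdk_backup.PLAYBOOK is not a fullword hit.\n",
        "known_bad.bin": b"constructed sample; its hash is added to the IOC set at runtime\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in samples.items():
            (root / name).write_bytes(content)
        # Constructed IOC for the demo only; not from the advisory.
        extra = {hashlib.sha256(samples["known_bad.bin"]).hexdigest(): "constructed hash IOC (not from the advisory)"}
        return sweep(root, {**IOC_HASHES, **extra})


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Hash matching is the weakest of the three checks against Play, since the advisory itself notes the binaries are recompiled per campaign; the string and byte-pattern checks survive a rebuild better, and any hit should be confirmed with the full YARA rules from the advisory.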

Key takeaway: The Play ransomware group demonstrates high adaptation, tool repurposing, and campaign-to-campaign binary customization.

Defenders must implement layered security controls, actively hunt for IOCs, and routinely validate their detection capabilities against the MITRE ATT&CK-mapped techniques outlined in this advisory.
