The FBI and the Cybersecurity and Infrastructure Security Agency on Wednesday warned that the Play ransomware gang has been targeting U.S. critical infrastructure and other organizations using evolving techniques.
The ransomware group was among the most active in 2024 and has targeted a wide range of businesses and infrastructure providers in North America, South America and Europe, the agencies said in a joint advisory. As of May, the group had breached approximately 900 organizations in multiple countries since launching in June 2022, according to the FBI.
Since mid-January, multiple ransomware groups, including initial access brokers affiliated with Play, have targeted vulnerabilities in a remote support tool called SimpleHelp. Researchers disclosed those flaws in January.
The new advisory updates the government’s original December 2023 warning about the Play ransomware group, which is also known as PlayCrypt. The hackers have previously been blamed for attacks targeting ConnectWise ScreenConnect and Rackspace.
The recent attacks exploiting SimpleHelp involve three flaws discovered by security firm Horizon3.ai.
The most notable flaw, CVE-2024-57727, is a path traversal vulnerability that allows an unauthenticated attacker to download arbitrary files from the SimpleHelp server.
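To make the vulnerability class concrete for defenders, the following is an added example and not SimpleHelp's code or anything from the advisory: a generic file-serving routine that is vulnerable to path traversal beside a hardened version that confines every request to its base directory, plus a small check that flags traversal sequences in constructed access-log lines. The sample directory tree, the log lines and the function names are all constructed for this illustration.

```python
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote


def build_sample_tree() -> Path:
    """Create a throwaway directory tree (constructed for the example).

    <root>/public/readme.txt   is meant to be served
    <root>/secret.cfg          sits one level above the served directory
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "public").mkdir()
    (root / "public" / "readme.txt").write_text("public file\n")
    (root / "secret.cfg").write_text("db_password=example\n")
    return root


def vulnerable_read(base, requested: str) -> bytes:
    """Naive join: '..' segments and absolute paths escape the base directory."""
    path = os.path.join(base, requested)
    with open(path, "rb") as fh:
        return fh.read()


def safe_read(base, requested: str) -> bytes:
    """Hardened variant: decode once, resolve, and refuse anything outside base."""
    base_resolved = Path(base).resolve()
    # Decode percent-encoding before joining so "%2e%2e/" cannot slip past the check.
    candidate = (base_resolved / unquote(requested)).resolve()
    try:
        candidate.relative_to(base_resolved)  # raises ValueError if outside base
    except ValueError:
        raise PermissionError(f"request escapes base directory: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def is_rejected(base, requested: str) -> bool:
    """True when safe_read refuses the request (used for the checks below)."""
    try:
        safe_read(base, requested)
    except PermissionError:
        return True
    return False


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /public/readme.txt HTTP/1.1" 200 12
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /public/../secret.cfg HTTP/1.1" 200 20
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "GET /public/%2e%2e%2fsecret.cfg HTTP/1.1" 200 20
"""

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal_requests(log_text: str) -> list:
    """Return the raw request targets whose decoded path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        # Decode twice to catch double-encoded sequences; normalise backslashes.
        decoded = unquote(unquote(target)).replace("\\", "/")
        if ".." in decoded.split("?", 1)[0].split("/"):
            hits.append(target)
    return hits


if __name__ == "__main__":
    root = build_sample_tree()
    served = root / "public"
    print(safe_read(served, "readme.txt"))
    print(vulnerable_read(served, "../secret.cfg"))   # escapes the served directory
    print(is_rejected(served, "../secret.cfg"))       # True with the hardened version
    print(flag_traversal_requests(SAMPLE_LOG))
```

The hardened reader resolves the joined path and then checks that it still lies under the base directory; that check, not string filtering of `..`, is what closes the hole, and the log scan is only a cheap first-pass signal for review.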
“RMM (Remote Monitoring and Management) tools like SimpleHelp have historically been high-value targets for attackers because, if compromised, they enable attackers to easily get initial access into multiple client environments at once,” Naveen Sunkavally, chief architect at Horizon3.ai, told Cybersecurity Dive via email.
SimpleHelp released security updates to address the three vulnerabilities and urged customers to apply the fixes immediately.
CISA added CVE-2024-57727 to its known exploited vulnerabilities catalog in February.
In May, researchers at Sophos disclosed an incident where a threat actor gained access to a managed service provider’s SimpleHelp tool and deployed the DragonForce ransomware, although the researchers do not see any direct ties between DragonForce and Play.
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said only nine of the Play ransomware attacks impacted healthcare, and that the group appears to be focused mainly on other sectors.
“That said, I’d encourage all organizations, including those in health, to take the joint advisory seriously and follow the recommendations,” Weiss said.