The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released a critical warning about the sharp rise in Play ransomware attacks. The agencies report that this cyber threat has affected hundreds of organizations across the Americas and Europe, including vital service providers and businesses.
The updated alert comes after the FBI identified over 900 confirmed victims in May alone, which is three times more than previously reported. Cybersecurity experts are urging organizations to act quickly to strengthen their defenses and stay informed about how these cybercriminals operate.
How the Play Ransomware Works
Play ransomware attackers use various advanced methods to break into systems. They often start by targeting services that are accessible from outside, like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs). Once they gain access, they move within the network, stealing login details and aiming to control the system entirely.
The FBI notes that the attackers do not immediately demand payment in their ransom notes. Instead, they leave email addresses that victims must contact. These emails usually come from unique addresses linked to German domains. In some cases, the criminals also make threatening phone calls to pressure victims into paying.
Connections to Other Threat Groups
Investigations suggest that the Play ransomware may be connected to several known hacking groups. Some security researchers believe there could be links to Balloonfly, a cybercrime group involved in earlier ransomware attacks. There have also been reports connecting Play to serious security incidents involving Windows systems and Microsoft Exchange servers.
In the past, attackers have taken advantage of security flaws in popular software, including Microsoft’s Windows and Fortinet’s FortiOS. Most of these security gaps have already been fixed through updates, but systems that remain unpatched are still at risk.
Key Steps to Protect Your Organization
The FBI strongly recommends that all organizations take immediate steps to reduce their risk of falling victim to these attacks. Here are the essential safety measures:
1. Create backup copies of important data and store them in secure, separate locations.
2. Use strong, unique passwords that are at least 15 characters long. Do not reuse passwords or rely on password hints.
3. Enable multi-factor authentication to add extra security to all accounts.
4. Limit the use of admin accounts and require special permissions to install new software.
5. Keep all systems and software up to date by applying security patches and updates promptly.
6. Separate networks to limit how far a ransomware attack can spread.
7. Turn off unused system ports and disable clickable links in all incoming emails.
8. Restrict the use of command-line tools that attackers commonly use to spread ransomware.
Staying alert and following these steps can help prevent your organization from becoming the next target. Cybersecurity is an ongoing effort, and keeping up with the latest updates is key to staying protected.
