Play Ransomware Group Sounds Alarm: Special Virus for Every Attack, Threat via Phone, Special Encryption for VMware!

According to CISA’s June 4, 2025 report, the Play ransomware group has become one of the most active cyber threats of 2024. Targeting nearly 900 institutions, the group infiltrates systems using a newly disclosed vulnerability and now directly calls and threatens victims.

Jun 15, 2025 - 15:07
Jun 15, 2025 - 16:41

Play Group Targets 900 Institutions
According to the US Federal Bureau of Investigation (FBI), the Play ransomware group has targeted approximately 900 institutions to date. The group has not only increased the number of attacks, but also diversified its attack techniques. As of May 2025, it continues to carry out active attacks.
 
New Attack Method: SimpleHelp Vulnerability
The vulnerability, tracked as CVE-2024-57727, was publicly disclosed on January 16, 2025, and Play's operators began exploiting it soon afterwards. The group has infiltrated systems through the remote support tool SimpleHelp, and organizations running this software are urged to update it.
 
Ransomware Tailored to Each Victim
To avoid detection, the Play group recompiles its ransomware for every attack, so each victim receives a unique binary. Because no two samples are alike, antivirus software struggles to detect them, which points to the group's technical capabilities.
 
New Threat Type: Telephone Intimidation
The group no longer threatens victims only by e-mail; it now also calls them directly. The callers reach phone numbers belonging to different units of the targeted institution and apply pressure with the message "We will leak your data". A dedicated e-mail address on the "@gmx.de" or "@web.de" domains is created for each victim.
 
VMware Systems Special Target
The Play group has developed a ransomware variant built specifically for VMware ESXi hypervisors. It shuts down the virtual machines, encrypts the virtual machine files with AES-256, and replaces the welcome message in the system interface with a ransom note.
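An added defender-side check for the banner tampering just described (example code, not from the article or from CISA). It assumes the DCUI welcome banner lives in /etc/vmware/welcome and the SSH banner in /etc/motd, and that a trusted hash of each was recorded when the host was built; the sample host contents below are constructed.

```python
"""Flag ESXi login banners that no longer match their build-time baseline."""
import hashlib
from dataclasses import dataclass

# Assumed locations of the DCUI welcome text and the SSH MOTD on an ESXi host.
WATCHED_FILES = ("/etc/vmware/welcome", "/etc/motd")


@dataclass
class Finding:
    path: str
    changed: bool
    hint: str


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8", errors="replace")).hexdigest()


def audit_banner(path: str, current: str, baseline_hash: str) -> Finding:
    """Compare a banner against its recorded hash; any drift is the finding.

    The wording check is only a hint: a replaced banner is worth an alert
    even if the new text does not look like a ransom note."""
    if sha256_text(current) == baseline_hash:
        return Finding(path, False, "matches baseline")
    lowered = current.lower()
    hint = "banner changed"
    if any(w in lowered for w in ("encrypted", "ransom", "decrypt", ".onion")):
        hint = "banner changed and reads like a ransom note"
    return Finding(path, True, hint)


def audit_host(files: dict, baselines: dict) -> list:
    """Audit every watched file; a missing file is treated as changed."""
    return [audit_banner(p, files.get(p, ""), baselines[p]) for p in WATCHED_FILES]


# Constructed sample data so the check runs offline (not real host output).
BASELINE_WELCOME = "Managed by vCenter. Authorised use only.\n"
BASELINE_MOTD = "The time and date of this login have been sent to the system logs.\n"
BASELINES = {"/etc/vmware/welcome": sha256_text(BASELINE_WELCOME),
             "/etc/motd": sha256_text(BASELINE_MOTD)}
TAMPERED_HOST = {"/etc/vmware/welcome": "All your files are encrypted. Contact us to decrypt.\n",
                 "/etc/motd": BASELINE_MOTD}

if __name__ == "__main__":
    for f in audit_host(TAMPERED_HOST, BASELINES):
        print(f"{'ALERT' if f.changed else 'ok   '} {f.path}: {f.hint}")
```

On a live host the same functions can be fed the file contents read from the paths in WATCHED_FILES, with the baseline hashes kept off the host so an intruder cannot rewrite them alongside the banner.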
 
Their Own Spyware: GRIXBA
The information-stealing tool called GRIXBA is custom spyware developed by the group. It maps the network, identifies installed antivirus software, and masquerades as Zabbix 2023 to avoid notice.
 
What Should Institutions Do?
According to CISA's recommendations, the precautions to be taken are listed as follows:
 
    Apply the CVE-2024-57727 patch immediately.
 
    Enable multi-factor authentication, especially on VPN and email systems.
 
    Review your network segmentation.
 
    Check your offline backups.
 
    Update your incident response plan.
 
The Play group is no longer just a ransomware crew but an organized cybercrime network. Its rapid technical adaptation, quick exploitation of newly disclosed vulnerabilities, and psychological pressure tactics make it a serious threat.
 
 
 
Source: CUMHA - CUMHURS NEWS AGENCY
