The Cybersecurity and Infrastructure Agency (CISA) has partnered with U.S. and Australian organizations to release a joint cybersecurity advisory (CSA) on Play ransomware. 

Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe and Australia.

The CSA encourages organizations review and implement the recommendations provided to reduce the likelihood and impact of Play and other ransomware incidents. This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software and firmware up to date.

Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors. In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.

Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.