Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,440 of 2,445    |
|    Mike Powell to All    |
|    FBI warns Play ransomware    |
|    06 Jun 25 09:01:00    |
FBI warns Play ransomware hackers have hit nearly a thousand US firms

Date: Thu, 05 Jun 2025 14:28:00 +0000

Description: Play hackers have added phone calls to their extortion tactics, and are targeting more flaws.

FULL STORY

Play Ransomware's body count is almost hitting four digits, a new warning from top legal enforcement has revealed, urging businesses to stay on guard against attacks.

In an updated security advisory, published by the FBI, CISA, and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), it was said that Play and its affiliates exploited approximately 900 entities.

Play Ransomware, also known as Playcrypt, is an infamous ransomware operator. It is known for using the atypical triple-extortion method in which, besides encrypting and exfiltrating files, it also calls its victims on the phone to convince them to pay up.

SimpleHelp flaws targeted

The security agencies' security advisory has been updated to reflect changes Play and its affiliates made in recent times. For example, it was said that the victims get a unique @gmx.de, or @web.de email address, through which they're invited to communicate with the attackers.

Furthermore, the group seems to have added new vulnerabilities to the ones they were already targeting. Besides FortiOS (CVE-2018-13379, and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell CVE-2022-41040 and CVE-2022-41082) bugs, they are now exploiting CVE-2024-57727 in remote monitoring and management (RMM) tool SimpleHelp, which they're using for remote code execution (RCE) capabilities.

This vulnerability was first spotted in mid-January 2025, and has been exploited since.

To make things even worse, the agencies are saying that the Play ransomware binary is recompiled for every attack, which means it gets a new, unique hash, for each deployment. This complicates anti-malware and antivirus program detection.

Play was first spotted around 2020, and in the past, was known for targeting Windows-powered devices, but in late July 2024, security researchers saw a Linux variant targeting VMware ESXi environments.

In a technical breakdown, Trend Micro's Threat Hunting team said at the time that it was the first time Play was seen targeting ESXi environments, and it could be that the criminals are broadening their attacks across the Linux platform.

Via The Register

======================================================================
Link to news story:
https://www.techradar.com/pro/security/fbi-warns-play-ransomware-hackers-have-hit-nearly-a-thousand-us-firms

--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
(c) 1994, bbs@darkrealms.ca