CISA updates Play ransomware guidance as victim count nears 900

A joint CISA, FBI, and ASD advisory update says Play ransomware has hit roughly 900 entities and remains active across multiple regions and sectors.

What happened

CISA, the FBI, and the Australian Signals Directorate’s Australian Cyber Security Centre issued an updated advisory on Play ransomware in June 2025. The update says the group, also known as Playcrypt, has targeted businesses and critical infrastructure across North America, South America, and Europe since June 2022. According to the advisory, the FBI was aware of approximately 900 entities allegedly exploited by the group as of May 2025.

Why it matters

The operational significance is not just the victim count. The update reflects that Play remains active enough to justify refreshed public guidance, including new tactics, techniques, and procedures (TTPs) and updated indicators of compromise. When a long-running ransomware operation keeps generating updated joint advisories, that is usually a sign that defenders should treat it as a durable threat rather than yesterday’s campaign.

Who is affected

  • enterprises with exposed or weakly managed internet-facing systems
  • operators in critical infrastructure sectors
  • security teams relying on older detection logic or stale ransomware playbooks

What to watch next

  • whether further advisory updates describe meaningful shifts in access or extortion methods
  • whether sector-specific incidents begin attributing activity to Play or related infrastructure
  • whether organisations refresh detection coverage using the latest indicators and TTPs rather than older reporting

Verification status

This briefing is based on an official joint advisory update from CISA and partner agencies.