
CISA Releases TTPs & IoCs for Play Ransomware That Hacked 900+ Orgs



The Cybersecurity and Infrastructure Security Agency (CISA), alongside the Federal Bureau of Investigation (FBI) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), has released detailed Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) for the notorious Play ransomware group.

As of May 2025, the FBI has identified approximately 900 entities allegedly exploited by these threat actors, underscoring the significant scale and impact of this ransomware variant across North America, South America, and Europe since its emergence in June 2022.

Also known as Playcrypt, this ransomware group has been among the most active in 2024, targeting a broad spectrum of businesses and critical infrastructure with a sophisticated double extortion model.

The advisory, updated on June 4, 2025, details how Play ransomware actors gain initial access by exploiting vulnerabilities in public-facing applications, such as FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ...


Copyright of this story solely belongs to gbhackers.