Particle.news

Play Ransomware Gang Hits 900 Organizations with Evasive New Tactics

Agencies urge organizations to strengthen defenses after the group began exploiting SimpleHelp flaws alongside phone extortion tactics.

Overview

  • The FBI reports that Play ransomware had breached approximately 900 organizations by May 2025, tripling its victim count since October 2023.
  • Attackers have exploited unpatched vulnerabilities in SimpleHelp remote monitoring software (CVE-2024-57726, CVE-2024-57727, CVE-2024-57728) to gain initial access.
  • Each attack uses uniquely recompiled malware to evade detection by anti-malware tools in both Windows and VMware ESXi environments.
  • Operators steal sensitive documents and threaten to leak them, pressuring victims through email negotiations and direct phone threats.
  • A joint advisory from the FBI, CISA and the Australian Cyber Security Centre recommends prompt patching, multifactor authentication, network segmentation and offline backups.