FBI Warns of Escalating AI-Driven Play Ransomware Attacks Targeting Nearly 1,000 U.S. Firms

The FBI has issued an updated advisory warning that Play Ransomware (Playcrypt) has breached approximately 900 U.S. organizations to date. Known for its triple-extortion tactics, the group not only encrypts and exfiltrates sensitive data but now makes direct phone calls to victims. This is a rare and aggressive method aimed at intensifying pressure to pay ransoms. 

First observed in 2020, Play Ransomware has since evolved. It recently expanded its attack surface to include Linux-based VMware ESXi environments, a notable shift from its earlier focus on Windows systems. In July 2024, security researchers at Trend Micro reported the group’s first documented attack on ESXi, signaling broader intentions to target enterprise virtual infrastructures.

Key developments highlighted in the advisory include: 

  • In addition to known flaws, Play has added SimpleHelp’s CVE-2024-57727 to its arsenal, enabling remote code execution (RCE). 
  • Play’s ransomware payload is recompiled for every attack, generating unique file hashes, which severely hampers traditional antivirus and malware detection. 
  • Victims are contacted via @gmx.de or @web.de email addresses and then by phone, pushing the boundaries of psychological extortion. 
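The second bullet explains why per-attack recompilation defeats hash-based antivirus: every build produces a file with a different hash, so a blocklist of previously seen hashes never matches the next build. The following Python example, added here and not code from the advisory, TechRadar or any Play sample, illustrates that gap with two constructed byte strings standing in for two builds of the same payload. The `BUILD_A`/`BUILD_B` contents, the `SIGNATURE` patterns and the function names are all assumptions made for the demonstration; they show the general principle (exact-hash IoCs miss a rebuilt file while a content pattern still matches), not any real indicator.

```python
import hashlib
import re

# Constructed stand-ins for two builds of the same payload (NOT real samples).
# Per the advisory, each build is recompiled, so the bytes and therefore the
# hash differ while the behaviour-bearing strings stay the same. Here the only
# difference is a hypothetical build-date string.
BUILD_A = b"MZ\x90\x00" + b"build=20250601;" + b"encrypt_files;drop_note;" + b"\x00" * 16
BUILD_B = b"MZ\x90\x00" + b"build=20250722;" + b"encrypt_files;drop_note;" + b"\x00" * 16


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file image, the form most hash IoCs take."""
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_match(sample: bytes, blocklist: set) -> bool:
    """Classic hash-IoC check: matches only the exact bytes seen before."""
    return sha256_hex(sample) in blocklist


# Hypothetical content signature: byte patterns that must all be present.
# Patterns like these survive recompilation because they describe strings the
# code needs at runtime rather than the exact file image.
SIGNATURE = [re.compile(rb"encrypt_files"), re.compile(rb"drop_note")]


def content_signature_match(sample: bytes, patterns=SIGNATURE) -> bool:
    """Pattern-based check: true when every signature pattern is found."""
    return all(p.search(sample) for p in patterns)


def evaluate(known: bytes, new: bytes) -> dict:
    """Run both strategies against a previously seen build (known) and a
    freshly recompiled build (new) and report which one catches which."""
    blocklist = {sha256_hex(known)}  # what an AV hash feed would hold
    return {
        "hash_catches_known": hash_blocklist_match(known, blocklist),
        "hash_catches_new": hash_blocklist_match(new, blocklist),
        "signature_catches_known": content_signature_match(known),
        "signature_catches_new": content_signature_match(new),
    }


if __name__ == "__main__":
    for name, hit in evaluate(BUILD_A, BUILD_B).items():
        print(f"{name}: {hit}")
```

Running the block shows the hash blocklist detecting only the build it was derived from, while the content signature detects both. In practice this is the argument for pairing hash IoCs with behavioural and pattern-based detection (file-content rules, process and network telemetry) rather than relying on hashes alone when the adversary rebuilds per victim.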

As AI-powered threat actors become more agile and personalized in their campaigns, experts warn that enterprises must adopt proactive AI-integrated security frameworks and ensure continuous vulnerability patching across all systems. 

The FBI’s advisory serves as a critical reminder that modern ransomware groups are leveraging AI-enhanced tactics and evolving infrastructure exploits. This makes them among the most formidable cyber threats in 2025. Organizations are urged to update detection tools, strengthen RMM security, and prepare incident response protocols to mitigate risks.

Source: 

https://www.techradar.com/pro/security/fbi-warns-play-ransomware-hackers-have-hit-nearly-a-thousand-us-firms  