Latest news with #PlayRansomware


Forbes
5 days ago
FBI Issues Critical Cyberattack Alert — Act Now As Victims Skyrocket
FBI issues Play ransomware warning as attacks multiply. The Federal Bureau of Investigation has issued a joint cybersecurity advisory in conjunction with the U.S. Cybersecurity and Infrastructure Security Agency, as the number of confirmed observed victims of Play ransomware attacks skyrocketed in May. The threat actors have, the FBI warned, impacted victims covering a broad spectrum of organisations, including businesses as well as critical infrastructure providers, in both North and South America, as well as across Europe. Here's what you need to know and, more importantly, do to mitigate the chances of your organisation becoming the next on the list.

As part of a joint effort between the FBI, CISA and the Australian Cyber Security Centre, the latest update to the Play ransomware cybersecurity advisory comes as a result of new investigations this year that have uncovered an evolution of the cybercriminal group's tactics, techniques and procedures. In May, the FBI confirmed that it had become aware of 900 organizations that had been exploited by the crime gang and had fallen victim to Play ransomware attacks. To put that in some perspective, it is three times the number when the FBI last released such information. The joint critical cybersecurity advisory, which forms part of the ongoing Stop Ransomware campaign, aims to help organizations best defend themselves against attacks by keeping them informed of changes to the aforementioned tactics, techniques, and procedures, as well as new indicators of compromise that can be useful in attack detection efforts. Advisory AA23-352A warned that Play is thought to be what is known as a closed ransomware group actor, acting alone to 'guarantee the secrecy of deals' when it comes to the exfiltrated data that is held to ransom.

The ransom notes that are left with the victim do not, the advisory stated, 'include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.' Those emails use one of two German email domains, but the actual email address is unique in every case. 'A portion of victims are contacted via telephone,' the FBI said, 'and are threatened with the release of the stolen data and encouraged to pay the ransom.' These tactics are designed to lead the victim straight onto a negotiation footing where the attacker has the upper hand.

Thought to be linked to a North Korean state-sponsored attack group, one that is known to be part of the Democratic People's Republic of Korea's 'Reconnaissance General Bureau,' the Play ransomware campaign shows no sign of slowing down. For that to happen, organizations need to up their game and get their defenses in order. Erecting mitigation barricades is the only answer to such determined ransomware actors. The FBI has recommended the following mitigating actions to be taken as a matter of some urgency:


Forbes
08-05-2025
Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
Play ransomware exploited Windows zero-day. The ransomware threat is far from over, despite the internal private communications of some of the cybercriminal gangs being leaked, snitches being offered big bucks for information on gang members, and the childishness of DOGE-trolling attackers demanding $1 trillion payments. If you want evidence of this, look no further than a recent report confirming a 5,365 ransomware rampage. Now it has been revealed that the Play ransomware malware has been used by cybercrime groups exploiting a Windows zero-day vulnerability in attacks across multiple countries, including the U.S., although not all were successful. Here's what you need to know.

A joint investigation by the Microsoft Threat Intelligence Center and Microsoft Security Response Center found that a zero-day vulnerability in the Windows Common Log File System had been exploited by Play ransomware attackers before the elevation of privilege issue was fixed by the April Patch Tuesday security update. Targets included real estate and information technology organizations in the U.S., the retail sector in Saudi Arabia, and software in Spain. Now, the Symantec Threat Hunter Team has published an in-depth technical exploration of another, this time unsuccessful, Play ransomware attack exploiting the same CVE-2025-29824 zero-day against an as yet unnamed U.S. company.

The Microsoft threat report confirmed that the original attacks had been facilitated by the use of the PipeMagic malware backdoor and attributed them to a threat actor identified as Storm-2460, although no further information has been provided regarding this group. The Symantec Threat Hunter report, meanwhile, has attributed the latest attacks to a cybercrime group identified as Balloonfly, which is linked to multiple incidents involving Play ransomware deployed against businesses in North America, South America and Europe.

'While the use of zero-day vulnerabilities by ransomware actors is rare,' Symantec said, 'it is not unprecedented.' The good news is that the Balloonfly attack, Symantec said, occurred before the Windows patch was released. So, at the risk of stating the obvious, patch management is the best mitigation against falling victim to the Play ransomware menace. At least, that is, as far as this exploit route is concerned. CVE-2025-29824 is a use-after-free memory vulnerability in the Windows Common Log File System driver that can allow an unauthorized attacker to elevate their system privileges locally.