CISA, the FBI, and international partners have issued urgent alerts warning that ransomware groups such as Phobos, Rhysida, Black Basta, and Play are aggressively and continuously targeting US critical infrastructure. These attacks, which frequently use double extortion, now threaten essential sectors such as water, energy, healthcare, and manufacturing by actively exploiting vulnerabilities, misconfigured remote desktop protocol (RDP) services, and virtual private networks.  

Key Threats and Targets 

  • CISA highlights ongoing ransomware threats targeting critical infrastructure, requiring urgent attention.  
  • Threat actors are focusing on water, energy, health care, public health, and manufacturing, underscoring the need for vigilance.  
  • Attackers are quickly exploiting compromised credentials, VPN vulnerabilities, and internet-connected programmable logic controllers (PLCs), posing an imminent threat.  

Recommended Mitigations 

CISA urges organizations to promptly implement these ransomware defenses.  

  • Enable multi-factor authentication (MFA) for all services, especially webmail, VPNs, and critical systems.  
  • Restrict RDP use, check for exposed ports, and secure VPNs.  
  • Keep offline encrypted backups of your data and test them regularly.  

Review stopransomware.gov guidance and report incidents to CISA or your FBI field office.  

This joint cybersecurity advisory is part of the ongoing #StopRansomware campaign, which provides network defenders with updates on ransomware variants and threat actors. These reports share both recent and historical tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations defend against ransomware. For more advisories and free resources, visit stopransomware.gov.  

Note: This advisory was originally published on December 18, 2023. Updates with dates are below:  

  • June 4, 2025, update. This advisory now details new tactics used by the Play Ransomware Group as of early 2025 and provides updated indicators of compromise to improve threat hunting. Updated IOCs have been removed.  

Update June 4, 2025 

The FBI, CISA, and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint advisory to share indicators of compromise and tactics identified by the FBI as recently as January 2025 for the Play ransomware group.  

End Update 

Since June 2022, the Play Ransomware Group, also known as Play Crypt, has impacted many businesses and critical infrastructure across North America, South America, and Europe. Play was among the most active ransomware groups in 2024.  

To reduce the risk of Play ransomware, organizations should take these steps.  

  • Prioritize remediating known exploited vulnerabilities.  
  • See guidance above on enabling MFA for webmail, VPNs, and critical accounts.  
  • Keep software up to date and run regular vulnerability assessments.  

Update June 4, 2025 

As of May 2025, the FBI was aware of about 900 organizations targeted by these ransomware attacks.  

End Update 

In Australia, the first reported Play ransomware case occurred in April 2023, and the most recent occurred in November 2023.  

Play Ransomware is a closed group, set up to ensure the secrecy of transactions, according to its leak website. The group uses double extortion: data theft followed by encryption. Victims receive extortion letters with no specific payment instructions and must contact the group by email.  

Update June 4, 2025 

Each target receives a unique @gmx.de or web[.]de email address to contact. Some are threatened with data release and pressured to pay.  

End Update 

The FBI, CISA, and ASD’s ACSC urge organizations to implement the mitigations outlined in this advisory to reduce ransomware risk and impact. Key steps include using multi-factor authentication, maintaining offline backups, having a recovery plan, and keeping all systems and software up to date.

Source: StopRansomware: Play Ransomware