Play’s New Tactics Bypass Traditional Defenses. Are You Ready? by Lucie Cardiet

ID: 481d76b0-fd16-5bf9-ad3e-147d31d39c03

STIX ID: report--481d76b0-fd16-5bf9-ad3e-147d31d39c03

Feed Name: Vectra AI Blog

Threat Score: 78/100

Date Published: 2025-06-12

Date Updated: 2026-05-01

...
...

Play ransomware is actively exploiting CVE-2024-57727 in SimpleHelp to gain remote access, then using PowerShell and custom-built tooling (e.g., HRsword.exe, Grixba, Usysdiag.exe, modified PsExec) to disable defenses, exfiltrate data, and deploy per-victim ransomware — including variants that target VMware ESXi. The group conducts double-extortion and increasingly uses direct human pressure (emails and phone calls); the report urges behavior-based detection across hybrid environments and highlights Vectra AI as a vendor solution.