#StopRansomware: Play Ransomware
ID: 256bdc93-7949-5146-9d34-5ca932cffff0
STIX ID: report--256bdc93-7949-5146-9d34-5ca932cffff0
Feed Name: CISA Cybersecurity Advisories
This joint FBI/CISA/ASD advisory documents the Play (Playcrypt) ransomware group's widespread double-extortion operations affecting organizations across multiple regions. It details initial access vectors (valid account abuse, RDP/VPN, and exploitation of multiple CVEs, including in FortiOS, Microsoft Exchange, and SimpleHelp), the tooling used for discovery, defense evasion, and lateral movement (Grixba infostealer, Cobalt Strike, Mimikatz, SystemBC), and the group's exfiltration and intermittent AES‑RSA encryption behavior (including an ESXi variant). It also provides IOCs (file hashes, keys), YARA/Suricata detection rules, prioritized mitigations, and reporting guidance.
