Krispy Kreme: FBI Aware of 900 Organizations Hit by Play Ransomware

Play Ransomware Gang Hits 900 Victims in Three-Year Spree, Governments Warn

The Play ransomware gang, also known as Playcrypt, has compromised approximately 900 organizations since its emergence in June 2022, according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Australian Cyber Security Centre (ACSC). The group employs double-extortion tactics, encrypting systems while also exfiltrating sensitive data to pressure victims into paying ransoms.

Initially reported to have targeted around 300 victims by October 2023, Play has since escalated its operations, becoming one of the most active ransomware groups in 2024. The latest advisory, released in May 2025, highlights new tactics, techniques, and procedures (TTPs) observed in recent attacks, including the exploitation of three critical vulnerabilities in the SimpleHelp remote monitoring and management (RMM) software. Tracked as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, these flaws can be chained to gain administrator privileges and execute arbitrary code, fully compromising vulnerable systems.

Play’s operators evade detection by recompiling the ransomware for each attack, tailoring it to specific targets. Victims are contacted via unique email addresses (using @gmx.de or @web.de domains) or phone calls, with threat actors often routing extortion demands to publicly listed numbers, such as help desks or customer service lines. The advisory also warns of an ESXi variant of the ransomware, which shuts down virtual machines (VMs) and encrypts related files using randomly generated per-file keys. Like the Windows variant, the ESXi version is recompiled for each campaign and includes command-line flags for targeted encryption or debugging.

The joint advisory underscores Play’s growing threat as the group continues to refine its methods and expand its victim count.

Source: https://www.securityweek.com/fbi-aware-of-900-organizations-hit-by-play-ransomware/

Krispy Kreme cybersecurity rating report: https://www.rankiteo.com/company/krispy-kreme

{
  "id": "KRI1768390561",
  "linkid": "krispy-kreme",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "100",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [{"customers_affected": "900"}],
  "attack_vector": [
    "Exploitation of vulnerabilities in SimpleHelp RMM software",
    "Initial access brokers"
  ],
  "customer_advisories": "Victims contacted via email or phone for extortion purposes.",
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Personally identifiable information", "Financial data"]
  },
  "date_publicly_disclosed": "2023-12",
  "description": "The Play ransomware gang has made roughly 900 victims over the past three years, engaging in double-extortion tactics that include exfiltrating victims’ data and leveraging it for extortion, in addition to encrypting systems. The group is also known as Playcrypt and has been active since June 2022. The US and Australian governments released an updated advisory on the group's tactics, techniques, and procedures (TTPs).",
  "impact": {
    "brand_reputation_impact": true,
    "data_compromised": true,
    "identity_theft_risk": true,
    "operational_impact": "Encryption of critical files and VMs, leading to operational disruption",
    "systems_affected": ["Windows systems", "ESXi virtual machines"]
  },
  "initial_access_broker": {"entry_point": "Exploitation of SimpleHelp RMM software vulnerabilities"},
  "investigation_status": "Ongoing",
  "motivation": ["Financial gain", "Data extortion"],
  "post_incident_analysis": {"root_causes": ["Exploitation of unpatched vulnerabilities in SimpleHelp RMM software"]},
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransomware_strain": "Play (Playcrypt)"
  },
  "references": [
    {"date_accessed": "2025-05", "source": "CISA, FBI, and ACSC Advisory"},
    {"source": "Related Articles"}
  ],
  "response": {"communication_strategy": "Victims contacted via unique @gmx.de or @web.de emails, and some via phone for extortion"},
  "stakeholder_advisories": "US and Australian government agencies released updated TTPs and warnings about the Play ransomware gang.",
  "threat_actor": "Play ransomware gang (Playcrypt)",
  "title": "Play Ransomware Gang Activity",
  "type": "Ransomware",
  "vulnerability_exploited": ["CVE-2024-57727", "CVE-2024-57728", "CVE-2024-57726"]
}