Advisory Highlights Evolving Threats from Play Ransomware Group

The American Hospital Association (AHA) has issued a warning to hospitals and healthcare organizations regarding an increase in double-extortion attacks by the Play ransomware group. This advisory follows a recent joint alert released by U.S. and Australian cybersecurity agencies outlining the group’s evolving tactics.
According to the FBI, approximately 900 organizations have fallen victim to the Play ransomware, also identified as Playcrypt, as of May 2025. The targeted entities span various sectors and include crucial infrastructure in North America, South America, and Europe. The FBI has highlighted that this group was among the most active ransomware threats last year.
Scott Gee, AHA’s deputy national adviser for cybersecurity and risk, noted that since its emergence in 2022, Play has increasingly focused on healthcare institutions worldwide. He emphasized the group’s potential to significantly disrupt care delivery, not only through direct attacks on hospitals but also by targeting essential third-party suppliers.
The recent warning underscores the group’s dynamic methodologies, which healthcare cybersecurity teams must stay vigilant against. Gee commented that as adversaries adapt their tactics, it is crucial for organizations to keep pace with these changes. The double-extortion strategy employed by Play, which combines data theft with system encryption, represents a severe risk to healthcare providers.
Insights on Evolving Threats
This advisory builds on earlier notifications about Play ransomware from December 2023. Notable updates include the group’s implementation of unique email addresses for communications and telephonic threats to victims regarding the release of stolen data if ransoms are not paid.
Play typically gains access to network systems by exploiting valid credentials, likely acquired from dark web marketplaces, and by taking advantage of vulnerabilities in products such as Fortinet appliances and Microsoft Exchange. Additionally, the group is now reportedly collaborating with initial access brokers who capitalize on vulnerabilities identified within popular remote management tools.
The Play ransomware actors utilize command-and-control tools, such as Cobalt Strike, to assist with lateral movement within victim networks. Upon establishing a foothold, they often exploit unsecured credentials to gain deeper access and deploy sophisticated techniques for exfiltration and encryption. Disturbingly, the ransomware binaries are being recompiled for each attack, generating unique hashes that challenge conventional detection measures.
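The point about recompiled binaries deserves a concrete illustration: an exact-hash blocklist fails the moment a single byte of a file changes, while a similarity measure over the file's content still recognises a near-duplicate. The following Python script is an added example written for this article, not code from the AHA advisory or from any vendor; the two "binaries" are constructed byte strings (a shared pseudo-random core plus a build tag that differs by two bytes), not real samples, and the n-gram Jaccard score is a deliberately simple stand-in for production similarity hashes such as ssdeep or TLSH.

```python
import hashlib
from typing import Set

# Constructed stand-in "binaries" (not real samples): a shared pseudo-random
# 512-byte core plus a short build tag that changes on each recompilation.
CORE = b"".join(hashlib.sha256(b"constructed-core-%d" % i).digest() for i in range(16))
BUILD_A = CORE + b"BUILD:20250501"   # first compilation, the sample a defender already has
BUILD_B = CORE + b"BUILD:20250519"   # recompiled for the next attack; only 2 bytes differ


def sha256_hex(data: bytes) -> str:
    """Exact-match hash of the kind distributed in indicator feeds."""
    return hashlib.sha256(data).hexdigest()


def ngram_set(data: bytes, n: int = 8) -> Set[bytes]:
    """All overlapping n-byte windows of the file; the basis of a simple similarity score."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard_similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Share of n-grams two files have in common (0.0 = nothing shared, 1.0 = identical)."""
    sa, sb = ngram_set(a, n), ngram_set(b, n)
    return len(sa & sb) / len(sa | sb)


def exact_hash_match(sample: bytes, blocklist: Set[str]) -> bool:
    """Conventional detection: block only if the exact SHA-256 is on the list."""
    return sha256_hex(sample) in blocklist


def similarity_match(sample: bytes, known_bad: bytes, threshold: float = 0.9) -> bool:
    """Similarity-based detection: flag files that are near-duplicates of a known sample."""
    return jaccard_similarity(sample, known_bad) >= threshold


def compare_detections() -> dict:
    """Run both detectors against the recompiled build, knowing only build A in advance."""
    blocklist = {sha256_hex(BUILD_A)}
    return {
        "hash_differs": sha256_hex(BUILD_A) != sha256_hex(BUILD_B),
        "exact_hash_catches_rebuild": exact_hash_match(BUILD_B, blocklist),
        "similarity_score": round(jaccard_similarity(BUILD_A, BUILD_B), 3),
        "similarity_catches_rebuild": similarity_match(BUILD_B, BUILD_A),
    }


if __name__ == "__main__":
    for key, value in compare_detections().items():
        print(f"{key}: {value}")
```

Running the script shows the two SHA-256 digests are completely different and the blocklist misses the rebuilt file, while the n-gram similarity stays above 0.99 and the rebuilt file is still flagged. The practical lesson for hospital security teams is that per-attack recompilation defeats hash-only indicator matching, so detection needs to lean on similarity hashing, behavioural telemetry (for example Cobalt Strike beaconing and mass file encryption) and the hardening measures the advisory lists.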
The AHA indicated that Play operates as a closed entity, employing a double-extortion framework in which the ransom note states no initial ransom amount and instead directs victims to initiate contact via email for negotiations. Organizations—especially those in the healthcare sector—are strongly advised to reinforce their defenses against such threats.
Critical cybersecurity measures include addressing known vulnerabilities leveraged by Play, timely software updates, regular assessments, and implementing multifactor authentication across all services, particularly for remote access scenarios. Effective strategies, such as phishing-resistant authentication techniques and stringent access controls, are essential in fortifying defenses against ransomware attacks.