
In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached around 900 organizations by May 2025, three times the number of victims reported in October 2023.
“Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. Play ransomware was one of the most active ransomware groups in 2024,” the FBI said.
“As of May 2025, the FBI was aware of approximately 900 affected institutions allegedly exploited by the ransomware actors.”
Today’s update also notes that the gang rebuilds its malware for every attack, making it harder for security solutions to detect and block it. Additionally, some victims have been contacted by phone and threatened into paying the ransom to prevent their stolen data from being leaked online.
Since the beginning of the year, initial access brokers linked to the Play ransomware operators have also exploited several vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) in remote monitoring and management (RMM) software in remote code execution attacks.
In one such incident, unknown threat actors targeted a vulnerable SimpleHelp RMM client to create admin accounts and backdoor the compromised system with a Sliver beacon, likely preparing it for a future ransomware attack.
Play ransomware-as-a-service (RaaS) operation
The Play ransomware gang came to light about three years ago, in June 2022, when its first victims sought help on the BleepingComputer forums. Before deploying the ransomware on a victim’s network, the gang steals sensitive documents from compromised systems and uses them to pressure the victim into paying the ransom.
However, unlike other ransomware operations, Play ransomware uses email as its negotiation channel and does not provide victims with a link to a Tor negotiation page.
The ransomware gang also uses a custom VSS copying tool that helps it steal files from shadow volume copies even when those files are in use by other applications.
Previous high-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland in California, Dallas County, car retail giant Arnold Clark, the Belgian city of Antwerp, and, more recently, doughnut chain Krispy Kreme and American semiconductor maker Microchip Technology.
Under the guidance issued by the FBI, CISA, and the Australian Cyber Security Centre, security teams are urged to prioritize patching vulnerabilities in their systems, software, and firmware to reduce the likelihood that unpatched flaws are exploited in Play ransomware attacks.
Defenders are also advised to enforce multifactor authentication (MFA) on all services, with a focus on VPN, webmail, and accounts with access to critical systems on their organization’s network.
Additionally, they should maintain offline data backups and develop and test a recovery routine as part of their organization’s standard security practices.


