The latest government advisory from CISA highlights that Play is now using a new software vulnerability (CVE-2024-57727) in a tool called SimpleHelp, which is often used by IT teams to manage computers remotely. Once Play gets in, they use PowerShell (a common admin tool) to take control, which means they’re blending in with normal activity and avoiding many traditional defenses.
Even more worrying, the ransomware itself is custom-built for every attack. That means tools that rely on spotting known malware files won’t work — because there are no reused files to detect. Every attack looks different on the surface.
So, if your defenses are based on known threats and fixed indicators, they may already be out of date. To stop Play now, you need security that looks for behavior, not just files.
New clues for detection: what to watch for now
One of the biggest changes in how Play ransomware operates is the use of custom tools (many of which have only recently been spotted in the wild). These tools are designed to steal sensitive data, shut down security systems, and quietly move through your network before encryption ever begins.
Some examples flagged by the FBI and CISA:
- HRsword.exe: shuts down antivirus protections so Play can operate unnoticed.
- Grixba: gathers information about your network and security tools.
- Usysdiag.exe: tampers with Windows certificate settings, potentially weakening system trust.
- Custom PsExec: a modified version of a well-known tool used for remote command execution.
What’s critical here is that these aren’t random hacking tools. They are purpose-built to work together, allowing Play to quietly disable defenses, find valuable data, and prepare for encryption without triggering alerts.
Security teams need to move beyond basic threat signatures and instead focus on detecting suspicious behaviors like:
- Tools that suddenly start scanning your Active Directory.
- Files being compressed in large volumes (a sign of data theft).
- Unusual remote access activity using legitimate-looking tools.
If your security operations team isn’t yet looking for these patterns across network traffic and identity activity, it’s time to upgrade your detection strategy.
The pressure tactics are escalating
Play isn’t just using more advanced tools, they’re also getting more aggressive with their victims. Once inside a company’s network, Play follows a double-extortion strategy: they steal data before encrypting it, then demand payment not just to unlock systems, but to prevent public leaks.
What’s new in 2025 is how personal their pressure tactics have become.
According to the updated CISA advisory:
- Victims receive ransom notes via email, but these don’t include payment instructions. Instead, companies are told to contact a unique email address (ending in @gmx.de or @web.de).
- In many cases, threat actors call the company directly (often using publicly available numbers like customer support lines) to pressure employees into responding and paying.
This marks a shift from technical extortion to human-driven harassment. It adds a layer of stress and confusion, especially when employees outside the security team are targeted.
For CISOs, this means two things:
- Incident response planning must include communications and HR, not just IT. Help desk and support teams should know how to recognize and report suspicious calls or emails.
- Legal and PR preparation is now essential. If Play follows through on data leak threats, the fallout won’t just be technical. It could impact brand trust, compliance, and customer relationships.
The takeaway? Play is evolving from a ransomware group to a fully operational extortion business, using every angle (technical, emotional, and reputational) to force payment.
ESXi servers are now a prime target
Play isn’t just going after Windows machines anymore. Their latest attacks include a version of their ransomware specifically designed to hit VMware ESXi servers: the systems many organizations use to run virtual machines.
Why this matters: ESXi environments often host critical business services, and attackers know that if they bring those down, they have maximum leverage to demand payment.
Here’s what the updated CISA report reveals about Play’s ESXi tactics:
- The ransomware shuts down all running virtual machines before encrypting files (this ensures maximum disruption).
- It targets specific file types related to virtual machines (like .vmdk, .vmem, and .nvram).
- It places a custom ransom note directly into the system and even changes the ESXi login message to show the ransom demand.
- Like the Windows version, this ESXi variant is custom-built for each victim, making it harder to detect using traditional antivirus or static rules.
This is a major development. Many security tools still struggle with visibility and protection inside ESXi environments — especially agent-based ones that aren’t designed for hypervisors.
How Vectra AI helps you detect and stop Play
Play ransomware’s new tactics (custom tooling, behavior evasion, ESXi targeting, and psychological pressure) show just how quickly attackers are adapting.
The truth is, most traditional tools can't keep up. Static IOCs, file-based detection, and basic antivirus weren’t built for this kind of threat.
That’s where the Vectra AI Platform makes the difference.
Unlike legacy tools that rely on spotting known malware, Vectra AI continuously analyzes behavior across your hybrid environment.
Here’s how that helps you stay ahead of Play:
Coverage across the entire hybrid attack surface
Play targets everything, from Active Directory and VPNs to cloud environments and ESXi servers. Vectra AI delivers agentless, real-time visibility across all of it. That includes:
- Monitoring identity activity across Azure AD and on-prem AD
- Observing lateral movement and privilege escalation inside the network
- Detecting abuse in virtualized environments like ESXi, even when traditional tools go blind
Clarity through AI-driven signal, not alert noise
When Play moves, it doesn’t trigger obvious alarms. It blends in, using stolen credentials and IT tools like PowerShell or PsExec. Vectra AI cuts through the noise with AI-driven behavioral analysis, spotlighting:
- Abnormal account behavior tied to known attacker patterns
- Suspicious file encryption and data staging activity
- Use of backdoors and custom tooling even if it’s never been seen before
Control to respond before impact
Play's custom binaries and per-target builds are designed to evade slow responders. Vectra AI empowers SOC teams with:
- Automatic prioritization of the highest-risk behaviors
- Context-rich detections that reduce time to investigation
- Actionable insights to contain threats early, before encryption begins
Ready to see how it works?
Watch a self-guided demo of the Vectra AI Platform and learn how you can detect and stop Play—before the encryption starts.