
FBI Issues Critical Cyberattack Alert - Act Now As Victims Skyrocket

Published 23 hours ago. 7 minute read.

FBI issues Play ransomware warning as attacks multiply. (Photo: NurPhoto via Getty Images)

Update, June 7, 2025: This story, originally published on June 5, has been updated with a new FBI warning regarding yet another critical cyberattack, known as BADBOX 2.0, as well as additional technical information regarding the original Play ransomware joint cybersecurity advisory and the Balloonfly cybercrime group, which is known to be associated with the threat itself.

The Federal Bureau of Investigation has issued a joint cybersecurity advisory in conjunction with the U.S. Cybersecurity and Infrastructure Security Agency, as the number of confirmed observed victims of Play ransomware attacks skyrocketed in May. The threat actors have, the FBI warned, impacted victims covering a broad spectrum of organisations, including businesses as well as critical infrastructure providers, in both North and South America, as well as across Europe. Here’s what you need to know and, more importantly, do to mitigate the chances of your organisation becoming the next on the list.


As part of a joint effort between the FBI, CISA and the Australian Cyber Security Centre, the latest update to the Play ransomware cybersecurity advisory comes as a result of new investigations this year that have uncovered an evolution of the cybercriminal group’s tactics, techniques and procedures. In May, the FBI confirmed that it had become aware of 900 organizations that had been exploited by the crime gang and had fallen victim to Play ransomware attacks. To put that in perspective, it is three times the number reported when the FBI last released such information.

The joint critical cybersecurity advisory, which forms part of the ongoing Stop Ransomware campaign, aims to help organizations best defend themselves against attacks by keeping them informed of changes to the aforementioned tactics, techniques, and procedures, as well as new indicators of compromise that can be useful in attack detection efforts.

Advisory AA23-352A warned that Play is thought to be a closed ransomware group, acting alone to “guarantee the secrecy of deals” when it comes to the exfiltrated data that is held to ransom. The ransom notes left with the victim do not, the advisory stated, “include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.” Those emails use one of two German email domains, but the actual email address is unique in every case. “A portion of victims are contacted via telephone,” the FBI said, “and are threatened with the release of the stolen data and encouraged to pay the ransom.” These tactics are designed to push the victim straight onto a negotiation footing where the attacker has the upper hand.


Play ransomware is thought to be linked to Andariel, a North Korean state-sponsored attack group known to be part of the Democratic People’s Republic of Korea’s Reconnaissance General Bureau, and to be distributed by threat groups including Balloonfly. Researchers have expressed the opinion that Play forms an “integral part” of the Andariel cyberattack arsenal.

Using a malware backdoor to infect Windows systems, Balloonfly has been linked to multiple incidents involving the deployment of Play ransomware, according to Symantec Threat Hunter researchers, mostly against businesses across the U.S. and Europe.

The Microsoft Threat Intelligence Center and Microsoft Security Response Center previously found Play ransomware being deployed after threat actors used a zero-day security vulnerability in the Windows Common Log File System. That vulnerability, CVE-2025-29824, was mitigated by the April Patch Tuesday release. Other vulnerabilities known to have been exploited by the Play ransomware attackers include CVE-2022-41040 and CVE-2022-41082, which affected Microsoft Exchange Server, and CVE-2020-12812 and CVE-2018-13379, which impacted Fortinet’s FortiOS. All of these have been patched, but it bears repeating: if you haven’t applied those patches yet, you need to do so as a matter of critical urgency.

The FBI security advisory also confirmed that Play ransomware attackers are gaining initial access by exploiting “external-facing services such as Remote Desktop Protocol and Virtual Private Networks.” Once inside a network, Play ransomware actors move laterally by employing well-known command and control applications such as Cobalt Strike and SystemBC, alongside tools including PsExec. “Once established on a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access,” the FBI warned.


Sometimes, far too often in fact, it can feel like every day is a critical attack warning day when you work in the cybersecurity field. And so, I’m sorry to have to report that the FBI has issued yet another cybersecurity alert, number I-060525-PSA, that consumers in particular need to pay very close attention to. This one involves what the FBI advisory refers to as home internet-connected devices, or what normal people would call smart devices, and an ongoing threat of compromise by cybercriminals using them for malicious purposes through something known as the BADBOX 2.0 botnet.

The cybersecurity advisory, this time in conjunction with the Internet Crime Complaint Center, better known as IC3, exists to warn the public about ongoing attacks that are targeting everything from streaming devices and digital picture frames to third-party aftermarket automobile infotainment systems and other home smart devices. The commonality between them, apart from being targeted by the BADBOX 2.0 threat actors, is that the vast majority cite China as the country of manufacture. This is important because, the FBI said, the cybercriminals are often gaining access to home networks by “configuring the product with malicious software prior to the user’s purchase.” However, infections can also occur during mandatory software downloads and updates in the initial setup process that install a malicious backdoor, the FBI warned.

BADBOX itself was first observed during 2023 before the campaign was successfully disrupted a year later; at the time, it targeted devices running the Android operating system and, once again, infected them during the supply process. This new, ongoing and equally dangerous campaign has already compromised “millions of infected devices,” according to the FBI advisory, and the threat actors behind it are exploiting these by “selling or providing free access to compromised home networks to be used for various criminal activity.”

“The BADBOX 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the uptick in types of devices targeted,” Gavin Reid, chief information security officer at bot detection experts HUMAN, said, “the number of devices infected, the different types of fraud conducted, and the complexity of the scheme.”


The FBI cybersecurity advisory recommended that members of the public be on the lookout for the following indicators of compromise related to Chinese-manufactured smart home devices and aftermarket vehicle infotainment systems.

I would recommend that you ensure all of your operating systems, software and firmware are up to date, across all devices including your routers. “Timely patching is one of the most efficient and cost-effective steps to minimize exposure to cybersecurity threats,” the FBI said, “prioritize patching firewall vulnerabilities and known exploited vulnerabilities in internet-facing systems.”


The Play ransomware campaign shows no sign of slowing down. For that to happen, organizations need to up their game and get their defenses in order. Erecting mitigation barricades is the only answer to such determined ransomware actors.

The FBI has recommended the following mitigating actions to be taken as a matter of some urgency:
