惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Troy Hunt's Blog
Latest news
Latest news
Vercel News
Vercel News
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
博客园 - Franky
P
Privacy International News Feed
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
S
Schneier on Security
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
T
Tor Project blog
Jina AI
Jina AI
GbyAI
GbyAI
The Hacker News
The Hacker News
博客园 - 叶小钗
Google DeepMind News
Google DeepMind News
T
Threatpost
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Scott Helme
Scott Helme
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Microsoft Azure Blog
Microsoft Azure Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
A
About on SuperTechFans
Recorded Future
Recorded Future
爱范儿
爱范儿
L
LangChain Blog
V
V2EX
C
Cybersecurity and Infrastructure Security Agency CISA
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
D
DataBreaches.Net
宝玉的分享
宝玉的分享
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
L
Lohrmann on Cybersecurity
Help Net Security
Help Net Security
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Play’s New Tactics Bypass Traditional Defenses. Are You Ready?
2025-06-12 · via Vectra AI Blog

The latest government advisory from CISA highlights that Play is now using a new software vulnerability (CVE-2024-57727) in a tool called SimpleHelp, which is often used by IT teams to manage computers remotely. Once Play gets in, they use PowerShell (a common admin tool) to take control, which means they’re blending in with normal activity and avoiding many traditional defenses.

Even more worrying, the ransomware itself is custom-built for every attack. That means tools that rely on spotting known malware files won’t work — because there are no reused files to detect. Every attack looks different on the surface.

So, if your defenses are based on known threats and fixed indicators, they may already be out of date. To stop Play now, you need security that looks for behavior, not just files.

New clues for detection: what to watch for now

One of the biggest changes in how Play ransomware operates is the use of custom tools (many of which have only recently been spotted in the wild). These tools are designed to steal sensitive data, shut down security systems, and quietly move through your network before encryption ever begins.

Some examples flagged by the FBI and CISA:

  • HRsword.exe: shuts down antivirus protections so Play can operate unnoticed.
  • Grixba: gathers information about your network and security tools.
  • Usysdiag.exe: tampers with Windows certificate settings, potentially weakening system trust.
  • Custom PsExec: a modified version of a well-known tool used for remote command execution.

What’s critical here is that these aren’t random hacking tools. They are purpose-built to work together, allowing Play to quietly disable defenses, find valuable data, and prepare for encryption without triggering alerts.

Security teams need to move beyond basic threat signatures and instead focus on detecting suspicious behaviors like:

  • Tools that suddenly start scanning your Active Directory.
  • Files being compressed in large volumes (a sign of data theft).
  • Unusual remote access activity using legitimate-looking tools.

If your security operations team isn’t yet looking for these patterns across network traffic and identity activity, it’s time to upgrade your detection strategy.

The pressure tactics are escalating

Play isn’t just using more advanced tools, they’re also getting more aggressive with their victims. Once inside a company’s network, Play follows a double-extortion strategy: they steal data before encrypting it, then demand payment not just to unlock systems, but to prevent public leaks.

What’s new in 2025 is how personal their pressure tactics have become.

According to the updated CISA advisory:

  • Victims receive ransom notes via email, but these don’t include payment instructions. Instead, companies are told to contact a unique email address (ending in @gmx.de or @web.de).

Ransomware note from play showing a simple email address the victim needs to contact

Source: ransomware.live
  • In many cases, threat actors call the company directly (often using publicly available numbers like customer support lines) to pressure employees into responding and paying.

This marks a shift from technical extortion to human-driven harassment. It adds a layer of stress and confusion, especially when employees outside the security team are targeted.

For CISOs, this means two things:

  1. Incident response planning must include communications and HR, not just IT. Help desk and support teams should know how to recognize and report suspicious calls or emails.
  2. Legal and PR preparation is now essential. If Play follows through on data leak threats, the fallout won’t just be technical. It could impact brand trust, compliance, and customer relationships.

The takeaway? Play is evolving from a ransomware group to a fully operational extortion business, using every angle (technical, emotional, and reputational) to force payment.

ESXi servers are now a prime target

Play isn’t just going after Windows machines anymore. Their latest attacks include a version of their ransomware specifically designed to hit VMware ESXi servers: the systems many organizations use to run virtual machines.

Why this matters: ESXi environments often host critical business services, and attackers know that if they bring those down, they have maximum leverage to demand payment.

Here’s what the updated CISA report reveals about Play’s ESXi tactics:

  • The ransomware shuts down all running virtual machines before encrypting files (this ensures maximum disruption).
  • It targets specific file types related to virtual machines (like .vmdk, .vmem, and .nvram).
  • It places a custom ransom note directly into the system and even changes the ESXi login message to show the ransom demand.
  • Like the Windows version, this ESXi variant is custom-built for each victim, making it harder to detect using traditional antivirus or static rules.

This is a major development. Many security tools still struggle with visibility and protection inside ESXi environments — especially agent-based ones that aren’t designed for hypervisors.

How Vectra AI helps you detect and stop Play

Play ransomware’s new tactics (custom tooling, behavior evasion, ESXi targeting, and psychological pressure) show just how quickly attackers are adapting.

The truth is, most traditional tools can't keep up. Static IOCs, file-based detection, and basic antivirus weren’t built for this kind of threat.

That’s where the Vectra AI Platform makes the difference.

Unlike legacy tools that rely on spotting known malware, Vectra AI continuously analyzes behavior across your hybrid environment.

Here’s how that helps you stay ahead of Play:

Coverage across the entire hybrid attack surface

Play targets everything, from Active Directory and VPNs to cloud environments and ESXi servers. Vectra AI delivers agentless, real-time visibility across all of it. That includes:

  • Monitoring identity activity across Azure AD and on-prem AD
  • Observing lateral movement and privilege escalation inside the network
  • Detecting abuse in virtualized environments like ESXi, even when traditional tools go blind

Clarity through AI-driven signal, not alert noise

When Play moves, it doesn’t trigger obvious alarms. It blends in, using stolen credentials and IT tools like PowerShell or PsExec. Vectra AI cuts through the noise with AI-driven behavioral analysis, spotlighting:

  • Abnormal account behavior tied to known attacker patterns
  • Suspicious file encryption and data staging activity
  • Use of backdoors and custom tooling even if it’s never been seen before

Control to respond before impact

Play's custom binaries and per-target builds are designed to evade slow responders. Vectra AI empowers SOC teams with:

  • Automatic prioritization of the highest-risk behaviors
  • Context-rich detections that reduce time to investigation
  • Actionable insights to contain threats early, before encryption begins

Ready to see how it works?

Watch a self-guided demo of the Vectra AI Platform and learn how you can detect and stop Play—before the encryption starts.