AHA Warns Healthcare Sector of Rising Ransomware Threat

Bisma Farrukh

June 12, 2025
Updated on June 12, 2025
The American Hospital Association (AHA) has issued a warning to hospitals and healthcare organizations about the growing threat posed by the Play ransomware group, also known as Playcrypt. The group is increasingly targeting the sector with double-extortion tactics.

This alert follows an updated joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre (ACSC) detailing Play’s latest methods. According to the FBI, as of May 2025, Play has compromised around 900 organizations across North America, South America, and Europe, including critical infrastructure and healthcare entities.

“Play ransomware poses a serious risk to care delivery, both through direct attacks and by targeting third-party suppliers,” said Scott Gee, AHA’s Deputy National Adviser for Cybersecurity and Risk.

What Is Play Ransomware?

Play is a double-extortion ransomware group that first emerged in 2022. It encrypts systems and steals sensitive data, pressuring victims to pay ransoms under the threat of public exposure. Its ransom notes do not include a demand amount; instead, they instruct victims to initiate contact via a unique email address at a domain such as @gmx[.]de or @web[.]de.

Some victims are contacted by phone and threatened with data leaks to push for payment.

Evolving Tactics

Recent intelligence highlights how Play gains initial access through:

  • Stolen credentials from the dark web
  • Exploitation of known vulnerabilities in Fortinet, Microsoft Exchange, RDP, and VPNs
  • Abuse of SimpleHelp remote monitoring tool vulnerabilities (CVE-2024-57727)

Once inside, Play uses tools like Cobalt Strike, SystemBC, PsExec, and Mimikatz to move laterally and escalate privileges. Its ransomware binaries are now custom-compiled for each attack, so every sample has a unique hash, which helps it evade antivirus detection.

Play is believed to be a closed group, limiting membership to maintain operational secrecy.

AHA and federal agencies urge organizations to take the following actions:

  • Patch all known vulnerabilities exploited by Play.
  • Update software and systems regularly.
  • Conduct routine vulnerability scans.
  • Implement phishing-resistant multi-factor authentication (MFA), particularly for webmail, VPNs, and systems handling sensitive data.

“Strong cybersecurity practices including MFA, VPN controls, and timely patching remain the best defense,” said Gee.

Healthcare providers are advised to stay alert and proactively strengthen their cyber defenses to reduce the risk of ransomware-related service disruptions and data breaches.

About The Author

Bisma Farrukh

Bisma is a seasoned writer passionate about topics like cybersecurity, privacy, and data breach issues. She has been working in the VPN industry for more than 5 years and loves to talk about security issues. She loves to explore books and travel guides in her leisure time.
