Expert Advice: How Play Ransomware Exploits RMM Tools in Healthcare

The American Hospital Association has issued a serious warning:

Play ransomware is actively targeting healthcare organizations, exploiting vulnerabilities in remote monitoring and management (RMM) tools. This is not a theoretical risk. It’s a real, evolving threat that bypasses traditional detection methods and puts patient data, operations, and trust on the line.

Understanding how Play works, and why its tactics are uniquely dangerous, is the first step toward better protection.

What is Play Ransomware?

Play ransomware, also known as Playcrypt, is a malicious software strain first identified in 2022. Since its emergence, it has impacted a wide range of organizations across North America, South America, and Europe, including public institutions, critical infrastructure, and global brands.

It’s not just the damage that makes Play dangerous. It’s how it operates.

How Play Ransomware Works

1. Double Extortion

Play actors use a two-phase attack: first they steal sensitive data, then they encrypt systems. Victims are threatened with public data leaks if they don’t pay the ransom.

2. No Fixed Ransom Demand

Unlike most ransomware operations, Play does not present a clear ransom amount or automated payment site. Victims are told to reach out via email. In some cases, attackers initiate contact directly, even by phone.

3. Intermittent Encryption

Instead of locking every file, Play encrypts only portions—enough to render them unusable but light enough to bypass many legacy security tools.

4. Tool-Based Infiltration

Play ransomware operators leverage legitimate administrative tools, including:

  • Cobalt Strike
  • PsExec
  • Mimikatz
  • AdFind and BloodHound

These are used to move laterally, collect credentials, map networks, and disable defenses. In several cases, Play has also been observed targeting VMware ESXi environments.

A Critical Entry Point: RMM Tools

Play actors often gain initial access by exploiting vulnerabilities in public-facing systems such as RDP, VPNs, and especially RMM tools, which healthcare organizations use widely to manage distributed devices and infrastructure.

Once compromised, RMMs give attackers direct access to sensitive systems, often with elevated privileges. The same tools healthcare relies on for efficiency can become a fast track for network-wide compromise.

The AHA’s warning highlights this vector as a high-priority risk.

The Ransomware-as-a-Service (RaaS) Operation

Play operates as a ransomware-as-a-service (RaaS) model. Affiliates, who are granted access to the malware, first exfiltrate sensitive documents, then deploy ransomware, using stolen data as leverage.

RaaS is a malicious version of the legitimate Software-as-a-Service (SaaS) business model. Instead of offering useful software, RaaS operators create and maintain ransomware platforms that they rent or sell to other cybercriminals, known as affiliates. This model lowers the barrier to entry, allowing attackers with limited technical skills to launch advanced ransomware campaigns. The result is a surge in the number and reach of potential threats.

A few factors set Play apart from other ransomware groups:

  • Email-only negotiation. There is no Tor site or formal payment portal. Victims are drawn into private, unpredictable negotiation channels.
  • Shadow volume theft. A custom Volume Shadow Copy Service (VSS) copying tool lets Play actors copy files from shadow copies, including files that are locked because another application has them open.
  • High-profile victims. Targets have included Rackspace, the City of Oakland, Dallas County, Arnold Clark, the Belgian city of Antwerp, Krispy Kreme, and Microchip Technology.

Recommended Mitigation Strategies

Based on guidance from the FBI, CISA, and the Australian Cyber Security Centre, along with Techio’s in-field expertise, here’s what healthcare IT leaders should prioritize:

1. Update and Patch

Immediately apply updates to all operating systems, RMM platforms, VPNs, and any public-facing services. Focus on known vulnerabilities in FortiOS, Microsoft Exchange, and similar services.

2. Secure Your RMM Environment

  • Limit access to authorized IPs
  • Remove unused or unnecessary accounts
  • Enforce strong authentication
  • Monitor for unusual activity
  • Disable remote features not in use

3. Enable MFA

Apply multifactor authentication across all systems, especially for administrator accounts, VPN access, and email platforms.

4. Run a Full Vulnerability Assessment

Scan your environment regularly and prioritize high-risk exposures, particularly in third-party tools and legacy systems.

5. Maintain and Test Backups

Ensure backups are offline, secure, and regularly tested for restoration. Avoid relying on shadow copies alone.

6. Prepare Your Incident Response Plan

Build and rehearse a clear ransomware response playbook. Define roles, communications, and legal protocols before an incident occurs.

7. Monitor for Lateral Movement

Implement endpoint detection and response (EDR) tools that go beyond signature-based detection. Watch for suspicious use of admin tools or file changes.
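As an added example that is not part of the article or the FBI/CISA guidance, here is a small Python detection run over constructed process-creation events: it flags the tools named above and any shell or tool launched by the RMM agent. The host names, users and the ExampleRMM agent path are assumed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed Sysmon-style process-creation events flattened to key=value lines.
# Hosts, users and the RMM agent path (ExampleRMM\agent.exe) are placeholders
# for this example; replace the marker below with your RMM vendor's agent binary.
SAMPLE_EVENTS = [
    r'ts=2024-05-01T02:14:07Z host=HIS-DB01 user=CORP\svc_rmm parent="C:\Program Files\ExampleRMM\agent.exe" image=C:\Windows\Temp\PsExec.exe',
    r'ts=2024-05-01T02:15:22Z host=HIS-DB01 user=CORP\svc_rmm parent=C:\Windows\System32\cmd.exe image=C:\Users\Public\AdFind.exe',
    r'ts=2024-05-01T02:16:40Z host=HIS-APP02 user=CORP\svc_rmm parent="C:\Program Files\ExampleRMM\agent.exe" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'ts=2024-05-01T09:01:03Z host=WS-0417 user=CORP\nurse01 parent=C:\Windows\explorer.exe image="C:\Program Files\ExampleEHR\client.exe"',
    r'ts=2024-05-01T02:18:11Z host=HIS-DB01 user=CORP\svc_rmm parent=C:\Windows\System32\cmd.exe image=C:\Users\Public\mimikatz.exe',
]

# Executables the article names as Play tooling for lateral movement,
# credential collection and AD mapping (SharpHound is BloodHound's collector).
ATTACK_TOOLS = {"psexec.exe", "psexec64.exe", "mimikatz.exe", "adfind.exe",
                "sharphound.exe", "bloodhound.exe"}
# Interpreters an RMM agent should almost never launch on a clinical server.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
RMM_AGENT_MARKER = r"examplermm\agent.exe"  # assumed placeholder agent name

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    host: str
    user: str
    image: str
    reasons: list = field(default_factory=list)

def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: list) -> list:
    """Return one Finding per event that matches a lateral-movement rule."""
    findings = []
    for line in events:
        ev = parse_event(line)
        image, parent = basename(ev.get("image", "")), ev.get("parent", "").lower()
        reasons = []
        if image in ATTACK_TOOLS:
            reasons.append("known lateral-movement/credential tool")
        if parent.endswith(RMM_AGENT_MARKER) and (image in SHELLS or image in ATTACK_TOOLS):
            reasons.append("spawned by RMM agent")
        if reasons:
            findings.append(Finding(ev["host"], ev["user"], image, reasons))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.image}: {'; '.join(f.reasons)}")
```

A renamed binary evades the name match, so in production pair this with hash or behavioural rules in your EDR; the RMM-parent rule still fires regardless of the child's name.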

8. Employee Training

Train staff to spot phishing emails, suspicious links, and social engineering tactics. Regular simulations and clear protocols help reduce human error and strengthen your first line of defense.

Conclusion

Per the AHA, “The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of health care.” This is not just a cybersecurity issue. It’s a care delivery issue.

Play ransomware is built to evade, escalate, and exploit. The longer vulnerabilities sit unaddressed, the greater the risk.

Need help assessing your current posture? Let’s help you identify RMM risks and strengthen the I/O foundation your systems rely on every day.

It’s time to audit, secure, and prepare.