The American Hospital Association has issued a serious warning:
Play ransomware is actively targeting healthcare organizations, exploiting vulnerabilities in remote monitoring and management (RMM) tools. This is not a theoretical risk. It’s a real, evolving threat that bypasses traditional detection methods and puts patient data, operations, and trust on the line.
Understanding how Play works, and why its tactics are uniquely dangerous, is the first step toward better protection.
Play ransomware, also known as Playcrypt, is a malicious software strain first identified in 2022. Since its emergence, it has impacted a wide range of organizations across North America, South America, and Europe, including public institutions, critical infrastructure, and global brands.
It’s not just the damage that makes Play dangerous. It’s how it operates.
1. Double Extortion
Play actors use a two-phase attack: first they steal sensitive data, then they encrypt systems. Victims are threatened with public data leaks if they don’t pay the ransom.
2. No Fixed Ransom Demand
Unlike most ransomware operations, Play does not present a clear ransom amount or automated payment site. Victims are told to reach out via email. In some cases, attackers initiate contact directly, even by phone.
3. Intermittent Encryption
Instead of encrypting every byte of a file, Play encrypts only portions of it: enough to render the file unusable, but far faster than full encryption (which shrinks the window defenders have to react) and light enough to slip past legacy tools that judge a file by its whole-file entropy or by the volume of data rewritten.
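As an added illustration of why chunk-level inspection matters (this is example code written for this page, not Play's code and not anything from the AHA or CISA advisories), the Python below scrambles every fourth 4 KiB chunk of a constructed sample document with a seeded pseudo-random keystream, a stand-in for intermittent encryption rather than Play's actual cipher, and then compares whole-file entropy against per-chunk entropy. The 7.5 bits-per-byte threshold, the 4 KiB chunk size and the sample text are assumptions chosen for the demonstration.

```python
"""Chunked entropy check for partially (intermittently) encrypted files.

Added example for this article, not Play tooling. The partial-encryption
step is a constructed model (XOR with a seeded pseudo-random keystream on
every Nth chunk); it is NOT Play's cipher. Thresholds are assumptions.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # assumption: 4 KiB inspection window
HIGH_ENTROPY = 7.5     # assumption: bits/byte at or above this looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte-value histogram of `data` (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window; the last window may be shorter."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def partially_encrypt(data: bytes, every_nth: int = 4, seed: int = 1234,
                      chunk_size: int = CHUNK_SIZE) -> bytes:
    """Constructed model of intermittent encryption: XOR one chunk in every
    `every_nth` with a seeded keystream, leave the others as plaintext."""
    rng = random.Random(seed)
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk_size)):
        end = min(start + chunk_size, len(data))
        if idx % every_nth == 0:
            key = bytes(rng.getrandbits(8) for _ in range(end - start))
            out[start:end] = bytes(a ^ b for a, b in zip(data[start:end], key))
    return bytes(out)


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Whole-file verdict (what a legacy entropy check sees) next to a
    chunk-level verdict. A file with only some ciphertext chunks keeps a
    modest whole-file entropy, so only the chunk view flags it."""
    whole = shannon_entropy(data)
    per_chunk = chunk_entropies(data, chunk_size)
    high = sum(1 for e in per_chunk if e >= HIGH_ENTROPY)
    return {
        "whole_file_entropy": whole,
        "whole_file_flag": whole >= HIGH_ENTROPY,
        "chunks": len(per_chunk),
        "high_entropy_chunks": high,
        # Mixed result: some chunks look encrypted, others are plaintext.
        "partially_encrypted": 0 < high < len(per_chunk),
    }


# Constructed sample document (not real patient data): repetitive text, ~122 KiB.
SAMPLE_TEXT = (b"Patient intake form. Name, date of birth, attending physician, "
               b"allergies, medications, insurance carrier, emergency contact. ") * 1000


def demo():
    """Classify the clean sample and its partially scrambled copy."""
    return classify(SAMPLE_TEXT), classify(partially_encrypt(SAMPLE_TEXT))


if __name__ == "__main__":
    for label, verdict in zip(("clean", "partially encrypted"), demo()):
        print(f"{label:>20}: whole-file {verdict['whole_file_entropy']:.2f} bits/byte "
              f"(flag={verdict['whole_file_flag']}), "
              f"{verdict['high_entropy_chunks']}/{verdict['chunks']} chunks high, "
              f"partial={verdict['partially_encrypted']}")
```

Run it directly to print both verdicts. The point is that the whole-file figure stays well under the threshold while a quarter of the chunks read as ciphertext, which is the signal a chunk-aware file-integrity or EDR rule should key on. In production you would also weight the verdict by file type, since compressed or already-encrypted formats are high-entropy by nature.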
4. Tool-Based Infiltration
Play ransomware operators leverage legitimate administrative and dual-use tools rather than custom malware for most of the intrusion, using them to move laterally, collect credentials, map networks, and disable defenses. Because these tools are also used by real administrators, their presence alone does not raise an alarm; who runs them, from where, and when is what matters. In several cases, Play has also been observed targeting VMware ESXi environments.
Play actors often gain initial access by exploiting vulnerabilities in public-facing systems such as RDP, VPNs, and especially RMM tools, which healthcare organizations rely on to manage distributed devices and infrastructure.
Once an RMM platform is compromised, it gives attackers direct access to sensitive systems, often with elevated privileges, because that is exactly what the tool is designed to provide. The same capability healthcare relies on for efficiency becomes a fast track to network-wide compromise.
The AHA’s warning highlights this vector as a high-priority risk.
Play operates as a ransomware-as-a-service (RaaS) model. Affiliates, who are granted access to the malware, first exfiltrate sensitive documents, then deploy ransomware, using stolen data as leverage.
RaaS is a malicious version of the legitimate Software-as-a-Service (SaaS) business model. Instead of offering useful software, RaaS operators create and maintain ransomware platforms that they rent or sell to other cybercriminals, known as affiliates. This model lowers the barrier to entry, allowing attackers with limited technical skills to launch advanced ransomware campaigns. The result is a surge in the number and reach of potential threats.
Taken together, those factors (double extortion, negotiated rather than fixed demands, intermittent encryption, and abuse of legitimate tooling) set Play apart from most ransomware operations.
Based on guidance from the FBI, CISA, and the Australian Cyber Security Centre, along with Techio’s in-field expertise, here’s what healthcare IT leaders should prioritize:
1. Update and Patch
Immediately apply updates to all operating systems, RMM platforms, VPNs, and any public-facing services. Focus on known vulnerabilities in FortiOS, Microsoft Exchange, and similar services.
2. Secure Your RMM Environment
Inventory every RMM agent and console in use, remove any that are unmanaged or unsanctioned, keep the RMM software itself current, restrict console access to known administrator networks, and review which accounts hold elevated RMM privileges. Alert on RMM sessions that fall outside scheduled maintenance windows.
3. Enable MFA
Apply multifactor authentication across all systems, especially for administrator accounts, VPN access, and email platforms.
4. Run a Full Vulnerability Assessment
Scan your environment regularly and prioritize high-risk exposures, particularly in third-party tools and legacy systems.
5. Maintain and Test Backups
Keep at least one backup copy offline or immutable, so that credentials stolen during the intrusion cannot be used to delete it, and regularly test full restoration rather than just backup completion. Do not rely on shadow copies alone; ransomware routinely deletes them before encrypting.
6. Prepare Your Incident Response Plan
Build and rehearse a clear ransomware response playbook. Define roles, communications, and legal protocols before an incident occurs.
7. Monitor for Lateral Movement
Implement endpoint detection and response (EDR) tools that go beyond signature-based detection. Watch for legitimate admin tools run from unusual accounts or hosts, bursts of file modifications, and RMM or remote-access sessions that fall outside maintenance windows.
8. Employee Training
Train staff to spot phishing emails, suspicious links, and social engineering tactics. Regular simulations and clear protocols help reduce human error and strengthen your first line of defense.
Per the AHA, “The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of health care.” This is not just a cybersecurity issue. It’s a care delivery issue.
Play ransomware is built to evade, escalate, and exploit. The longer vulnerabilities sit unaddressed, the greater the risk.
Need help assessing your current posture? Let’s help you identify RMM risks and strengthen the I/O foundation your systems rely on every day.