The June 2025 FBI/CISA advisory update confirmed what independent incident-response data already suggested: Play ransomware activity has surged (independent IR figures put the rise at roughly 70% in recent months), while IoT botnets such as BadBox 2.0 hand attackers footholds inside critical-infrastructure networks. For teams running GPU clusters, medical imaging, and OT networks these aren't abstract threats. What follows is a concrete defensive structure, not a sales pitch.
Play emerged in 2022 as “Playcrypt,” hitting smaller businesses. Today's operation is different: roughly 900 organizations compromised as of May 2025 (FBI/CISA advisory, June 4, 2025, up from about 300 in the December 2023 advisory), with a shift from spray-and-pray to precision strikes on high-value infrastructure. IBM's 2023 Cost of a Data Breach report put the global average breach cost at $4.45M; prevention is the cheaper line item.
What makes Play dangerous in enterprise environments:
BadBox 2.0, the botnet of pre-infected Android-based consumer devices the FBI warned about in June 2025, turns smart devices into beachheads. Every unmanaged device on a corporate or clinical network becomes a potential pivot point into core infrastructure, which is why device isolation, not just endpoint AV, is the control that matters here.
The UnitedHealth breach showed the cascade. The February 2024 attack on its Change Healthcare subsidiary (carried out by the ALPHV/BlackCat operation, not Play) exposed data on roughly 190 million individuals and shut down pharmacy claims processing nationwide (Reuters, May 15, 2025); the stock dropped, executives resigned, and financial guidance was withdrawn. The lessons, picked up under vendor risk below, generalize beyond healthcare.
Australia's ACSC joining the Play advisory signals international concern; cross-border attacks complicate both response and legal frameworks.
GPU-dense environments are especially attractive targets: concentrated compute that often processes sensitive data, and where encryption of the surrounding storage and management plane causes maximum operational disruption. The specific exposure:
Healthcare is acute: GPU-accelerated medical imaging can't tolerate downtime, so every minute of encryption costs patient care as well as revenue.
Based on the FBI/CISA indicators, prioritize these — in order.
Play affiliates gain initial access through remote-management (RMM) tools, including exploitation of SimpleHelp noted in the June 2025 advisory update, alongside exposed RDP and VPN appliances. Audit all RMM deployments (SimpleHelp, ScreenConnect, TeamViewer) and remove agents nobody can account for; put administrative access behind jump boxes to cut direct exposure; deploy application-aware firewalls to block unauthorized remote tools; and enforce MFA on every external-facing service, no exceptions.
Create dedicated VLANs for all IoT devices with complete isolation from production; deploy IoT-specific gateways watching east-west traffic; write strict firewall rules so IoT devices can't reach GPU clusters (default deny, with only the specific management flows allowed); and keep medical-device firmware patched ahead of exploitation, compensating with tighter segmentation where a vendor or regulatory constraint means a device can't be patched at all.
Implement GPU-level isolation (MIG or equivalent); deploy GPU monitoring that flags utilization with no scheduled job behind it (cryptomining, or a foothold being used for compute); enforce least privilege with separate accounts for GPU management; and keep driver stacks current.
Integrate Play IoCs into the SIEM immediately; alert on unscheduled GPU utilization, but treat it as a weak signal, since the encryption itself typically runs on the CPU and shows up first as bursts of file renames and writes on the hosts and shares the cluster depends on; deploy deception (honeypot GPU nodes) to catch lateral movement; and staff 24/7 SOC coverage during active targeting windows.
Healthcare's interconnected ecosystem amplifies impact — UnitedHealth proved that securing your own infrastructure isn't enough when a vendor compromise cascades into your operations. Require SOC 2 Type II (or equivalent) in vendor assessments; route vendor connections through isolated DMZs; mandate 24-hour breach notification contractually; and maintain backup vendor relationships so you can pivot fast during an incident. The threat landscape evolved — defenses have to evolve faster. These are the same defense-in-depth patterns I apply in my own on-prem infrastructure work: layered controls, isolation, and recovery you can actually test.