Play Ransomware Targets Managed Service Providers for Downstream Access

Monday, March 9, 2026 at 03:00 PM UTC·Source: CISA / MS-ISAC Advisory

Updated: Tuesday, March 10, 2026 at 11:00 AM UTC

Executive Summary

Play ransomware compromises three MSPs to deploy ransomware across 120+ downstream client organizations simultaneously.

Analysis

Play ransomware group compromised three managed service providers using FortiOS vulnerabilities, then used the MSPs remote management tools to deploy ransomware to over 120 client organizations. Downstream victims span healthcare, legal, accounting, and manufacturing sectors. CISA has issued specific guidance for MSPs on securing RMM tools.

Timeline

Discovered

Mar 5, 2026

Exploitation Detected

Mar 5, 2026

Published

Mar 9, 2026

Source Attribution

Originally published by CISA / MS-ISAC Advisory on Mar 9, 2026. Verified by: CISA, MS-ISAC.

Related Threats

CRITICALApt

7 tips for accelerating cyber incident recovery

Despite strong and redundant defenses, enterprises remain vulnerable to a wide range of cyberattacks. And because attacks — and cyber incidents — are inevitable, developing an incident response and recovery process that’s quick, comprehensive, and coordinated is essential. Expediting incident recovery time is critical because the longer an outage persists, the more costs, risk, and business disrup

3h agoCSO Online

MEDIUMMalware

IT threat evolution in Q1 2026. Mobile statistics

This report contains mobile threat statistics for Q1 2026, along with noteworthy discoveries and quarterly trends: new versions of SparkCat and Triada.

1d agoSecurelist (Kaspersky)

HIGHRansomware

IT threat evolution in Q1 2026. Non-mobile statistics

The report presents key trends and statistics on malware that targeted personal computers running Windows and macOS, as well as Internet of Things (IoT) devices, during Q1 2026.

1d agoSecurelist (Kaspersky)