New Linux Variant of Play Ransomware Targeting VMware ESXi Systems


Posted on: 22 Jul 2024 | Author: Foresiet

Introduction

Cybersecurity researchers have identified a new Linux variant of the Play ransomware (also tracked as Balloonfly and PlayCrypt) that specifically targets VMware ESXi environments, a strategic expansion for the group behind it. Trend Micro's report, published on Friday, notes that porting the encryptor to ESXi gives the operators a broader victim pool and more leverage in ransom negotiations, since a single hypervisor can hold many production workloads.

Play Ransomware Overview

First emerging in June 2022, Play ransomware is known for double extortion: the operators exfiltrate sensitive data before encrypting systems, then demand a ransom both for the decryption key and for not publishing the stolen data. Estimates from Australian and U.S. authorities suggest that by October 2023 approximately 300 organizations had fallen victim to the group.

Geographic and Industry Impact

From January to July 2024, the U.S. reported the highest number of Play ransomware victims, followed by Canada, Germany, the U.K., and the Netherlands. The ransomware has wreaked havoc across various industries including manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.

Technical Analysis of the Linux Variant

The sample Trend Micro analyzed was found in a RAR archive hosted on an IP address (108.61.142[.]190). The same archive contained tools previously seen in Play ransomware intrusions, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor. Although no infection using the Linux sample has been observed in the wild yet, its co-hosting with this toolset suggests that attacks deploying it would follow similar tactics, techniques, and procedures (TTPs) to the group's Windows campaigns.

Upon execution, the ransomware checks that it is running in an ESXi environment before encrypting virtual machine (VM) files, including VM disk, configuration, and metadata files (on ESXi these are the .vmdk, .vmx, and .vmsd/.vmsn files in each VM's datastore directory). Encrypted files have the ".PLAY" extension appended, and a ransom note is left in the root directory.
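The behaviour described above (VM files renamed with an appended extension, note in the datastore root) is what an incident responder has to triage after the fact. The following script is an added example for this article, not Play ransomware code or a Trend Micro tool: it walks a datastore, groups encrypted files by the VM directory they live in, maps each file back to the ESXi file type it was before ".PLAY" was appended, and lists any text files sitting in the datastore root as note candidates. The ransom note filename and the sample directory layout are constructed for the demonstration, not taken from the report.

```python
"""Triage a datastore after a ".PLAY"-style ESXi encryptor.

Added example for this article, not ransomware code or a vendor tool.
The datastore layout built by build_sample_datastore() is constructed.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Optional, Tuple

ENCRYPTED_EXT = ".PLAY"

# ESXi file types that make up a VM; the article describes the variant
# encrypting disk, configuration and metadata files.
VM_FILE_TYPES = {
    ".vmdk": "virtual disk",
    ".vmx": "VM configuration",
    ".vmsd": "snapshot metadata",
    ".vmsn": "snapshot state",
    ".vmem": "paging/memory image",
    ".nvram": "BIOS/UEFI state",
    ".vmxf": "supplemental configuration",
}


def classify(path) -> Optional[Tuple[str, str]]:
    """Return (original_extension, description) if `path` is an encrypted VM file.

    "web01-flat.vmdk.PLAY" -> (".vmdk", "virtual disk"); non-.PLAY files -> None.
    """
    path = Path(path)
    if path.suffix != ENCRYPTED_EXT:
        return None
    original = Path(path.stem).suffix.lower()  # strip ".PLAY", keep the real suffix
    return original, VM_FILE_TYPES.get(original, "other file")


def triage(datastore) -> dict:
    """Walk a datastore and summarise encrypted files per VM directory."""
    datastore = Path(datastore)
    per_vm = defaultdict(list)
    for root, _dirs, files in os.walk(datastore):
        for name in files:
            p = Path(root, name)
            hit = classify(p)
            if hit:
                vm_dir = p.parent.relative_to(datastore).as_posix()
                per_vm[vm_dir].append((p.name, hit[1]))
    # Note candidates: plain text files dropped directly in the datastore root.
    notes = sorted(p.name for p in datastore.iterdir()
                   if p.is_file() and p.suffix.lower() == ".txt")
    return {
        "encrypted_by_vm": dict(per_vm),
        "root_notes": notes,
        "total_encrypted": sum(len(v) for v in per_vm.values()),
    }


def build_sample_datastore() -> Path:
    """Constructed sample layout (not a real compromise) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="datastore1-"))
    layout = {
        "web01/web01.vmx.PLAY": b"", "web01/web01.vmdk.PLAY": b"",
        "web01/web01-flat.vmdk.PLAY": b"", "web01/web01.vmsd.PLAY": b"",
        "web01/vmware.log": b"log",               # left alone by the encryptor
        "db01/db01.vmx.PLAY": b"", "db01/db01.vmdk.PLAY": b"",
        "db01/db01.nvram.PLAY": b"",
        "iso/ubuntu.iso": b"iso",                 # not a VM file, untouched
        "ReadMe.txt": b"ransom note placeholder", # constructed note name
    }
    for rel, data in layout.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    return root


if __name__ == "__main__":
    report = triage(build_sample_datastore())
    for vm, files in sorted(report["encrypted_by_vm"].items()):
        print(f"{vm}: {len(files)} encrypted files")
        for name, kind in files:
            print(f"    {name}  <- {kind}")
    print("note candidates in datastore root:", report["root_notes"])
```

Run it against a real datastore path (for example /vmfs/volumes/datastore1) from the ESXi shell or from a mounted copy of the volume; the per-VM grouping tells you immediately which workloads lost which component files, which is what drives the restore order.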

Prolific Puma and RDGA Utilization

Further analysis suggests that the Play ransomware group may be leveraging services and infrastructure provided by Prolific Puma, an entity that runs an illicit link-shortening service for cybercriminals, helping them distribute malware while evading detection. In particular, the group appears to use a registered domain generation algorithm (RDGA) to create new domain names, a technique also used by threat actors such as VexTrio Viper and Revolver Rabbit for phishing, spam, and malware propagation.

RDGAs present a significant challenge for detection and defense because they can generate large numbers of domain names, either all at once or over time, for use in criminal activities. A traditional DGA runs inside the malware: it derives candidate domains from a seed such as the current date, most of those domains are never registered, and once defenders reverse the algorithm they can predict and block or sinkhole future domains. With an RDGA the algorithm runs only on the threat actor's side, every generated domain is registered in advance, and the malware or lure carries only the finished domain names, so the algorithm cannot be recovered from samples and defenders must rely instead on registration and traffic patterns.
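To make the DGA versus RDGA distinction concrete, here is an added example (not code from Trend Micro, Infoblox or any ransomware family) with two toy generators. The classic DGA seeds itself from the date, so a defender who has reversed the sample computes the same list ahead of time; the RDGA is keyed by a secret that never leaves the actor, so the only defensive handle is registration telemetry, illustrated by a simple clustering heuristic over constructed registration records (group by registrar, nameserver and creation date, flag large batches of same-length labels). The secret, the registrar and nameserver names, and the records are all assumptions made up for the demonstration; the heuristic is a generic illustration, not any vendor's detector.

```python
"""Classic DGA (predictable by defenders) versus RDGA (pre-registered, secret-keyed).

Added example for this article; generators are toys and all telemetry is constructed.
"""
import hashlib
import hmac
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SECRET = b"actor-only-seed"  # assumption: lives only on the actor's side, never in a sample


def _label(digest: bytes, length: int) -> str:
    """Turn the first `length` digest bytes into a lowercase domain label."""
    return "".join(ALPHABET[b % 26] for b in digest[:length])


def classic_dga(day: str, count: int = 5, tld: str = ".net") -> list:
    """Malware-side DGA: the seed is the ISO date, so anyone can regenerate it."""
    return [_label(hashlib.sha256(f"{day}:{i}".encode()).digest(), 12) + tld
            for i in range(count)]


def defender_blocklist(day: str) -> list:
    """A defender holding the reversed algorithm pre-computes the day's domains."""
    return classic_dga(day)


def rdga_actor_generate(secret: bytes, batch_id: str, count: int, tld: str = ".com") -> list:
    """Actor-side RDGA: HMAC keyed by a secret the sample never contains.
    The actor registers every output before use, so there is nothing to predict."""
    return [_label(hmac.new(secret, f"{batch_id}:{i}".encode(), "sha256").digest(), 10) + tld
            for i in range(count)]


def cluster_registrations(records, min_batch: int = 5) -> list:
    """Flag bulk registrations that look machine-generated.

    records: dicts with keys domain, registrar, ns, created. Domains sharing
    registrar, nameserver and creation date are grouped; a group is flagged when
    it is at least `min_batch` large and all its labels have identical length.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["registrar"], r["ns"], r["created"])].append(r["domain"])
    flagged = []
    for key, domains in groups.items():
        label_lengths = {len(d.split(".")[0]) for d in domains}
        if len(domains) >= min_batch and len(label_lengths) == 1:
            flagged.append({"key": key, "domains": sorted(domains)})
    return flagged


def sample_registrations() -> list:
    """Constructed registration telemetry: one RDGA batch plus unrelated domains."""
    rdga_key = {"registrar": "Registrar-A", "ns": "ns1.dns-example.invalid", "created": "2024-07-10"}
    records = [dict(domain=d, **rdga_key)
               for d in rdga_actor_generate(SECRET, "batch-2024-07", 8)]
    small_biz = {"registrar": "Registrar-B", "ns": "ns.hoster.invalid", "created": "2024-07-10"}
    records += [dict(domain=d, **small_biz) for d in (
        "bakery-on-main.com", "acme-plumbing.com", "lisas-yoga.com",
        "northtown-dental.com", "quickfix-auto.com")]  # same key, mixed label lengths
    records.append({"domain": "example-charity.org", "registrar": "Registrar-A",
                    "ns": "ns1.dns-example.invalid", "created": "2024-07-11"})
    return records


if __name__ == "__main__":
    day = "2024-07-19"
    print("DGA domains the malware would use on", day, ":", classic_dga(day))
    print("Defender pre-computed the same list:", defender_blocklist(day) == classic_dga(day))
    for hit in cluster_registrations(sample_registrations()):
        print("suspicious bulk registration", hit["key"], "->", hit["domains"])
```

The first half shows the property the article relies on: a reversed DGA is a free blocklist for every future day. The second half shows why an RDGA removes that option and what is left, namely looking for batches of domains that were registered together and share structural features, which is noisier and depends on having registration data at all.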

Conclusion

The discovery of a Linux variant of Play ransomware targeting VMware ESXi systems underscores the evolving tactics of cybercriminals. ESXi hosts are attractive targets because one hypervisor runs many business-critical workloads and holds their data, so a single encryption event can halt an entire environment. As these threats advance, organizations should harden ESXi itself (restricting management-interface access, patching promptly, and keeping tested offline backups of VMs) and complement that with stolen credentials detection, darknet monitoring, digital footprint analysis, and brand protection to reduce exposure to such attacks.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
