Cybersecurity researchers have discovered a new Linux variant of the Play ransomware, also known as Balloonfly and PlayCrypt, built specifically to target VMware ESXi environments. According to a report from Trend Micro, this suggests the group may be expanding its attacks to the Linux platform, potentially widening its victim pool and strengthening its hand in ransom negotiations.
Play ransomware, first identified in June 2022, employs double extortion tactics: it exfiltrates sensitive data, then encrypts systems and demands payment for a decryption key, with the stolen data held as additional leverage. As of October 2023, the group had victimized approximately 300 organizations, according to estimates from Australian and U.S. authorities.
Statistics from Trend Micro for the first seven months of 2024 reveal that the U.S. has the highest number of Play ransomware victims, followed by Canada, Germany, the U.K., and the Netherlands. The top industries affected include manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.
The analysis of the Linux variant is based on a RAR archive file hosted on an IP address (108.61.142[.]190). The same location also hosts tools seen in earlier Play intrusions, including PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor. While no actual infection was observed, the fact that this command-and-control (C&C) server hosts that toolset indicates the Linux variant is likely deployed with similar tactics, techniques, and procedures (TTPs).
Upon execution, the ransomware confirms it is running in an ESXi environment before encrypting virtual machine (VM) files, appending the extension “.PLAY” to them, and dropping a ransom note in the root directory.
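The two on-disk artifacts the article names, VM files renamed with a ".PLAY" suffix and a ransom note in the root directory, are what a responder would look for first on a suspect host. The following POSIX shell script is an added triage example, not code from the Trend Micro report or from this article: it enumerates ".PLAY" files under a datastore tree, counts them, and groups the hits by the VM file type that was encrypted. The sample datastore layout it builds is constructed for the example; on a real host you would point the functions at /vmfs/volumes instead. The ransom note's filename is not given in the article, so the script does not try to match it.

```shell
#!/bin/sh
# Post-incident triage for an ESXi datastore tree: list the files that carry
# the ".PLAY" extension the Linux Play variant appends, count them, and group
# the hits by the VM file type that was encrypted (vmdk, vmx, ...).
# Written as POSIX sh so it also runs in the ESXi busybox shell.
#
# Assumptions (not from the article): the datastore layout built by
# make_sample_datastore is constructed for this example; on a real host you
# would call the functions with /vmfs/volumes as the argument.

# Print every regular file under $1 whose name ends in .PLAY, sorted.
list_play_files() {
    find "$1" -type f -name '*.PLAY' 2>/dev/null | sort
}

# Print the number of .PLAY files under $1.
count_play_files() {
    list_play_files "$1" | wc -l | tr -d ' '
}

# For an encrypted path such as web01/web01.vmdk.PLAY, print the original
# extension (here "vmdk") so hits can be grouped by file type.
original_extension() {
    base=$(basename "$1" .PLAY)
    case "$base" in
        *.*) printf '%s\n' "${base##*.}" ;;
        *)   printf '%s\n' "(none)" ;;
    esac
}

# Print "<count> <extension>" for the .PLAY files under $1, most frequent first.
summarise_play_files() {
    list_play_files "$1" | while IFS= read -r f; do
        original_extension "$f"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Build a small constructed datastore: two VMs with encrypted disk and
# config files, one untouched snapshot descriptor and one untouched ISO.
# Prints the directory it created.
make_sample_datastore() {
    d=$(mktemp -d)
    mkdir -p "$d/web01" "$d/db01" "$d/iso"
    : > "$d/web01/web01.vmdk.PLAY"
    : > "$d/web01/web01-flat.vmdk.PLAY"
    : > "$d/web01/web01.vmx.PLAY"
    : > "$d/db01/db01.vmdk.PLAY"
    : > "$d/db01/db01.vmsd"
    : > "$d/iso/ubuntu.iso"
    printf '%s\n' "$d"
}

# Dry run against the constructed datastore: prints the count and breakdown.
demo() {
    sample=$(make_sample_datastore)
    echo "encrypted files: $(count_play_files "$sample")"
    summarise_play_files "$sample"
    rm -rf "$sample"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run `sh play_triage.sh --demo` to see the breakdown for the constructed layout, or source the file in an ESXi shell and call `summarise_play_files /vmfs/volumes`. Grouping by original extension matters for recovery planning: an encrypted `.vmx` is trivially rebuilt from documentation, while an encrypted `-flat.vmdk` is the actual disk contents and has to come from backup.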
Further analysis suggests that the Play ransomware group is using services provided by Prolific Puma, which offers illicit link-shortening services to other cybercriminals, helping them evade detection while distributing malware. Specifically, the domains involved are produced with a registered domain generation algorithm (RDGA): unlike a classic DGA, where malware computes candidate domains on the fly and only some are ever registered, an RDGA operator bulk-generates the names and registers them in advance, a technique used by various threat actors for phishing, spam, and malware distribution.
Play Ransomware Expands to #Linux VMWare ESXi!
A new variant of the Play #ransomware is now targeting VMWare ESXi environments, broadening its reach across Linux platforms.
Read full article at The Hacker News: https://t.co/7r0BjcOo7J
With over 300 organizations already… pic.twitter.com/n9sNVTwUJY
— Mohit Kumar (@unix_root) July 22, 2024
The latest findings point to a potential collaboration between cybercriminal groups, with the Play ransomware actors using Prolific Puma's link-shortening services to evade detection.
“ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations,” Trend Micro concluded. The ability to encrypt numerous VMs simultaneously and the valuable data they contain make them particularly lucrative for cybercriminals.
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.