Play Ransomware Expands to Target VMWare ESXi Environments

Security

The Play ransomware group has introduced a Linux variant of its malware that specifically targets VMWare ESXi environments, according to recent findings from Trend Micro. 

First detected in June 2022, the Play ransomware has gained notoriety for its sophisticated double-extortion tactics, custom-built tools and significant impact on organizations, especially in Latin America.

Expansion to ESXi Environments

According to an advisory published by Trend Micro last week, this is the first recorded instance of Play ransomware focusing on ESXi environments, suggesting an expansion of its attack strategies across the Linux platform. This move potentially increases the victim pool and could lead to more successful ransom negotiations. 

VMWare ESXi environments are crucial for businesses as they host multiple virtual machines (VMs) running essential applications and data. Compromising these systems can severely disrupt operations and even compromise backups, making recovery efforts more difficult.

Infection Chain and Tools Used

The research highlights that from January to July 2024, the US has seen the highest number of Play ransomware victims. The manufacturing and professional services sectors have been the most affected. A significant concern is the ransomware’s ability to evade security detections, with the Linux variant showing zero detections in VirusTotal.

The infection chain of this ransomware variant includes various tools such as PsExec, NetScan, WinSCP, WinRAR and the Coroxy backdoor, which are hosted on the same IP address previously associated with Play ransomware attacks. 

The sample analyzed by TrendMicro runs ESXi-related commands to confirm it is operating within an ESXi environment before proceeding with its malicious routines. If these commands are missing, the ransomware terminates itself, avoiding detection.

Read more on Play Ransomware: US and Australia Warn of Play Ransomware Threat

The Play ransomware executes shell script commands to scan and power off all VMs in the environment, then encrypts VM files, including critical data and appends the extension “.PLAY” to affected files. A ransom note is then displayed, both in the ESXi client login portal and in the root directory.

Connection to Prolific Puma

Additionally, the study reveals a connection between the Play ransomware group and another threat actor known as Prolific Puma. Prolific Puma is notorious for generating domains using random algorithms and offering link-shortening services to cybercriminals to evade detection. 

ESXi environments, being high-value targets, require robust security measures to mitigate ransomware attacks. 

Recommended practices include regular patching and updates, virtual patching, addressing misconfigurations, implementing strong access controls, network segmentation, minimizing attack surfaces, maintaining offline backups, and deploying security monitoring and incident response solutions.

Products You May Like

Articles You May Like

CISOs Turn to Indemnity Insurance as Breach Pressure Mounts
Massive Telecom Hack Exposes US Officials to Chinese Espionage
Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials
PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released
New Flaws in Citrix Virtual Apps Enable RCE Attacks via MSMQ Misconfiguration

Leave a Reply

Your email address will not be published. Required fields are marked *