New Linux Variant of Play Ransomware Targets VMware ESXi Environments

Jul 22, 2024 | News

Cybersecurity researchers have identified a new Linux variant of the Play ransomware strain, also known as Balloonfly and PlayCrypt, which specifically targets VMware ESXi environments. This development indicates that the ransomware group may be expanding its reach across the Linux platform, potentially increasing its victim pool and the likelihood of successful ransom negotiations.

Overview of Play Ransomware

  • First Appearance: June 2022
  • Tactics: Double extortion, involving data exfiltration followed by system encryption.
  • Victim Count: Estimated 300 organizations as of October 2023 (based on reports from Australia and the U.S.).

Impact and Spread

Trend Micro’s analysis for the first seven months of 2024 shows the highest number of victims in:

  • United States
  • Canada
  • Germany
  • United Kingdom
  • Netherlands

Industries Affected:

  • Manufacturing
  • Professional Services
  • Construction
  • IT
  • Retail
  • Financial Services
  • Transportation
  • Media
  • Legal Services
  • Real Estate

Technical Analysis of the Linux Variant

Trend Micro discovered the Linux variant in a RAR archive file on IP address 108.61.142[.]190. This file also contained tools commonly used in previous attacks, such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

Behavior and Capabilities

  • Environment Check: Ensures it runs in an ESXi environment.
  • File Encryption: Encrypts VM files (disk, configuration, metadata) and appends “.PLAY” to them.
  • Ransom Note: Dropped in the root directory.

No actual infections were observed, but the presence of common tools used in Play ransomware attacks suggests the Linux variant might employ similar tactics, techniques, and procedures (TTPs).
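The three behaviours listed above give a defender something concrete to look for on a datastore: VM files whose names now end in ".PLAY", VM files that are still intact, and a note at the root. The script below is an added example and is not code from the article or from Trend Micro. It walks a directory tree the way an administrator would walk a datastore mount, and it assumes the ransom note is a text file whose name starts with "readme" (the article does not name the note, so that pattern is an assumption). The sample datastore it builds is constructed in a temporary directory.

```python
"""Added example (not from the original article): inventory a datastore tree
for VM files encrypted by the Play Linux variant (".PLAY" suffix), VM files
still intact, and a dropped note. The ransom-note filename pattern is an
assumption; the sample tree is constructed here."""
import os
import tempfile
from collections import Counter

# Extensions of the VM files (disk, configuration, metadata) the variant encrypts.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".nvram", ".vmsn"}
ENCRYPTED_SUFFIX = ".PLAY"


def scan_datastore(root):
    """Return three lists of paths: encrypted VM files, intact VM files, notes."""
    encrypted, intact, notes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif os.path.splitext(name)[1].lower() in VM_EXTENSIONS:
                intact.append(path)
            # Assumption: the note is a text file named readme*.txt (not stated by the article).
            elif lower.startswith("readme") and lower.endswith(".txt"):
                notes.append(path)
    return encrypted, intact, notes


def summarize(root):
    """Aggregate the scan into counts plus a per-VM-folder hit count."""
    encrypted, intact, notes = scan_datastore(root)
    vms_hit = Counter(os.path.basename(os.path.dirname(p)) for p in encrypted)
    # Original extensions that were renamed, recovered by stripping the suffix.
    original_types = Counter(
        os.path.splitext(os.path.basename(p)[: -len(ENCRYPTED_SUFFIX)])[1].lower()
        for p in encrypted
    )
    return {
        "encrypted": len(encrypted),
        "intact": len(intact),
        "notes": len(notes),
        "vms_hit": dict(vms_hit),
        "original_types": dict(original_types),
    }


def build_sample_datastore():
    """Constructed sample: one VM folder encrypted, one untouched, a note at the root."""
    root = tempfile.mkdtemp(prefix="datastore1_")
    layout = {
        "web01": ["web01.vmdk.PLAY", "web01.vmx.PLAY"],
        "db01": ["db01.vmdk", "db01.vmx"],
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for f in files:
            open(os.path.join(root, vm, f), "w").close()
    open(os.path.join(root, "ReadMe.txt"), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_datastore()
    for key, value in summarize(sample).items():
        print(f"{key}: {value}")
```

Run it against a real datastore path instead of the constructed one to get a quick blast-radius count per VM folder; the `original_types` field tells you whether configuration files were hit as well as disks, which decides whether a VM can be re-registered from a backup of its .vmx alone.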

Infrastructure and Distribution

The Play ransomware group is likely leveraging the services and infrastructure provided by Prolific Puma, a service that offers illicit link-shortening to help cybercriminals evade detection. This service uses a registered domain generation algorithm (RDGA), a sophisticated mechanism for creating numerous domain names to support malicious activities.

RDGA vs. DGA

  • RDGA: The algorithm remains secret, and all generated domains are registered by the threat actor.
  • DGA: The algorithm is embedded in the malware, which can be discovered, and not all generated domains are registered.

Applications:

  • RDGA: Used for phishing, spam, and malware propagation.
  • DGA: Primarily for connecting to a malware controller.

RDGAs

Revolver Rabbit, another threat actor, has registered over 500,000 domains on the “.bond” TLD for use as C2 servers for the XLoader (aka FormBook) stealer malware, costing approximately $1 million.

Implications and Defense

The collaboration between the Play ransomware actors and Prolific Puma indicates a strategic move to bypass security protocols, making it more challenging for defenders to track and mitigate attacks.

Recommendations

  • Patch and Update: Regularly update and patch ESXi environments to close potential vulnerabilities.
  • Monitor Traffic: Implement network monitoring for unusual domain activity indicative of RDGA patterns.
  • Incident Response: Establish a robust incident response plan to quickly address and mitigate ransomware attacks.
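The RDGA description above (many registered domains, often clustered on one cheap TLD such as ".bond") and the "Monitor Traffic" recommendation point at the same detection idea: a single client resolving an unusually large number of distinct, never-seen registrable domains under one TLD. The following script is an added example, not code from the article or from Trend Micro. It assumes a simple three-field DNS log line (timestamp, client, query name) and a per-TLD threshold; both the format and the threshold are assumptions, and the log lines are constructed.

```python
"""Added example (not from the original article): flag clients whose DNS
queries show an RDGA-style spread of distinct registrable domains under one
TLD. Log format, threshold and sample lines are assumptions constructed here."""
import math
import re
from collections import Counter, defaultdict

# Assumed log format: "<timestamp> <client-ip> <query-name>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

# Constructed sample: one host churning through random .bond domains,
# one host with ordinary traffic plus a single .bond lookup.
SAMPLE_LOG = """\
2024-07-22T10:00:01Z 10.0.0.5 q7x2kd9a.bond
2024-07-22T10:00:02Z 10.0.0.5 m3pz8vwe.bond
2024-07-22T10:00:03Z 10.0.0.5 t9hq4nrc.bond
2024-07-22T10:00:04Z 10.0.0.5 b2lw6xyk.bond
2024-07-22T10:00:05Z 10.0.0.5 g5dn1tzu.bond
2024-07-22T10:00:06Z 10.0.0.5 www.g5dn1tzu.bond
2024-07-22T10:00:07Z 10.0.0.9 www.google.com
2024-07-22T10:00:08Z 10.0.0.9 github.com
2024-07-22T10:00:09Z 10.0.0.9 api.github.com
2024-07-22T10:00:10Z 10.0.0.9 example.bond
"""


def parse_log(lines):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def registrable_domain(qname):
    """Reduce a query name to label.tld (naive: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(lines, max_domains_per_tld=4):
    """Return one alert per (client, tld) that exceeds the distinct-domain threshold."""
    seen = defaultdict(set)  # (client, tld) -> distinct registrable domains
    for rec in parse_log(lines):
        dom = registrable_domain(rec["qname"])
        if dom:
            seen[(rec["client"], dom.rsplit(".", 1)[1])].add(dom)
    alerts = []
    for (client, tld), domains in sorted(seen.items()):
        if len(domains) > max_domains_per_tld:
            mean_entropy = sum(shannon_entropy(d.split(".")[0]) for d in domains) / len(domains)
            alerts.append({
                "client": client,
                "tld": tld,
                "distinct": len(domains),
                "mean_entropy": round(mean_entropy, 2),
                "sample": sorted(domains)[:3],
            })
    return alerts


if __name__ == "__main__":
    for alert in score_clients(SAMPLE_LOG.splitlines()):
        print(alert)
```

The distinct-domain count per TLD is the primary signal; label entropy is reported only as supporting context, because a registered DGA can just as easily use dictionary words, and a secret algorithm cannot be reproduced the way an embedded DGA can. Tune the threshold against a baseline of your own resolver logs, and exempt TLDs your organization legitimately fans out across.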

Source: thehackernews.com