New Linux Variant of Play Ransomware Targets VMware ESXi Environments
Cybersecurity researchers have identified a new Linux variant of the Play ransomware strain, also known as Balloonfly and PlayCrypt, which specifically targets VMware ESXi environments. This development indicates that the ransomware group may be expanding its reach across the Linux platform, potentially increasing its victim pool and the likelihood of successful ransom negotiations.
Overview of Play Ransomware
- First Appearance: June 2022
- Tactics: Double extortion, involving data exfiltration followed by system encryption.
- Victim Count: Estimated 300 organizations as of October 2023 (based on reports from Australia and the U.S.).
Impact and Spread
Trend Micro’s analysis for the first seven months of 2024 shows the highest number of victims in:
- United States
- Canada
- Germany
- United Kingdom
- Netherlands
Industries Affected:
- Manufacturing
- Professional Services
- Construction
- IT
- Retail
- Financial Services
- Transportation
- Media
- Legal Services
- Real Estate
Technical Analysis of the Linux Variant
Trend Micro discovered the Linux variant in a RAR archive file on IP address 108.61.142[.]190. This file also contained tools commonly used in previous attacks, such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.
Behavior and Capabilities
- Environment Check: Ensures it runs in an ESXi environment.
- File Encryption: Encrypts VM files (disk, configuration, metadata) and appends “.PLAY” to them.
- Ransom Note: Dropped in the root directory.
No actual infections were observed, but the presence of common tools used in Play ransomware attacks suggests the Linux variant might employ similar tactics, techniques, and procedures (TTPs).
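A defender-side triage check derived from the behaviour described above, added here as an example (not code from Trend Micro's report or from the article): it walks a copy of an ESXi datastore tree, separates ".PLAY"-suffixed files whose original extension is a VM disk, configuration or metadata type from other renamed files, and looks for a note at the datastore root. The ransom note file name is not given on the page, so `note_names` defaults to a placeholder and should be set from your own incident data; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile
from dataclasses import dataclass, field

# VM artefact types matching the analysis: disk (.vmdk), configuration (.vmx)
# and metadata (.vmsd, .vmxf, .nvram, .vmsn).
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmsd", ".vmxf", ".nvram", ".vmsn"}
PLAY_SUFFIX = ".PLAY"


@dataclass
class Findings:
    encrypted_vm_files: list = field(default_factory=list)
    other_play_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)


def scan_datastore(root, note_names=("ReadMe.txt",)):
    """Collect Play-style indicators under a datastore root (read-only walk).

    note_names is a placeholder default: the real note name is not on the page.
    """
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(PLAY_SUFFIX):
                original = name[: -len(PLAY_SUFFIX)]
                ext = os.path.splitext(original)[1].lower()
                bucket = found.encrypted_vm_files if ext in VM_EXTENSIONS else found.other_play_files
                bucket.append(path)
            elif dirpath == root and name in note_names:
                # The variant drops its note in the root directory only.
                found.ransom_notes.append(path)
    return found


def build_sample_datastore():
    """Constructed sample tree (not a real capture) for running the scan offline."""
    root = tempfile.mkdtemp(prefix="datastore-")
    os.makedirs(os.path.join(root, "vm01"))
    for rel in ("vm01/vm01.vmdk.PLAY", "vm01/vm01.vmx.PLAY", "vm01/vm01.vmsd.PLAY",
                "vm01/vmware.log", "ReadMe.txt"):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    result = scan_datastore(build_sample_datastore())
    print(f"{len(result.encrypted_vm_files)} encrypted VM files, "
          f"{len(result.ransom_notes)} ransom note(s) at root")
```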
Infrastructure and Distribution
The Play ransomware group is likely leveraging the services and infrastructure provided by Prolific Puma, a service that offers illicit link-shortening to help cybercriminals evade detection. This service uses a registered domain generation algorithm (RDGA), a sophisticated mechanism for creating numerous domain names to support malicious activities.
RDGA vs. DGA
- RDGA: The algorithm remains secret, and all generated domains are registered by the threat actor.
- DGA: The algorithm is embedded in the malware, which can be discovered, and not all generated domains are registered.
Applications:
- RDGA: Used for phishing, spam, and malware propagation.
- DGA: Primarily for connecting to a malware controller.
Revolver Rabbit, another threat actor, has registered over 500,000 domains on the “.bond” TLD for use as C2 servers for the XLoader (aka FormBook) stealer malware, costing approximately $1 million.
Source: thehackernews.com