
Linux Variant of Play Ransomware Targets VMware ESXi Systems

Cybersecurity researchers have uncovered a new Linux variant of a ransomware strain known as Play (also called Balloonfly and PlayCrypt) that specifically targets VMware ESXi environments.

“The emergence of this variant suggests an expansion of attacks across the Linux platform, widening the victim pool and potentially increasing ransom negotiation successes,” stated Trend Micro researchers in a report released on Friday.

Play, originating in June 2022, is notable for its double extortion techniques, encrypting systems and demanding payment for a decryption key after exfiltrating sensitive data. Reports from Australia and the U.S. have indicated that up to 300 organizations have fallen victim to this ransomware group by October 2023.

Data from Trend Micro for the first seven months of 2024 shows that the U.S. has the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.

Industries most affected by Play ransomware during this period include manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate.

The Linux variant analyzed by Trend Micro was found inside a RAR archive hosted on an IP address (108.61.142[.]190) alongside tools familiar from earlier Play intrusions: PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

While no actual infections have been reported, the hosting of common tools on the command-and-control server indicates the Linux variant might employ similar tactics, techniques, and procedures (TTPs) as the original version.

When executed, the ransomware checks for an ESXi environment and proceeds to encrypt virtual machine (VM) files, appending them with the extension “.PLAY” while dropping a ransom note in the root directory.
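For a responder who has to scope damage on a suspected host, the useful first step is an inventory of which VMs lost which files. The following is an added triage helper written for this article; it is not Trend Micro's tooling or any part of the ransomware. It assumes the standard datastore layout of one directory per VM under the datastore root, and because the page does not name the ransom note file, the note name is a caller-supplied placeholder (`ReadMe.txt` below is only a default to be replaced with whatever was actually dropped). The sample tree it walks is constructed in a temporary directory so the script runs offline.

```python
"""Inventory VM files renamed with the .PLAY extension on a datastore.

Added illustration for this article, not Trend Micro's or the malware's code.
Assumptions not stated on the page: datastore layout is
<root>/<vm-name>/<files>, and the ransom note is a plain-text file whose
name the caller passes in (the page does not give the note's file name).
"""
import os
import tempfile
from collections import defaultdict

PLAY_EXT = ".PLAY"  # extension the page reports the variant appends


def inventory_play_artifacts(root, note_name="ReadMe.txt"):
    """Walk a datastore tree and group encrypted files by VM directory.

    Returns (per_vm, notes): per_vm maps a VM directory (relative to root)
    to the original file names that were encrypted; notes lists ransom-note
    paths. note_name is a placeholder, not a value taken from the page.
    """
    per_vm = defaultdict(list)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == note_name:
                notes.append(os.path.join(rel, name))
            elif name.endswith(PLAY_EXT):
                per_vm[rel].append(name[: -len(PLAY_EXT)])
    return dict(per_vm), sorted(notes)


def summarize(per_vm):
    """Per-VM counts, flagging VMs whose .vmx (config) was hit: those cannot
    simply be re-registered in vSphere, and disk counts size the restore."""
    summary = {}
    for vm, originals in per_vm.items():
        summary[vm] = {
            "encrypted": len(originals),
            "vmx_hit": any(o.endswith(".vmx") for o in originals),
            "disks_hit": sum(1 for o in originals if o.endswith(".vmdk")),
        }
    return summary


def build_sample_datastore():
    """Constructed sample tree mimicking a partially encrypted datastore."""
    root = tempfile.mkdtemp(prefix="ds_")
    layout = {
        "web01": ["web01.vmx.PLAY", "web01.vmdk.PLAY",
                  "web01-flat.vmdk.PLAY", "vmware.log"],
        "db01": ["db01.vmx", "db01.vmdk.PLAY", "db01.vmsd"],
        "jump": ["jump.vmx", "jump.vmdk"],  # untouched VM
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for f in files:
            with open(os.path.join(root, vm, f), "w") as fh:
                fh.write("x")
    # Note dropped in the datastore root, as the page describes.
    with open(os.path.join(root, "ReadMe.txt"), "w") as fh:
        fh.write("placeholder note text (constructed)\n")
    return root


if __name__ == "__main__":
    ds = build_sample_datastore()
    per_vm, notes = inventory_play_artifacts(ds)
    for vm, info in sorted(summarize(per_vm).items()):
        print(vm, info)
    print("ransom notes:", notes)
```

On a real host, point `inventory_play_artifacts` at `/vmfs/volumes/<datastore>` and pass the note name observed on disk; VMs with `vmx_hit` set need their configuration rebuilt or decrypted before they can be registered again, while a VM that only lost snapshot or log files may be recoverable from the remaining disk images.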

Further investigation suggests that the Play ransomware group may be utilizing services offered by Prolific Puma, a provider of illicit link-shortening services to aid cybercriminals in evading detection during malware distribution.

Specifically, the group is using a registered domain generation algorithm (RDGA) to create new domain names, a tactic also employed by threat actors like VexTrio Viper and Revolver Rabbit for malicious activities such as phishing, spam, and malware proliferation.

Revolver Rabbit is known to have registered over 500,000 domains on the “.bond” top-level domain (TLD) for more than $1 million, using them as C2 servers for the XLoader (aka FormBook) stealer malware.

RDGAs pose a greater challenge for detection and defense than traditional DGAs. With a classic DGA the generation algorithm is embedded in the malware, so once it is reverse-engineered defenders can predict and pre-register or block the domains it will use; with an RDGA the algorithm stays with the threat actor, who generates the names offline and registers them in bulk, so the sample yields nothing to predict from. The resulting pool of registered domains can be reused across many campaigns, making the infrastructure more versatile for a wide range of illicit activities.
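The difference between the two approaches is easiest to see side by side. The following is an added illustration written for this article; the generators are toy stand-ins and are not the actual algorithms used by Play, VexTrio Viper or Revolver Rabbit (none of which appear on the page). The first half shows why a seed-based DGA can be pre-blocked by a defender who holds the seed; the second half shows the only signal an RDGA leaves, a burst of same-shaped registrations, using a small set of constructed registration records (the names, dates and registrar labels are made up).

```python
"""Classic seed-based DGA versus registered DGA (RDGA).

Added illustration for this article; toy algorithms, not any real family's
generator. Registration records below are constructed, not real WHOIS data.
"""
import datetime
import hashlib


def classic_dga(seed, day, count=4, tld="com"):
    """Toy client-side DGA: domains are a pure function of a seed baked into
    the malware and the current date, so anyone holding the seed reproduces
    exactly the list the malware will try."""
    out = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        out.append(f"{digest[:14]}.{tld}")
    return out


def defender_preblock(seed, start, days, count=4, tld="com"):
    """Defender with the reversed seed computes the next `days` days of
    domains up front and can sinkhole or block them before first use."""
    block = set()
    for d in range(days):
        day = start + datetime.timedelta(days=d)
        block.update(classic_dga(seed, day, count, tld))
    return block


# RDGA side: the actor generates names offline, registers them in bulk and
# hands them to the malware via configuration. Nothing in the sample can be
# reversed to predict them; the remaining signal is the registration
# behaviour itself. Constructed records: (domain, registration date, registrar).
SAMPLE_REGISTRATIONS = [
    ("qx-ledger-82.bond", "2024-06-03", "reg-a"),
    ("vm-ledger-19.bond", "2024-06-03", "reg-a"),
    ("ab-ledger-77.bond", "2024-06-03", "reg-a"),
    ("kp-ledger-04.bond", "2024-06-04", "reg-a"),
    ("zz-ledger-51.bond", "2024-06-04", "reg-a"),
    ("example-shop.com", "2024-06-03", "reg-b"),
    ("family-photos.net", "2024-05-20", "reg-c"),
]


def rdga_clusters(records, min_size=3):
    """Group registrations by (TLD, registrar, ISO week) and return groups of
    at least min_size names. A large group of names registered together on
    one TLD is the RDGA pattern the page describes for Revolver Rabbit."""
    groups = {}
    for domain, date, registrar in records:
        tld = domain.rsplit(".", 1)[-1]
        week = datetime.date.fromisoformat(date).isocalendar()[1]
        groups.setdefault((tld, registrar, week), []).append(domain)
    return {key: names for key, names in groups.items() if len(names) >= min_size}


if __name__ == "__main__":
    today = datetime.date(2024, 6, 3)
    print("malware will try:", classic_dga("seed", today))
    print("defender pre-blocks", len(defender_preblock("seed", today, 7)), "names")
    for key, names in rdga_clusters(SAMPLE_REGISTRATIONS).items():
        print("registration burst", key, len(names), "names")
```

The point of the second half is that the RDGA detection has to run over registration or passive-DNS data the defender collects, rather than over the malware sample; thresholds such as `min_size` and the grouping window are tuning knobs, not values the page supplies.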

The recent findings suggest a potential collaboration between cybercriminal entities to bypass security measures through the services of Prolific Puma, indicating a strategic approach by the Play ransomware actors.

Highlighting the critical role of ESXi environments in businesses, Trend Micro concluded that they are highly attractive targets: a single host runs many VMs, so one encryption run can take down multiple systems at once, and those VMs frequently store the organization's most valuable data.
