The Play ransomware group [1] [2] [3] [4] [5] [6] [7] [8] [9], also known as Balloonfly and PlayCrypt [7] [8], has recently expanded its operations to target VMware ESXi servers with a new Linux variant.
Description
This variant encrypts virtual machine files with the “PLAY” extension and relies on tools such as PsExec, WinSCP [2] [6] [9] and NetScan [9], together with ESXi-specific commands, for lateral movement and encryption. Trend Micro’s analysis revealed the use of a registered domain generation algorithm (RDGA) and a link to the threat actor Prolific Puma, underscoring the need for strong security controls in ESXi environments [4]. This is the first time Play has targeted ESXi servers [1], signalling a broader attack strategy on the Linux platform [1]. The Linux ransomware is distributed alongside its Windows counterpart in a RAR file and has evaded detection [9], with zero detections on VirusTotal [9]. The ransom note it drops contains instructions and links to the Tor network for ransom payment [9]; the encryption affects data stored within VMs and can also reach backups [9].

Because the hypervisor plays a central role in managing virtualized resources, Play’s attacks on ESXi servers pose a critical threat to enterprise infrastructure [5]. The group has impacted approximately 300 organizations [8], with the United States the most affected, across industries including manufacturing, IT [2], retail [2] and financial services [2] [9]. Play’s double-extortion tactics increase the pressure on victims to pay [5], and its use of commonly available tools for lateral movement and persistence underscores the severity of the threat. The connection between Play and the Prolific Puma group, which is known for providing infrastructure and services to other cybercriminals, is evident [9]. This development could enlarge the victim pool and raise the chances of successful ransom negotiations [7].
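The two indicators the description above gives a defender something to look for are the “PLAY” extension on virtual machine files and a dropped ransom note pointing at Tor. The following datastore triage script is an added example written for this page; it is not code from Trend Micro or any of the cited sources. It assumes that the variant keeps the original filename and appends “.PLAY” to it, that the ransom note is a small text file containing a “.onion” address, and that the datastore directory layout resembles the constructed sample it builds in a temporary directory (the note filename ReadMe.txt and the VM names are placeholders).

```python
import os
import tempfile
from collections import defaultdict

# Extension reported on the page for encrypted VM files. That the original
# filename is kept and ".PLAY" appended to it is an assumption of this example.
PLAY_SUFFIX = ".PLAY"

# File types that make up a VM on a datastore; used to tell VM artefacts apart
# from other files found carrying the ransomware extension.
VM_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".nvram", ".log"}

# Ransom notes are small text files; the page says they carry Tor links, so an
# ".onion" reference in a small, non-VM file is used as the indicator here.
NOTE_MAX_BYTES = 64 * 1024
NOTE_MARKER = b".onion"


def find_play_encrypted(root):
    """Walk a datastore root and map each directory (relative to root) to the
    list of (original_name, original_extension) pairs for files that carry the
    ransomware suffix."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(PLAY_SUFFIX):
                continue
            original = name[: -len(PLAY_SUFFIX)]
            orig_ext = os.path.splitext(original)[1].lower()
            hits[os.path.relpath(dirpath, root)].append((original, orig_ext))
    return dict(hits)


def find_ransom_notes(root):
    """Return relative paths of small files that are neither VM artefacts nor
    encrypted files and that mention a Tor hidden-service address."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.endswith(PLAY_SUFFIX) or ext in VM_EXTENSIONS:
                continue
            if os.path.getsize(path) > NOTE_MAX_BYTES:
                continue
            with open(path, "rb") as fh:
                if NOTE_MARKER in fh.read():
                    notes.append(os.path.relpath(path, root))
    return sorted(notes)


def summarize(hits, notes):
    """Condense scan results into the counts an incident responder reports first."""
    encrypted = sum(len(v) for v in hits.values())
    vm_artifacts = sum(1 for v in hits.values() for _, ext in v if ext in VM_EXTENSIONS)
    return {
        "affected_dirs": len(hits),
        "encrypted_files": encrypted,
        "vm_artifacts": vm_artifacts,
        "ransom_notes": len(notes),
    }


def build_sample_datastore(base):
    """Constructed sample layout standing in for /vmfs/volumes/<datastore>:
    one VM with encrypted files and a note, one untouched VM."""
    layout = {
        "vm-web01": [
            "vm-web01.vmx.PLAY",
            "vm-web01-flat.vmdk.PLAY",
            "vm-web01.nvram.PLAY",
            "vmware.log",
            "ReadMe.txt",  # placeholder note name; the page gives no filename
        ],
        os.path.join("vm-web01", "backups"): ["vm-web01-Snapshot1.vmsn.PLAY"],
        "vm-db01": ["vm-db01.vmx", "vm-db01-flat.vmdk"],
    }
    for rel, names in layout.items():
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                if name == "ReadMe.txt":
                    fh.write(b"constructed note: contact xxxxxxxxxxxxxxxx.onion\n")
                else:
                    fh.write(b"constructed sample content\n")


def run_demo():
    """Build the sample datastore in a temporary directory, scan it, and
    return (hits, notes, summary) so the results can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_datastore(tmp)
        hits = find_play_encrypted(tmp)
        notes = find_ransom_notes(tmp)
    return hits, notes, summarize(hits, notes)


if __name__ == "__main__":
    hits, notes, summary = run_demo()
    for vm_dir, files in sorted(hits.items()):
        print(f"{vm_dir}: {len(files)} file(s) with {PLAY_SUFFIX}")
    print("ransom notes:", notes)
    print(summary)
```

On a real incident you would point find_play_encrypted and find_ransom_notes at a datastore mounted read-only from a forensic host rather than at the live hypervisor, and treat the output as a triage aid only: the per-directory breakdown tells you which VMs (and which snapshot or backup folders) were reached, which is what decides whether restoration from backup is still an option.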
Conclusion
The ransomware attacks on ESXi servers by the Play group have significant implications for enterprise security, highlighting the importance of robust security measures in virtualized environments. Organizations must take proactive steps to protect their systems and data from such threats, including implementing strong security protocols and regularly updating defenses. The connection to the Prolific Puma group underscores the evolving nature of cyber threats and the need for constant vigilance in the face of sophisticated adversaries.
References
[1] https://www.techradar.com/pro/security/this-dangerous-new-linux-malware-is-going-after-vmware-systems-with-multiple-extortion-attempts
[2] https://nsaneforums.com/news/security-privacy-news/new-linux-variant-of-play-ransomware-targeting-vmware-esxi-systems-r24340/
[3] https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html
[4] https://www.infosecurity-magazine.com/news/play-ransomware-target-vmware-esxi/
[5] https://www.scmagazine.com/news/vmware-esxi-servers-targeted-by-new-linux-ransomware-variant
[6] https://foresiet.com/blog/new-linux-variant-of-play-ransomware-targeting-vmware-esxi-systems
[7] https://www.blackhatethicalhacking.com/news/new-linux-variant-of-play-ransomware-targets-vmware-esxi-environments/
[8] https://www.cloudways.com/blog/new-linux-variant-of-play-ransomware-targets-vmware-esxi-systems/
[9] https://cybermaterial.com/play-ransomware-targets-esxi-servers/